Bug 1790450
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Installation of pcp-pmda-netcheck causes SELinux issues | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Jan Kurik <jkurik> |
| Component | pcp | Assignee | Nathan Scott <nathans> |
| Status | CLOSED DUPLICATE | QA Contact | Jan Kurik <jkurik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 8.2 | CC | agerstmayr, jkurik, mgoodwin, myllynen, nathans, patrickm |
| Target Milestone | rc | Keywords | Bugfix, Triaged |
| Target Release | 8.4 | Flags | pm-rhel: mirror+ |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2020-12-18 15:02:17 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Resolved through a series of upstream commits from Marko:

commit a0d16c21a8af29e832608db635f884694cfc11f2
Author: Marko Myllynen <myllynen>
Date:   Fri Nov 8 17:30:48 2019 +0200

    pmdanetcheck: tighten SELinux rules on Fedora 31+

    When icmp_socket is available do not allow the previously
    used rawip_socket any more as only icmp_socket is needed.

commit d92e87ede67e5e54f797ca6383aaef77aa7c1bf0
Author: Marko Myllynen <myllynen>
Date:   Mon Nov 4 11:42:59 2019 +0200

    pmdanetcheck: Fedora 31 SELinux fix

    Commit 390f94e4 was incomplete as it missed the part shown after:

        $ sudo semodule -DB

    (This hint was recently added to PCP SELinux README.)

commit 390f94e4fd9f578ba3288d760411f3d642869ccb
Author: Marko Myllynen <myllynen>
Date:   Wed Oct 30 09:22:26 2019 +0200

    pmdanetcheck: Fedora 31 SELinux fix

    Update SELinux policy for pmdanetcheck on Fedora 31.
    Minor cosmetic consistency fix for easier searching included as well.

commit fdb5bd8c264cc21a9528284335662990d07b54d2
Author: Marko Myllynen <myllynen>
Date:   Thu Oct 10 18:44:52 2019 +0300

    selinux: adjust rules for pmda.netcheck

    PMDA and QA 1160 fails without this, revealed after running semodule -DB.

commit 09dbd6fc8743bd9b24b97893f1a4183d01f2c263
Author: Marko Myllynen <myllynen>
Date:   Thu Oct 10 00:28:29 2019 +0300

    selinux: make icmp_socket optional, not present on RHEL 6

    Update QA 917 to match the current status as well, also remove
    an older debugging leftover.

commit 2d6a4b6a25cf57c4b8577acfce7ca863a92e002f
Author: Marko Myllynen <myllynen>
Date:   Wed Oct 2 13:20:37 2019 +0300

    selinux: final pmda.netcheck addition

    Follow-up of commit 9bf7d8fd and commit cd9a1d4d, this was seen on F30.

commit 9bf7d8fde79005a6ce22889ae9b7cf68db66df59
Author: Marko Myllynen <myllynen>
Date:   Wed Oct 2 13:49:29 2019 +1000

    selinux: add policy rules for pmdanetcheck

    PMDA netcheck uses ping(1) to check the status of monitored
    hosts, this requires new SELinux rules. It could be possible
    to create a pure Python implementation which would only hit
    the following (based on testing with rudimentary test code):

        avc: denied { connect }
        avc: denied { create }
        avc: denied { net_raw }
        avc: denied { setopt }

    However, there seems to be no existing and maintained Python
    module that would match ping(1) functionality and cases like
    https://android.googlesource.com/kernel/tests/+/master/net/test/ping6_test.py
    hint that having a reliable Python ping module might turn
    into a more involved effort than the whole PMDA itself.

    Using ping(1) the above connect AVC is not seen but these are
    appearing instead:

        avc: denied { execute }
        avc: denied { execute_no_trans }
        avc: denied { getopt }
        avc: denied { map }
        avc: denied { setcap }

    This commit updates the PCP SELinux policy to allow these to
    allow doing network checks by calling ping(1) from PMDA netcheck.

    Ideally, these could be separated as per-PMDA booleans or rules
    as per https://github.com/performancecopilot/pcp/issues/388 but
    for the time being we use the same approach as before.
This will be resolved by rebase to pcp-5.1.x

*** This bug has been marked as a duplicate of bug 1792971 ***

This issue still persists in the pcp-5.1.1-2.el8 build.

I tried to reproduce this with

  pcp-pmda-netcheck-5.0.2-5.el8.x86_64
  pcp-selinux-5.0.2-5.el8.x86_64
  pcp-5.0.2-5.el8.x86_64
  kernel-4.18.0-193.14.3.el8_2.x86_64
  selinux-policy-targeted-3.14.3-41.el8_2.5.noarch

but I don't see any AVCs after installing and using the netcheck PMDA. Could you perhaps try again with everything up-to-date and see if this still reproduces for you? Thanks.

(In reply to Marko Myllynen from comment #7)
> Could you perhaps try again with everything up-to-date and see if this still
> reproduces for you?

Yes, I can still reproduce the issue on the latest RHEL-8.2.1 release.

  * pcp-pmda-netcheck-5.0.2-5.el8.x86_64
  * pcp-selinux-5.0.2-5.el8.x86_64
  * pcp-5.0.2-5.el8.x86_64
  * kernel-4.18.0-193.13.2.el8_2.x86_64
  * selinux-policy-targeted-3.14.3-41.el8_2.5.noarch

Ok, I tried on a freshly spun RHEL 8 VM and was also able to reproduce with these versions:

  pcp-pmda-netcheck-5.1.1-3.el8.x86_64
  pcp-selinux-5.1.1-3.el8.x86_64
  pcp-5.1.1-3.el8.x86_64
  kernel-4.18.0-234.el8.x86_64
  selinux-policy-targeted-3.14.3-53.el8.noarch

However, when building pcp git master on latest RHEL 8 and updating [*] to the latest PCP version (so upcoming PCP 5.2.1) this works. But curiously enough the related PCP SELinux changes are already included in PCP 5.1.1. I think we saw some unexpected failures on earlier RHEL 8 versions when building PCP so either PCP 5.2 has a fix that helps and that I am unaware of, or there was an issue with earlier RHEL 8 kernel/selinux versions that has since been fixed. I'm not sure whether any of you is in a position to try to rebuild the latest PCP version in Koji on the latest RHEL 8 to see whether that already helps? In any case, it looks like code-wise latest pcp git master is already ok and we'd need to figure out the needed build/version for RHEL 8 to address this issue.

*) I noticed when updating from PCP 5.1.1 to PCP 5.2.1 I had to manually restart pmcd after the update to make the PMDA work, perhaps it would be a matter for a separate BZ why such a manual restart was required. Thanks.

Fixed in rebase to pcp-5.2.1-2.el8 build.

This issue has re-occurred in the pcp-5.2.3-1.el8 build.

*** This bug has been marked as a duplicate of bug 1897719 ***
Description of problem:
Installation of the pcp-pmda-netcheck PMDA on a fresh RHEL-8.2 system triggers SELinux issues.

Version-Release number of selected component (if applicable):
* pcp-pmda-netcheck-5.0.2-2.el8

How reproducible:
Always

Steps to Reproduce:
1. On a fresh RHEL-8.2 system install pcp-pmda-netcheck
   # yum install -y pcp-pmda-netcheck
2. Run the installation script of the PMDA
   # cd /var/lib/pcp/pmdas/netcheck/ && ./Install
3. Check SELinux reports using the ausearch or audit2allow tools
   # ausearch -m AVC,USER_AVC
   # audit2allow -a

Actual results:
SELinux issues reported:

type=AVC msg=audit(01/09/2020 03:11:58.402:1044) : avc: denied { create } for pid=9790 comm=ping scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=0

#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:rawip_socket create;

Expected results:
The installation and run of the PMDA does not produce any SELinux issues.
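The reproduction steps above end with `ausearch` and `audit2allow -a`, and the commit series earlier on the page shows the follow-on step a policy maintainer actually performs: read the AVC records, derive the allow rule, then ask whether that rule is broader than the program needs (the tightening commit drops `rawip_socket` once `icmp_socket` is available). The following is an added example written for this page, not code from the bug report, from audit2allow or from the PCP project. It parses AVC records into audit2allow-style allow rules and flags a `rawip_socket` grant to a domain that is also being granted `icmp_socket`. The audit lines are constructed: the first mirrors the record quoted in the report, the others are invented to show multi-permission records, a non-self target and a record type that carries no verdict. The `rawip_socket` check is a heuristic of my own based on the rationale stated in commit a0d16c2, not a rule from the PCP policy.

```python
"""Derive audit2allow-style allow rules from SELinux AVC records and flag
rawip_socket grants that look redundant next to icmp_socket grants."""
import re
from collections import defaultdict

# Constructed sample audit records (not captured from a real host). Line 1 is
# modelled on the denial quoted in the bug report (ausearch interpreted format);
# the rest use the raw kernel format and are made up for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(01/09/2020 03:11:58.402:1044) : avc: denied { create } for pid=9790 comm=ping scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(1578539518.410:1045): avc:  denied  { create } for  pid=9790 comm="ping" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=icmp_socket permissive=0
type=AVC msg=audit(1578539518.411:1046): avc:  denied  { setopt getopt } for  pid=9790 comm="ping" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=icmp_socket permissive=0
type=AVC msg=audit(1578539518.412:1047): avc:  denied  { execute } for  pid=9790 comm="python3" path="/usr/bin/ping" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1578539518.402:1044): arch=c000003e syscall=41 success=no exit=-13 comm="ping"
"""

# Matches both the raw kernel format and ausearch -i output: the permission set
# in braces, then the source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(audit_text):
    """Return {(source_type, target, tclass): set(perms)} for every AVC denial.

    target is 'self' when source and target types are identical, which is how
    audit2allow prints such rules (allow pcp_pmcd_t self:rawip_socket create;).
    Several records for the same triple are merged into one permission set.
    """
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE and similar records carry no AVC verdict
        stype = context_type(m.group("scontext"))
        ttype = context_type(m.group("tcontext"))
        target = "self" if stype == ttype else ttype
        rules[(stype, target, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def format_allow_rules(rules):
    """Render parsed denials as policy allow rules, sorted for stable diffs."""
    out = []
    for (stype, target, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return out


def redundant_rawip_rules(rules):
    """Heuristic (my own, following the rationale of the tightening commit):
    if a domain is being granted icmp_socket, the kernel has the icmp_socket
    class and ping(1) no longer needs rawip_socket, so a rawip_socket grant to
    the same domain deserves review. Returns those rawip_socket rule keys."""
    icmp_domains = {stype for (stype, _t, tclass) in rules if tclass == "icmp_socket"}
    return sorted(k for k in rules if k[2] == "rawip_socket" and k[0] in icmp_domains)


if __name__ == "__main__":
    parsed = parse_avc_denials(SAMPLE_AUDIT)
    for rule in format_allow_rules(parsed):
        print(rule)
    for stype, target, tclass in redundant_rawip_rules(parsed):
        print(f"# review: {stype} already gets icmp_socket; {tclass} grant may be unnecessary")
```

On a real host the same parser can be fed the output of `ausearch -m AVC -r` instead of the embedded sample. The heuristic only says "review this", not "remove this": the page's own commit 09dbd6f keeps `rawip_socket` as the fallback on kernels without the `icmp_socket` class, so the decision still depends on the target platform.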