Bug 2354857

Summary: SELinux is preventing /usr/sbin/collectd from name_bind access on the tcp_socket port 9103
Product: Fedora
Reporter: Matthew LeSieur <matthew.lesieur>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 41
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-41.39-1.fc41
Last Closed: 2025-05-14 01:19:38 UTC

Description Matthew LeSieur 2025-03-25 13:47:06 UTC
SELinux is denying collectd from opening port 9103, which is used by the write_prometheus plugin.  Setting setenforce to 0 allows collectd to use the port.  I added tcp/9103 to collectd_port_t and set collectd_tcp_network_connect to "on".  Details below.

Mar 25 09:30:14 fedora41.example.com systemd[1]: Starting collectd.service - Collectd statistics daemon...
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "syslog" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "cpu" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "interface" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "load" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "memory" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "write_prometheus" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Systemd detected, trying to signal readiness.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: write_prometheus plugin: Opening a listening socket for [::]:9103 failed.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Initialization of plugin `write_prometheus' failed with status -1. Plugin will be unloaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_unregister_read: No such read function: write_prometheus
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Error: one or more plugin init callbacks failed.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Initialization complete, entering read-loop.
Mar 25 09:30:14 fedora41.example.com systemd[1]: Started collectd.service - Collectd statistics daemon.

# semanage port -l | grep collectd
collectd_port_t                tcp      9103
collectd_port_t                udp      25826

# getsebool collectd_tcp_network_connect
collectd_tcp_network_connect --> on

# sealert -l 0f8a6a8e-06d6-46d5-b0b3-73ffc10bbfd6
SELinux is preventing /usr/sbin/collectd from name_bind access on the tcp_socket port 9103.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that collectd should be allowed name_bind access on the port 9103 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'collectd' --raw | audit2allow -M my-collectd
# semodule -X 300 -i my-collectd.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:object_r:collectd_port_t:s0
Target Objects                port 9103 [ tcp_socket ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          9103
Host                          fedora41.example.com
Source RPM Packages           collectd-5.12.0-44.fc41.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-41.34-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.34-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora41.example.com
Platform                      Linux fedora41.example.com 6.13.8-200.fc41.x86_64 #1
                              SMP PREEMPT_DYNAMIC Sun Mar 23 05:03:09 UTC 2025
                              x86_64
Alert Count                   2
First Seen                    2025-03-25 09:30:14 EDT
Last Seen                     2025-03-25 09:30:14 EDT
Local ID                      0f8a6a8e-06d6-46d5-b0b3-73ffc10bbfd6

Raw Audit Messages
type=AVC msg=audit(1742909414.112:693): avc:  denied  { name_bind } for  pid=1907 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:collectd_port_t:s0 tclass=tcp_socket permissive=0


type=SYSCALL msg=audit(1742909414.112:693): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=55c8f9e52050 a2=10 a3=7fff70cfb694 items=0 ppid=1 pid=1907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,collectd_port_t,tcp_socket,name_bind

Reproducible: Always

Steps to Reproduce:
1. dnf -y install collectd collectd-write_prometheus
2. cat << __EOF__ > /etc/collectd.d/write_prometheus.conf
LoadPlugin write_prometheus
<Plugin "write_prometheus">
  Port "9103"
</Plugin>
__EOF__
3. systemctl start collectd.service
Actual Results:  
Mar 25 09:30:14 fedora41.example.com collectd[1907]: write_prometheus plugin: Opening a listening socket for [::]:9103 failed.

Expected Results:  
Mar 25 08:59:55 fedora41.example.com collectd[1326354]: write_prometheus plugin: Listening on [::]:9103.

Comment 1 Zdenek Pytela 2025-04-22 17:05:32 UTC
Can you try this copr build to see if the fix is sufficient?

https://github.com/fedora-selinux/selinux-policy/pull/2653
checks -> rpmbuild -> rawhide

Comment 2 Matthew LeSieur 2025-04-23 15:52:15 UTC
(In reply to Zdenek Pytela from comment #1)
> Can you try this copr build to see if the fix is sufficient?
> 
> https://github.com/fedora-selinux/selinux-policy/pull/2653
> checks -> rpmbuild -> rawhide

I tried the packages in the indicated copr repository, but it didn't resolve the problem.

# head -2 /etc/os-release
NAME="Fedora Linux"
VERSION="42 (Adams)"
# dnf -y install collectd collectd-write_prometheus
# cat << __EOF__ > /etc/collectd.d/write_prometheus.conf
LoadPlugin write_prometheus
<Plugin "write_prometheus">
  Port "9103"
</Plugin>
__EOF__
# dnf copr enable packit/fedora-selinux-selinux-policy-2653 fedora-42-x86_64
# dnf install -y selinux-policy-minimum-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-targeted-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-doc-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-devel-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-mls-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-sandbox-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch
# semanage port -a -t collectd_port_t -p tcp 9103
# setsebool collectd_tcp_network_connect on
# systemctl start collectd.service
# journalctl -u collectd.service

Apr 23 11:29:35 fedora42.example.com systemd[1]: Started collectd.service - Collectd statistics daemon.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: write_prometheus plugin: Opening a listening socket for [::]:9103 failed.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: Initialization of plugin `write_prometheus' failed with status -1. Plugin will be unloaded.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: plugin_unregister_read: No such read function: write_prometheus
Apr 23 11:29:35 fedora42.example.com collectd[1680]: Error: one or more plugin init callbacks failed.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: Initialization complete, entering read-loop.

# ausearch -m AVC -c collectd -ts recent
----
time->Wed Apr 23 11:42:46 2025
type=PROCTITLE msg=audit(1745422966.726:3006): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D6578656375746F72002D2D646573657269616C697A65003534002D2D6C6F672D6C6576656C00696E666F002D2D6C6F672D746172676574006A6F75726E616C2D6F722D6B6D7367
type=SYSCALL msg=audit(1745422966.726:3006): arch=c000003e syscall=50 success=no exit=-13 a0=3 a1=10 a2=10 a3=7ffd6ae82d54 items=0 ppid=1 pid=2003 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/bin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1745422966.726:3006): avc:  denied  { listen } for  pid=2003 comm="collectd" lport=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=tcp_socket permissive=0

-Matt
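
Triage logic for the two denials shown in this report (the name_bind denial in the description and the listen denial in comment 2), as an added example that is not part of collectd, selinux-policy or setroubleshoot. It parses raw AVC records in the form ausearch prints them, extracts the source and target types from the contexts, and tells a port-label problem (fixable with `semanage port`) apart from a missing policy rule (which needs a local module or, as here, a policy fix). The two sample records are copied from this report; the domain-to-port-type map holds only the collectd pair taken from the `semanage port -l` output above, and the function and category names are this example's own.

```python
"""Triage SELinux AVC denials on network sockets.

Added example for this bug report; not part of collectd, selinux-policy or
setroubleshoot.  The two sample records are copied from the report itself.
"""
import re
from dataclasses import dataclass

# Constructed input: the AVC record from the description and the one from
# comment 2, exactly as ausearch printed them.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1742909414.112:693): avc:  denied  { name_bind } for  '
    'pid=1907 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 '
    'tcontext=system_u:object_r:collectd_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1745422966.726:3006): avc:  denied  { listen } for  '
    'pid=2003 comm="collectd" lport=9103 scontext=system_u:system_r:collectd_t:s0 '
    'tcontext=system_u:system_r:collectd_t:s0 tclass=tcp_socket permissive=0',
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed mapping of domain -> port type that domain is expected to own.
# Only the collectd entry comes from the report ('semanage port -l' output).
EXPECTED_PORT_TYPE = {"collectd_t": "collectd_port_t"}


@dataclass
class Avc:
    result: str      # "denied" or "granted"
    perms: set       # permissions inside the braces, e.g. {"name_bind"}
    fields: dict     # key=value pairs after "for", quotes stripped

    def type_of(self, ctx_key):
        # A context is user:role:type[:level]; the third field is the type.
        return self.fields[ctx_key].split(":")[2]


def parse_avc(line):
    """Parse one raw AVC line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(m.group("result"), set(m.group("perms").split()), fields)


def triage(avc, expected=EXPECTED_PORT_TYPE):
    """Return (category, advice) for a socket denial.

    Categories: 'none', 'relabel', 'policy-port', 'policy-self', 'other'.
    """
    if avc is None or avc.result != "denied" or \
            avc.fields.get("tclass") not in ("tcp_socket", "udp_socket"):
        return ("none", "not a network socket denial")
    proto = avc.fields["tclass"].split("_")[0]
    # ausearch names the port differently per permission: src for name_bind,
    # lport for listen, dest for name_connect.
    port = avc.fields.get("src") or avc.fields.get("lport") or avc.fields.get("dest") or "?"
    stype, ttype = avc.type_of("scontext"), avc.type_of("tcontext")
    if {"name_bind", "name_connect"} & avc.perms:
        want = expected.get(stype)
        if want and ttype != want:
            return ("relabel",
                    f"{proto}/{port} is labeled {ttype}, not {want}; fix the label: "
                    f"semanage port -a -t {want} -p {proto} {port}")
        return ("policy-port",
                f"{proto}/{port} already carries {ttype}; the policy has no rule letting "
                f"{stype} use it, so relabeling cannot help and a policy change is needed")
    if stype == ttype and {"listen", "accept", "bind", "create"} & avc.perms:
        return ("policy-self",
                f"{stype} is denied {sorted(avc.perms)} on its own {avc.fields['tclass']}; "
                f"not a port-label problem, the domain lacks the socket permission itself")
    return ("other", f"{stype} denied {sorted(avc.perms)} on {ttype} ({avc.fields['tclass']})")


def triage_all(lines):
    """Triage every line; non-AVC lines yield the 'none' category."""
    return [triage(parse_avc(line)) for line in lines]


if __name__ == "__main__":
    for line, (category, advice) in zip(SAMPLE_AVCS, triage_all(SAMPLE_AVCS)):
        print(f"{category:12s} {advice}")
```

Run against the two records it classifies the first as `policy-port` (the port label is already correct, which is why the reporter's `semanage port -a` did not help) and the second as `policy-self` (the socket's target context is collectd_t itself, so no port labeling is involved). Feeding it `ausearch -m AVC -ts recent` output on a live host gives the same split for other domains once their port types are added to the map.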

Comment 3 Zdenek Pytela 2025-04-28 13:17:14 UTC
Thanks for checking; we are actually moving forward:
https://github.com/fedora-selinux/selinux-policy/pull/2666

For me, the service still fails, but there are no avc denials.

Comment 4 Fedora Update System 2025-05-02 08:11:32 UTC
FEDORA-2025-a84432e770 (selinux-policy-41.39-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-a84432e770

Comment 5 Fedora Update System 2025-05-03 03:03:34 UTC
FEDORA-2025-a84432e770 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a84432e770`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a84432e770

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2025-05-14 01:19:38 UTC
FEDORA-2025-a84432e770 (selinux-policy-41.39-1.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.