Bug 787643

Summary:	SELinux is preventing /usr/sbin/collectd from 'net_admin' accesses on the None .
Product:	[Fedora] Fedora	Reporter:	cje
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	16	CC:	apevec, apevec, dominick.grift, dwalsh, eparis, mail, mgrepl, tomek, virt-maint
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	abrt_hash:a5dc1e52908428444fe2e756e49c4b3a1c8429249498cef451abd50e6d9b1e6c
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2012-06-28 03:25:15 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description cje 2012-02-06 11:44:19 UTC

libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.3-2.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/collectd from 'net_admin' accesses on the None .
time:           Mon 06 Feb 2012 11:43:50 GMT

description:
:SELinux is preventing /usr/sbin/collectd from 'net_admin' accesses on the None .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that collectd should be allowed net_admin access on the  <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:collectd_t:s0
:Target Context                system_u:system_r:collectd_t:s0
:Target Objects                 [ None ]
:Source                        collectd
:Source Path                   /usr/sbin/collectd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           collectd-4.10.4-1.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3
:                              20:08:08 UTC 2012 x86_64 x86_64
:Alert Count                   5
:First Seen                    Mon 06 Feb 2012 19:42:22 GMT
:Last Seen                     Mon 06 Feb 2012 19:42:52 GMT
:Local ID                      686dd0ad-3ece-4c58-b263-82fc9504f47e
:
:Raw Audit Messages
:type=AVC msg=audit(1328557372.441:65): avc:  denied  { net_admin } for  pid=1049 comm="collectd" capability=12  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capabilitynode=(removed) type=SYSCALL msg=audit(1328557372.441:65): arch=c000003e syscall=0 success=yes exit=3 a0=5 a1=7f665c8e3000 a2=400 a3=22 items=0 ppid=1 pid=1049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
:
:
:Hash: collectd,collectd_t,collectd_t,None,net_admin
:
:audit2allow
:
:
:audit2allow -R
:
:

Comment 1 Miroslav Grepl 2012-02-06 13:05:17 UTC

Does collectd need this?

CAP_NET_ADMIN
              Perform various  network-related  operations
              (e.g.,  setting  privileged  socket options,
              enabling multicasting, interface  configura‐
              tion, modifying routing tables)

Comment 2 cje 2012-05-09 14:48:36 UTC

looks like it's the conntrack plugin which is causing this problem.

that plugin is disabled by default so you can probably set the severity as 'low' for this one.

Comment 3 Daniel Walsh 2012-05-09 18:26:20 UTC

Might want to add a boolean to allow collectd to manipulate the systems networking.

Comment 4 Alan Pevec 2012-05-10 07:23:32 UTC

(In reply to comment #2)
> looks like it's the conntrack plugin which is causing this problem.

Interesting, conntrack.c only reads /proc/sys/net/netfilter/nf_conntrack_count why would that require net_admin ??

Comment 5 Eric Paris 2012-05-14 15:51:15 UTC

I believe it can be safely dontaudit'd although really should be fixed in the kernel.  I believe, although haven't tested, this comes from net/sysctl_net.c::net_ctl_permissions() which checks CAP_NET_ADMIN and will allow one to overwrite the DAC permissions.

I believe the fix is to use has_capability_noaudit() in the kernel instead of capable().  Thus we don't get such denials.  I'll try to send a patch upstream.

Comment 6 Daniel Walsh 2012-05-16 03:07:41 UTC

Lets add the dontaudit to F16 and hope the kernel is fixed in F17/F18

Comment 7 Miroslav Grepl 2012-05-16 14:11:40 UTC

Fixed in selinux-policy-3.10.0-89.fc16

Comment 8 Fedora Update System 2012-06-15 10:28:52 UTC

selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16

Comment 9 Fedora Update System 2012-06-15 23:51:08 UTC

Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2012-06-28 03:25:15 UTC

selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.