Bug 960105

Summary:	SELinux is preventing /usr/sbin/collectd from read access on the directory /proc
Product:	[Fedora] Fedora	Reporter:	Joel Uckelman <uckelman>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	18	CC:	dominick.grift, dwalsh, mgrepl
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.11.1-95.fc18	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-05-21 08:38:57 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Joel Uckelman 2013-05-06 14:42:57 UTC

Description of problem:

SELinux is preventing /usr/sbin/collectd from read access on the directory /proc.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that collectd should be allowed read access on the proc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:object_r:proc_t:s0
Target Objects                /proc [ dir ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          hydra.ellipsis.cx
Source RPM Packages           collectd-5.2.0-1.fc18.x86_64
Target RPM Packages           filesystem-3.1-2.fc18.x86_64
Policy RPM                    selinux-policy-3.11.1-92.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hydra.ellipsis.cx
Platform                      Linux hydra.ellipsis.cx 3.8.11-200.fc18.x86_64 #1
                              SMP Wed May 1 19:44:27 UTC 2013 x86_64 x86_64
Alert Count                   69
First Seen                    2013-05-06 14:29:46 CEST
Last Seen                     2013-05-06 16:41:09 CEST
Local ID                      e43ee7e9-cb4a-498b-81c0-882b78e6da69

Raw Audit Messages
type=AVC msg=audit(1367851269.361:7307): avc:  denied  { read } for  pid=31520 comm="collectd" name="/" dev="proc" ino=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=dir


type=SYSCALL msg=audit(1367851269.361:7307): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f6b2541c22a a2=90800 a3=0 items=0 ppid=1 pid=31520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,proc_t,dir,read

audit2allow

#============= collectd_t ==============
allow collectd_t proc_t:dir read;

audit2allow -R
require {
        type collectd_t;
}

#============= collectd_t ==============
kernel_list_proc(collectd_t)



Version-Release number of selected component (if applicable):

selinux-policy-3.11.1-92.fc18.noarch


How reproducible:

Always


Steps to Reproduce:
1. Enable collectd processes plugin.

Actual results:

SELinux denial

Expected results:

No denial

Comment 1 Joel Uckelman 2013-05-06 14:55:22 UTC

Permitting the above isn't sufficient. Doing that results in zillions of denials like this:

SELinux is preventing /usr/sbin/collectd from search access on the directory 18185.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that collectd should be allowed search access on the 18185 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                18185 [ dir ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          hydra.ellipsis.cx
Source RPM Packages           collectd-5.2.0-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-92.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hydra.ellipsis.cx
Platform                      Linux hydra.ellipsis.cx 3.8.11-200.fc18.x86_64 #1
                              SMP Wed May 1 19:44:27 UTC 2013 x86_64 x86_64
Alert Count                   31
First Seen                    2013-05-06 16:44:05 CEST
Last Seen                     2013-05-06 16:44:36 CEST
Local ID                      9ac8ed0c-22ce-4422-af5d-452d2e9eb8ca

Raw Audit Messages
type=AVC msg=audit(1367851476.166:8029): avc:  denied  { search } for  pid=31596 comm="collectd" name="18185" dev="proc" ino=156909 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir


type=SYSCALL msg=audit(1367851476.166:8029): arch=x86_64 syscall=open success=no exit=EACCES a0=7f72bb7f9e90 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=31596 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,kernel_t,dir,search

audit2allow

#============= collectd_t ==============
allow collectd_t kernel_t:dir search;

audit2allow -R
require {
        type collectd_t;
}

#============= collectd_t ==============
kernel_read_state(collectd_t)

Comment 2 Daniel Walsh 2013-05-07 20:46:23 UTC

Do you know what collectd is looking for in /proc?

cfc17565b20b45db95b38cf4328f26ae14691e66 fixes this in git.

Comment 3 Joel Uckelman 2013-05-12 14:52:14 UTC

(In reply to comment #2)
> Do you know what collectd is looking for in /proc?

The process plugin is trying to read information from the directories corresponding to PIDs. From the collectd.conf(5) man page:

"The statistics collected for these selected processes are size of the resident segment size (RSS), user- and system-time used, number of processes and number of threads, io data (where available) and minor and major pagefaults."

Comment 4 Miroslav Grepl 2013-05-13 08:12:47 UTC

Added also to f18.

commit 8985923dba18f63a591897d59c2c03bfa4b057d5
Author: Dan Walsh <dwalsh>
Date:   Tue May 7 16:45:48 2013 -0400

    Allow collected_t to read all of /proc

Comment 5 Fedora Update System 2013-05-17 10:59:38 UTC

selinux-policy-3.11.1-95.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-95.fc18

Comment 6 Fedora Update System 2013-05-19 02:43:08 UTC

Package selinux-policy-3.11.1-95.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-95.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8591/selinux-policy-3.11.1-95.fc18
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-05-21 08:38:57 UTC

selinux-policy-3.11.1-95.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.