Bug 986804

Summary: selinux stops collectds ping plug-in from working
Product: [Fedora] Fedora
Reporter: Daniel Rowe <bart>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 19
CC: bart, dominick.grift, dwalsh, mgrepl
Keywords: Reopened
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-22 00:51:54 UTC
Type: Bug

Description Daniel Rowe 2013-07-22 07:02:03 UTC
Description of problem:

With selinux enabled and in enforcing mode collectd is unable to ping using its ping plugin.

collectd[871]: ping_sendto: Permission denied

Note that there are NO denials logged by selinux in either the message log or the audit log.

Setting SELINUX=permissive and rebooting fixes the issue and collectd IS able to ping.

Version-Release number of selected component (if applicable):

Completely up to date Fedora 19 system.

How reproducible:

Every time.

Steps to Reproduce:
1. Install Collectd and the collectd ping plugin.
2. Set collectd up to ping one or more hosts.
3. Watch the message log for errors.
4. Set SELINUX=permissive and again test the ping plugin.
5. Now works.

Actual results:

Collectd not able to ping.

Expected results:

Should work.

Additional info:

Comment 1 Miroslav Grepl 2013-07-22 08:33:15 UTC
commit a5cf75d089d49a3e579fb6ba88db31b0ba17a04a
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jul 22 10:32:53 2013 +0200

    Allow collectd to use ping plugin

Comment 2 Fedora Update System 2013-07-24 14:13:55 UTC
selinux-policy-3.12.1-66.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-66.fc19

Comment 3 Fedora Update System 2013-07-25 00:35:58 UTC
Package selinux-policy-3.12.1-66.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-66.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13543/selinux-policy-3.12.1-66.fc19
then log in and leave karma (feedback).

Comment 4 Daniel Rowe 2013-07-26 05:05:48 UTC
Confirm that it is fixed with the policy update.

Thanks.

Comment 5 Fedora Update System 2013-07-26 23:06:45 UTC
selinux-policy-3.12.1-66.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Daniel Rowe 2013-07-29 01:08:40 UTC
I initially thought the issue was fixed. But I was wrong. It is still logging collectd[2837]: ping_sendto: Permission denied

Comment 7 Miroslav Grepl 2013-07-29 08:32:32 UTC
What AVC msgs are you getting?

Re-test and run

# ausearch -m avc,user_avc -ts recent

Comment 8 Daniel Rowe 2013-08-13 05:32:03 UTC
No AVC messages are displaying. It is still logging collectd[5352]: ping_sendto: Permission denied

Comment 9 Daniel Walsh 2013-08-13 22:18:06 UTC
Try after semodule -DB, which turns off dontaudit rules.

semodule -DB
Try out collectd
semodule -B

Gather the AVC's related to collectd.

Comment 10 Daniel Rowe 2013-08-15 02:37:37 UTC
Please see below the AVC message

time->Thu Aug 15 12:19:58 2013
type=SYSCALL msg=audit(1376531398.861:1625): arch=c000003e syscall=44 success=no exit=-13 a0=4 a1=7faefc6f59f0 a2=54 a3=0 items=0 ppid=1 pid=1526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1376531398.861:1625): avc:  denied  { write } for  pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket

time->Thu Aug 15 12:19:59 2013
type=SYSCALL msg=audit(1376531399.861:1629): arch=c000003e syscall=44 success=no exit=-13 a0=4 a1=7faefc6f59f0 a2=54 a3=0 items=0 ppid=1 pid=1526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1376531399.861:1629): avc:  denied  { write } for  pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket

Comment 11 Daniel Walsh 2013-08-15 18:54:39 UTC
That would make sense.

88a045e26eda07fd047f5de84141be5d8707f65d fixes this in git.

Comment 12 Fedora Update System 2013-08-20 08:25:15 UTC
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

Comment 13 Fedora Update System 2013-08-21 00:14:25 UTC
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-08-22 00:51:54 UTC
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.