Bug 1000166 - collectd-python: SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-08-22 16:41 EDT by Piotr Popieluch
Modified: 2013-08-24 18:28 EDT (History)
Fixed In Version: selinux-policy-3.12.1-73.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-24 18:28:52 EDT
Type: Bug


Attachments:
selinux module .te file (201 bytes, text/plain), 2013-08-22 16:41 EDT, Piotr Popieluch

Description Piotr Popieluch 2013-08-22 16:41:03 EDT
Created attachment 789361
selinux module .te file

Description of problem:
When using any Python collectd plugin, SELinux blocks collectd from reading and opening /etc/passwd.
It seems that Python tries to do a getpwuid(), which fails:

Aug 22 21:31:20 fedora19 systemd[1]: Starting Collectd...
Aug 22 21:31:20 fedora19 systemd[1]: Started Collectd.
Aug 22 21:31:20 fedora19 collectd[1470]: Traceback (most recent call last):
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 552, in <module>
Aug 22 21:31:20 fedora19 collectd[1470]: main()
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 534, in main
Aug 22 21:31:20 fedora19 collectd[1470]: known_paths = addusersitepackages(known_paths)
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 266, in addusersitepackages
Aug 22 21:31:20 fedora19 collectd[1470]: user_site = getusersitepackages()
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 241, in getusersitepackages
Aug 22 21:31:20 fedora19 collectd[1470]: user_base = getuserbase() # this will also set USER_BASE
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 231, in getuserbase
Aug 22 21:31:20 fedora19 collectd[1470]: USER_BASE = get_config_var('userbase')
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 516, in get_config_var
Aug 22 21:31:21 fedora19 collectd[1470]: return get_config_vars().get(name)
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 473, in get_config_vars
Aug 22 21:31:21 fedora19 collectd[1470]: _CONFIG_VARS['userbase'] = _getuserbase()
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 187, in _getuserbase
Aug 22 21:31:21 fedora19 collectd[1470]: return env_base if env_base else joinuser("~", ".local")
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 173, in joinuser
Aug 22 21:31:21 fedora19 collectd[1470]: return os.path.expanduser(os.path.join(*args))
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/posixpath.py", line 269, in expanduser
Aug 22 21:31:21 fedora19 collectd[1470]: userhome = pwd.getpwuid(os.getuid()).pw_dir
Aug 22 21:31:21 fedora19 collectd[1470]: KeyError: 'getpwuid(): uid not found: 0'
Aug 22 21:31:21 fedora19 systemd[1]: collectd.service: main process exited, code=exited, status=1/FAILURE
Aug 22 21:31:21 fedora19 systemd[1]: Unit collectd.service entered failed state.
Aug 22 21:31:21 fedora19 setroubleshoot: SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l adc00699-ae23-4b45-b9f7-93c1761ae1a8


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-71.fc19
collectd-5.2.1-1.fc19.i686


How reproducible:
Run collectd with any python plugin.

Steps to Reproduce:
1. Install any Python plugin in collectd. (I'm using this one https://collectd.org/wiki/index.php/Gearman but the problem exists with any Python collectd module.)
2. Start collectd.

Actual results:
collectd crashes, /var/log/messages shows:
SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd.
SELinux is preventing /usr/sbin/collectd from open access on the file /etc/passwd.



Expected results:
collectd to run properly.

Additional info:
audit2allow generates the following module which fixes the problem:

grep collectd /var/log/audit/audit.log | audit2allow -M collectd_python
cat collectd_python.te 

module collectd_python 1.0;

require {
	type collectd_t;
	type passwd_file_t;
	class file { read open };
}

#============= collectd_t ==============
allow collectd_t passwd_file_t:file { read open };
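
Added example, not part of the original report and not audit2allow's own code: how AVC denial records map to the allow rule above, plus a check that flags rules outside the access you meant to grant, since `grep collectd` feeds every collectd denial to audit2allow. The log lines are constructed samples, and `example_data_t` is a hypothetical type.

```python
import re

# Constructed sample in audit.log AVC format (timestamps, serials and inode
# numbers are made up; example_data_t is a hypothetical, unrelated type).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1377199880.101:410): avc:  denied  { read } for  pid=1470 comm="collectd" name="passwd" dev="dm-1" ino=131245 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1377199880.101:410): arch=40000003 syscall=5 success=no exit=-13 comm="collectd" exe="/usr/sbin/collectd"
type=AVC msg=audit(1377199880.102:411): avc:  denied  { open } for  pid=1470 comm="collectd" path="/etc/passwd" dev="dm-1" ino=131245 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1377199881.300:412): avc:  denied  { search } for  pid=1470 comm="collectd" name="data" dev="dm-1" ino=200001 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:example_data_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no rule data
        # A context is user:role:type:level; the type is the third field.
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        perms = grouped.setdefault(key, [])
        for perm in m["perms"].split():
            if perm not in perms:
                perms.append(perm)
    return grouped

def allow_rules(grouped):
    """Render one type-enforcement allow rule per grouped denial."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in grouped.items()]

def unexpected(grouped, expected):
    """Return rule keys that go beyond the access the admin intended to grant."""
    return [key for key in grouped if key not in expected]

if __name__ == "__main__":
    found = denials(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(found)))
    # Only the /etc/passwd read was intended; anything else needs review.
    print("review:", unexpected(found, {("collectd_t", "passwd_file_t", "file")}))
```
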
Comment 1 Lukas Vrabec 2013-08-23 04:10:19 EDT
Hi Piotr, 

Could you paste here your AVC logs relating to collectd?
Comment 3 Fedora Update System 2013-08-23 11:12:53 EDT
selinux-policy-3.12.1-73.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-73.fc19
Comment 4 Fedora Update System 2013-08-23 19:59:31 EDT
Package selinux-policy-3.12.1-73.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-73.fc19'
as soon as you are able to.
Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2013-15219/selinux-policy-3.12.1-73.fc19
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-08-24 18:28:52 EDT
selinux-policy-3.12.1-73.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
