Bug 1000166 - collectd-python: SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-08-22 20:41 UTC by Piotr Popieluch
Modified: 2013-08-24 22:28 UTC (History)

Fixed In Version: selinux-policy-3.12.1-73.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-24 22:28:52 UTC
Type: Bug


Attachments
selinux module .te file (201 bytes, text/plain)
2013-08-22 20:41 UTC, Piotr Popieluch

Description Piotr Popieluch 2013-08-22 20:41:03 UTC
Created attachment 789361
selinux module .te file

Description of problem:
When using any Python collectd plugin, SELinux blocks collectd from reading and opening /etc/passwd.
It seems that Python tries to do a getpwuid(), which fails:

Aug 22 21:31:20 fedora19 systemd[1]: Starting Collectd...
Aug 22 21:31:20 fedora19 systemd[1]: Started Collectd.
Aug 22 21:31:20 fedora19 collectd[1470]: Traceback (most recent call last):
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 552, in <module>
Aug 22 21:31:20 fedora19 collectd[1470]: main()
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 534, in main
Aug 22 21:31:20 fedora19 collectd[1470]: known_paths = addusersitepackages(known_paths)
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 266, in addusersitepackages
Aug 22 21:31:20 fedora19 collectd[1470]: user_site = getusersitepackages()
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 241, in getusersitepackages
Aug 22 21:31:20 fedora19 collectd[1470]: user_base = getuserbase() # this will also set USER_BASE
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/site.py", line 231, in getuserbase
Aug 22 21:31:20 fedora19 collectd[1470]: USER_BASE = get_config_var('userbase')
Aug 22 21:31:20 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 516, in get_config_var
Aug 22 21:31:21 fedora19 collectd[1470]: return get_config_vars().get(name)
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 473, in get_config_vars
Aug 22 21:31:21 fedora19 collectd[1470]: _CONFIG_VARS['userbase'] = _getuserbase()
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 187, in _getuserbase
Aug 22 21:31:21 fedora19 collectd[1470]: return env_base if env_base else joinuser("~", ".local")
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/sysconfig.py", line 173, in joinuser
Aug 22 21:31:21 fedora19 collectd[1470]: return os.path.expanduser(os.path.join(*args))
Aug 22 21:31:21 fedora19 collectd[1470]: File "/usr/lib/python2.7/posixpath.py", line 269, in expanduser
Aug 22 21:31:21 fedora19 collectd[1470]: userhome = pwd.getpwuid(os.getuid()).pw_dir
Aug 22 21:31:21 fedora19 collectd[1470]: KeyError: 'getpwuid(): uid not found: 0'
Aug 22 21:31:21 fedora19 systemd[1]: collectd.service: main process exited, code=exited, status=1/FAILURE
Aug 22 21:31:21 fedora19 systemd[1]: Unit collectd.service entered failed state.
Aug 22 21:31:21 fedora19 setroubleshoot: SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd. For complete SELinux messages. run sealert -l adc00699-ae23-4b45-b9f7-93c1761ae1a8


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-71.fc19
collectd-5.2.1-1.fc19.i686


How reproducible:
Run collectd with any Python plugin.

Steps to Reproduce:
1. Install any Python plugin in collectd. (I'm using this one https://collectd.org/wiki/index.php/Gearman but the problem exists with any Python collectd module)
2. Start collectd

Actual results:
collectd crashes, /var/log/messages shows:
SELinux is preventing /usr/sbin/collectd from read access on the file /etc/passwd.
SELinux is preventing /usr/sbin/collectd from open access on the file /etc/passwd.



Expected results:
collectd to run properly.

Additional info:
audit2allow generates the following module which fixes the problem:

grep collectd /var/log/audit/audit.log | audit2allow -M collectd_python
cat collectd_python.te 

module collectd_python 1.0;

require {
	type collectd_t;
	type passwd_file_t;
	class file { read open };
}

#============= collectd_t ==============
allow collectd_t passwd_file_t:file { read open };
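
An added example, not part of the bug report or of audit2allow: a minimal Python reduction of AVC denial records to the allow rules they imply, so the rule in the attached .te file can be checked against what was actually denied. The audit records are constructed (the report does not include them), and `denials_to_rules` and `context_type` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the bug report), shaped like the
# read/open denials on /etc/passwd that the reporter describes. The third
# record comes from another domain and only mentions collectd in a path.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1377199880.101:311): avc:  denied  { read } for  pid=1470 comm="collectd" name="passwd" dev="dm-1" ino=131201 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1377199880.102:312): avc:  denied  { open } for  pid=1470 comm="collectd" path="/etc/passwd" dev="dm-1" ino=131201 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1377199881.200:320): avc:  denied  { getattr } for  pid=901 comm="ntpd" path="/var/log/collectd.log" dev="dm-1" ino=131999 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1377199881.200:320): arch=40000003 syscall=195 success=no comm="ntpd"
"""

# Denied permissions plus source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def denials_to_rules(log_text, source_type=None):
    """Group denials by (source type, target type, class) into allow rules.

    If source_type is given, denials from every other domain are ignored.
    """
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL records)
        src, tgt = context_type(m["scon"]), context_type(m["tcon"])
        if source_type and src != source_type:
            continue
        perms = grouped[(src, tgt, m["tclass"])]
        for perm in m["perms"].split():
            if perm not in perms:  # de-duplicate, keep first-seen order
                perms.append(perm)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG, source_type="collectd_t"):
        print(rule)
```

Filtering on the source type rather than on the string collectd keeps the ntpd_t record, which only mentions collectd in a path, out of the generated rules.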

Comment 1 Lukas Vrabec 2013-08-23 08:10:19 UTC
Hi Piotr, 

Could you paste here your AVC logs relating to collectd?

Comment 3 Fedora Update System 2013-08-23 15:12:53 UTC
selinux-policy-3.12.1-73.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-73.fc19

Comment 4 Fedora Update System 2013-08-23 23:59:31 UTC
Package selinux-policy-3.12.1-73.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-73.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15219/selinux-policy-3.12.1-73.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-08-24 22:28:52 UTC
selinux-policy-3.12.1-73.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

