Bug 1065336 - SELinux is preventing /usr/sbin/collectd from using the net_admin capability
Summary: SELinux is preventing /usr/sbin/collectd from using the net_admin capability
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-14 11:46 UTC by Joel Uckelman
Modified: 2014-03-12 12:19 UTC

Fixed In Version: selinux-policy-3.12.1-127.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-12 12:19:09 UTC
Type: Bug
Embargoed:



Description Joel Uckelman 2014-02-14 11:46:26 UTC
Description of problem:

[root@clio etc]# sealert -l 0024185d-a525-4fcc-9769-fec365191398
SELinux is preventing /usr/sbin/collectd from using the net_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that collectd should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:system_r:collectd_t:s0
Target Objects                 [ capability ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          clio
Source RPM Packages           collectd-5.4.1-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     clio
Platform                      Linux clio 3.12.10-300.fc20.x86_64 #1 SMP Thu Feb
                              6 22:11:48 UTC 2014 x86_64 x86_64
Alert Count                   117
First Seen                    2014-02-14 12:19:51 CET
Last Seen                     2014-02-14 12:36:19 CET
Local ID                      0024185d-a525-4fcc-9769-fec365191398

Raw Audit Messages
type=AVC msg=audit(1392377779.236:489): avc:  denied  { net_admin } for  pid=18767 comm="collectd" capability=12  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability


type=SYSCALL msg=audit(1392377779.236:489): arch=x86_64 syscall=read success=yes exit=ESRCH a0=4 a1=7fc3fea5d000 a2=400 a3=22 items=0 ppid=1 pid=18767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,collectd_t,capability,net_admin


Version-Release number of selected component (if applicable):

collectd-5.4.1-1.fc20.x86_64
selinux-policy-3.12.1-122.fc20.noarch


How reproducible:

Always


Steps to Reproduce:
1. Turn on the conntrack plugin in /etc/collectd.conf
2. systemctl start collectd

Actual results:

SELinux denials

Expected results:

No SELinux denials

Comment 1 Lukas Vrabec 2014-02-14 12:04:06 UTC
commit 6f8cc21c4ce00e17ca02aaa7e5e881825cc4406c
Author: Lukas Vrabec <lvrabec>
Date:   Fri Feb 14 13:02:22 2014 +0100

    Add net_admin capability in collectd policy

Comment 2 Fedora Update System 2014-02-18 22:10:06 UTC
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20

Comment 3 Joel Uckelman 2014-02-19 09:13:19 UTC
The updated policy works for collectd---but completely breaks httpd and mariadb. It looks like it's denying them access to /tmp.

Comment 4 Daniel Walsh 2014-02-19 15:24:06 UTC
The update would almost assuredly not affect them.  What AVCs are you seeing?

Comment 5 Joel Uckelman 2014-02-19 15:30:02 UTC
I doubt that the changes for collectd did this---but it looks like there are tons of other changes in 3.12.1-126.

Here's the start of what I saw:

type=AVC msg=audit(1392796636.545:159): avc:  denied  { search } for  pid=1511 comm="mysqld" name="tmp" dev="dm-0" ino=54526253 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
type=AVC msg=audit(1392796638.290:161): avc:  denied  { search } for  pid=1442 comm="/usr/sbin/httpd" name="tmp" dev="tmpfs" ino=24525 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
type=AVC msg=audit(1392798771.747:478): avc:  denied  { search } for  pid=2262 comm="httpd" name="tmp" dev="tmpfs" ino=28958 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
type=AVC msg=audit(1392798771.747:479): avc:  denied  { search } for  pid=2262 comm="httpd" name="tmp" dev="dm-0" ino=54526296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
type=AVC msg=audit(1392798771.747:481): avc:  denied  { search } for  pid=2262 comm="httpd" name="tmp" dev="tmpfs" ino=28958 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
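
As an added triage example (not part of the bug report or of the selinux-policy package), the following Python parses the raw AVC records quoted in the description and in comment 5, aggregates denials by source type, class, permission and target type, and separates the collectd net_admin policy gap from the init_tmp_t search denials that comment 6 attributes to a labelling problem. The sample records are the ones quoted on this page; the verdict names and the "tmp not labelled tmp_t" heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample input: four of the AVC records quoted in this bug report.
AVC_LINES = """\
type=AVC msg=audit(1392377779.236:489): avc:  denied  { net_admin } for  pid=18767 comm="collectd" capability=12  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
type=AVC msg=audit(1392796636.545:159): avc:  denied  { search } for  pid=1511 comm="mysqld" name="tmp" dev="dm-0" ino=54526253 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
type=AVC msg=audit(1392798771.747:478): avc:  denied  { search } for  pid=2262 comm="httpd" name="tmp" dev="tmpfs" ino=28958 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
type=AVC msg=audit(1392798771.747:479): avc:  denied  { search } for  pid=2262 comm="httpd" name="tmp" dev="dm-0" ino=54526296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\).*?avc:\s+(?P<result>denied|granted)'
                    r'\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_avc(line):
    """Parse one type=AVC record into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec.update(ts=float(m.group('ts')), serial=int(m.group('serial')),
               result=m.group('result'), perms=m.group('perms').split())
    # The third colon-separated field of a context is the SELinux type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def triage(rec):
    """Sort a denial the way this thread resolved them (heuristics, not rules)."""
    # collectd_t asking for net_admin on its own context is a policy gap: report
    # it (as the sealert text says) rather than blanket-allowing it via audit2allow.
    if rec['tclass'] == 'capability' and rec['scontext'] == rec['tcontext']:
        return 'policy-gap'
    # A "tmp" directory labelled something other than tmp_t is the pattern comment 6
    # questions: verify the label (ls -lZd, restorecon -v) before touching policy.
    if rec['tclass'] == 'dir' and rec.get('name') == 'tmp' and rec['ttype'] != 'tmp_t':
        return 'check-label'
    return 'other'

def summarize(text):
    """Aggregate (source type, class, permission, target type) -> count and verdict."""
    counts, verdicts = Counter(), {}
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec['perms']:
            key = (rec['stype'], rec['tclass'], perm, rec['ttype'])
            counts[key] += 1
            verdicts[key] = triage(rec)
    return counts, verdicts
```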

Comment 6 Daniel Walsh 2014-02-21 20:46:58 UTC
This looks like the tmp dir is mislabeled.  It should not be init_tmp_t?

ls -lZd /tmp

Comment 7 Fedora Update System 2014-02-22 00:42:25 UTC
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).

Comment 8 Joel Uckelman 2014-02-22 09:02:56 UTC
(In reply to Daniel Walsh from comment #6)
> This looks like the tmp dir is mislabled.  It should not be init_tmp_t?
> 
> ls -lZd /tmp

drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp//

No idea how /tmp got mislabeled, if it is indeed mislabeled.

Comment 9 Joel Uckelman 2014-02-22 09:04:05 UTC
'restorecon -v /tmp' did not indicate that it was relabeling /tmp.

Comment 10 Fedora Update System 2014-02-26 13:50:33 UTC
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-03-12 12:19:09 UTC
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
