Bug 1065698 - SELinux is preventing /usr/sbin/collectd from write access on the sock_file /var/lib/mysql/mysql.sock.
Summary: SELinux is preventing /usr/sbin/collectd from write access on the sock_file /...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-02-15 23:29 UTC by Joel Uckelman
Modified: 2014-03-12 12:19 UTC
CC List: 4 users

Fixed In Version: selinux-policy-3.12.1-127.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-12 12:19:25 UTC
Type: Bug
Embargoed:



Description Joel Uckelman 2014-02-15 23:29:00 UTC
Description of problem:

[root@one uckelman]# sealert -l 20668dc3-e73d-4194-bdc2-642d1e6ab6c8
SELinux is preventing /usr/sbin/collectd from write access on the sock_file /var/lib/mysql/mysql.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that collectd should be allowed write access on the mysql.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:object_r:mysqld_var_run_t:s0
Target Objects                /var/lib/mysql/mysql.sock [ sock_file ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          one
Source RPM Packages           collectd-5.4.1-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     one
Platform                      Linux one 3.12.10-300.fc20.x86_64 #1 SMP Thu Feb 6
                              22:11:48 UTC 2014 x86_64 x86_64
Alert Count                   10
First Seen                    2014-02-16 00:18:06 CET
Last Seen                     2014-02-16 00:24:57 CET
Local ID                      20668dc3-e73d-4194-bdc2-642d1e6ab6c8

Raw Audit Messages
type=AVC msg=audit(1392506697.155:37166): avc:  denied  { write } for  pid=28189 comm="collectd" name="mysql.sock" dev="dm-0" ino=54526298 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1392506697.155:37166): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7f1af644e840 a2=6e a3=7f1af644e4c0 items=0 ppid=1 pid=28189 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,mysqld_var_run_t,sock_file,write


Version-Release number of selected component (if applicable):

selinux-policy-3.12.1-122.fc20.noarch
collectd-5.4.1-1.fc20.x86_64
collectd-mysql-5.4.1-1.fc20.x86_64

How reproducible:

Always


Steps to Reproduce:
1. Enable mysql plugin for collectd.

Actual results:

SELinux denials when collectd tries to poll the local mysqld.


Expected results:

No denials.

Comment 1 Lukas Vrabec 2014-02-15 23:35:22 UTC
Hi, 

Could you reproduce this bug in Permissive mode, and paste here AVC logs?

Thank you.

Comment 2 Joel Uckelman 2014-02-16 11:52:16 UTC
(In reply to Lukas Vrabec from comment #1)
> Hi, 
> 
> Could you reproduce this bug in Permissive mode, and paste here AVC logs?
> 
> Thank you.

This is what I see in /var/log/audit.log after restarting collectd in permissive mode:

type=SERVICE_START msg=audit(1392551254.505:43362): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="collectd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1392551254.527:43363): avc:  denied  { write } for  pid=2195 comm="collectd" name="mysql.sock" dev="dm-0" ino=54526298 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1392551254.527:43363): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7ffd5285f840 a2=6e a3=7ffd5285f4c0 items=0 ppid=1 pid=2195 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
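
The sealert "catchall" advice in the description (grep the audit log for collectd and feed it to audit2allow) and the permissive-mode re-run requested in comment 1 and pasted in comment 2 are two halves of the same triage step. The script below is an added example, not code from this bug report or from the selinux-policy package: it reconstructs by hand what audit2allow does with those AVC records, and reads the matching SYSCALL record's success= field to tell an enforced denial (success=no, the first one aborts the connect and later denials on the same path never appear) from a permissive-mode one (success=yes, every denial on the path is logged). The sample records are constructed from the two AVC/SYSCALL pairs on this page, with the first SYSCALL line put back into raw form (sealert had rendered syscall=42 and exit=-13 as connect and EACCES) and unrelated fields trimmed. The interface mysql_stream_connect() exists in the Fedora/refpolicy mysql module; whether the fix commit cited in comment 3 uses it is not shown on this page and is an assumption.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Parses raw AVC records into the allow rule audit2allow would emit and
# classifies each denial as enforced or permissive from its SYSCALL record.

# Constructed sample: the two AVC/SYSCALL pairs quoted in the report, with the
# first SYSCALL line in raw form (syscall=42 / exit=-13 instead of the
# connect / EACCES that sealert printed). Unrelated fields are trimmed.
AUDIT_SAMPLE='type=AVC msg=audit(1392506697.155:37166): avc:  denied  { write } for  pid=28189 comm="collectd" name="mysql.sock" dev="dm-0" ino=54526298 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1392506697.155:37166): arch=c000003e syscall=42 success=no exit=-13 a0=6 items=0 ppid=1 pid=28189 uid=0 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1392551254.527:43363): avc:  denied  { write } for  pid=2195 comm="collectd" name="mysql.sock" dev="dm-0" ino=54526298 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1392551254.527:43363): arch=c000003e syscall=42 success=yes exit=0 a0=7 items=0 ppid=1 pid=2195 uid=0 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)'

# avc_to_allow: stdin = audit records; stdout = one allow rule per
# (source type, target type, object class) with permissions merged and
# de-duplicated. This is the raw rule audit2allow writes into mypol.te.
avc_to_allow() {
  awk '
    /^type=AVC / && /avc:  denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      # permissions are the space-separated words between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        # the type is the third colon-separated field of a context
        if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        if (kv[1] == "tclass")   cls = kv[2]
      }
      if (src != "" && tgt != "" && cls != "")
        rules[src " " tgt " " cls] = rules[src " " tgt " " cls] " " perms
    }
    END {
      for (k in rules) {
        split(k, p, " ")
        n = split(rules[k], pl, " "); out = ""; split("", seen)
        for (j = 1; j <= n; j++)
          if (pl[j] != "" && !(pl[j] in seen)) {
            seen[pl[j]] = 1; out = out (out == "" ? "" : " ") pl[j]
          }
        printf "allow %s %s:%s { %s };\n", p[1], p[2], p[3], out
      }
    }' | sort
}

# denial_mode: stdin = audit records; stdout = "<serial> enforced|permissive"
# per AVC event, taken from the success= field of the SYSCALL record that
# shares the event serial (the number after the colon in audit(...:N)).
denial_mode() {
  awk '
    function serial(line,   s) {
      match(line, /audit\([0-9.]+:[0-9]+\)/)
      s = substr(line, RSTART, RLENGTH)
      sub(/.*:/, "", s); sub(/\)/, "", s)
      return s
    }
    /^type=AVC / && /avc:  denied/ { avc[serial($0)] = 1 }
    /^type=SYSCALL / {
      id = serial($0); mode[id] = "unknown"
      for (i = 1; i <= NF; i++) {
        if ($i == "success=no")  mode[id] = "enforced"
        if ($i == "success=yes") mode[id] = "permissive"
      }
    }
    END { for (id in avc) print id, ((id in mode) ? mode[id] : "unknown") }
  ' | sort -n
}

# write_module_te: a narrow local module for this exact need. It calls the
# mysql_stream_connect() interface exported by the mysql policy module rather
# than the raw rule above; whether the upstream fix commit does the same is
# an assumption, not something this page shows. Build and load with:
#   make -f /usr/share/selinux/devel/Makefile local_collectd_mysql.pp
#   semodule -i local_collectd_mysql.pp
write_module_te() {
  cat <<'EOF'
policy_module(local_collectd_mysql, 1.0)

require {
        type collectd_t;
}

# collectd-mysql polls the local mysqld over its unix socket; covers the
# sock_file write denial on /var/lib/mysql/mysql.sock.
mysql_stream_connect(collectd_t)
EOF
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$AUDIT_SAMPLE" | avc_to_allow
printf '%s\n' "$AUDIT_SAMPLE" | denial_mode
```

Two caveats for anyone following the sealert advice literally: `grep collectd /var/log/audit/audit.log | audit2allow -M mypol` turns every denial in the log that mentions collectd into an allow rule, stale ones included, so inspect the generated mypol.te before `semodule -i`; and a local module installed that way outlives the distribution fix, so once the errata policy is in place remove it with `semodule -r mypol` so the host is not carrying a broader grant than the shipped policy.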

Comment 3 Daniel Walsh 2014-02-17 20:24:04 UTC
I guess collectd needs to use a mysql database.

commit bc0fe809a294714ad4a8e6fec88ff9fb10515988 fixes this in git.

Comment 4 Joel Uckelman 2014-02-17 20:41:18 UTC
(In reply to Daniel Walsh from comment #3)
> I guess collectd needs to use a mysql database.

To clarify: collectd needs to connect to mysqld if you've turned on the plugin for monitoring mysqld. collectd doesn't store data in a mysql database.

> commit bc0fe809a294714ad4a8e6fec88ff9fb10515988 fixes this in git.

Thanks for the fix.

Comment 5 Fedora Update System 2014-02-18 22:10:20 UTC
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20

Comment 6 Joel Uckelman 2014-02-19 09:13:11 UTC
The updated policy works for collectd---but completely breaks httpd and mariadb. It looks like it's denying them access to /tmp.

Comment 7 Fedora Update System 2014-02-22 00:42:36 UTC
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-02-26 13:50:48 UTC
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-03-12 12:19:25 UTC
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

