Bug 1211520 - pmcd daemon (from pcp suite) requires access to mariadb's socket
Summary: pmcd daemon (from pcp suite) requires access to mariadb's socket
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks: 1233241
Reported: 2015-04-14 08:38 UTC by Miloš Prchlík
Modified: 2015-11-19 10:31 UTC (History)

Fixed In Version: selinux-policy-3.13.1-31.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1233241
Environment:
Last Closed: 2015-11-19 10:31:30 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Miloš Prchlík 2015-04-14 08:38:27 UTC
Description of problem:

When a user wants to monitor MariaDB (or MySQL) state using PCP, the pmdamysql agent is available for this task. It connects to the running database server instance and queries several runtime statistics. Unfortunately the pmcd daemon that actually runs pmdamysql is not allowed to access the database server's socket:

type=AVC msg=audit(1428587242.784:1279): avc:  denied  { write } for  pid=57064 comm="perl" name="mysql.sock" dev="dm-0" ino=101577429 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428587242.784:1279): avc:  denied  { connectto } for  pid=57064 comm="perl" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1428587242.784:1279): arch=80000016 syscall=102 success=yes exit=0 a0=3 a1=3ffffee59a8 a2=0 a3=3fffcf3c7f8 items=0 ppid=55926 pid=57064 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

I used this policy as a workaround (created using audit2allow -m pmdamysql-mysql-socket):

module pmdamysql-mysql-socket 1.0;

require {
        type mysqld_db_t;
        type mysqld_t;
        type mysqld_var_run_t;
        type pcp_pmcd_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class dir search;
}

#============= pcp_pmcd_t ==============
allow pcp_pmcd_t mysqld_db_t:dir search;

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow pcp_pmcd_t mysqld_t:unix_stream_socket connectto;
allow pcp_pmcd_t mysqld_var_run_t:sock_file write;


Version-Release number of selected component (if applicable):

mariadb-server-5.5.41-2.el7_0
selinux-policy-3.13.1-23.el7
pcp-3.9.10-8.el7


How reproducible:


Steps to Reproduce:
1. systemctl start pmcd.service
2. systemctl start mariadb.service
3. cd /var/lib/pcp/pmdas/mysql
4. ./Install (press 'b' for "both collector and monitor")
5. pminfo -f mysql.status.com_select


Actual results:

The pminfo command should yield this output:

mysql.status.com_select
Error: Metric not supported by this version of monitored application

"Unsupported" is caused by pmdamysql not being able to connect to database server. Also, /var/log/pcp/pmcd/mysql.log will report failed connections to a MySQL server:

"DBI connect('mysql','dbmonitor',...) failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) at /var/lib/pcp/pmdas/mysql/pmdamysql.pl line 61."

When run in SELinux permissive mode, the above-mentioned AVCs will pop out.


Expected results:

pminfo should present something like this (# of executed SELECT commands):

mysql.status.com_select
    value 2

Also no errors in /var/log/pcp/pmcd/mysql.log and no AVCs in permissive mode.


Additional info:
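As an added example (not part of the bug report, nor code from the pcp or selinux-policy projects), here is a small Python triage script for audit records like the ones quoted above. It parses AVC and SYSCALL records, correlates them by audit serial number (one connect() here produced two AVCs under serial 1279), reports whether each denial was actually blocked (success=no, as in enforcing mode) or merely logged (success=yes, as in the permissive-mode capture in the report), and emits a policy module in the same shape as the audit2allow -m output shown in the workaround. The sample log is constructed: the three records from the report plus one made-up enforcing-mode record pair (serial 1280, the mysqld_db_t dir search that the workaround also covers). The boolean hint audit2allow prints (daemons_enable_cluster_mode) comes from consulting the installed policy and is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample log: the three records quoted in the bug report (serial
# 1279, permissive mode, so the syscall still succeeded) plus one constructed
# record pair (serial 1280) showing the same kind of denial under enforcing
# mode (success=no, exit=-13 i.e. EACCES).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1428587242.784:1279): avc:  denied  { write } for  pid=57064 comm="perl" name="mysql.sock" dev="dm-0" ino=101577429 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428587242.784:1279): avc:  denied  { connectto } for  pid=57064 comm="perl" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1428587242.784:1279): arch=80000016 syscall=102 success=yes exit=0 a0=3 a1=3ffffee59a8 a2=0 a3=3fffcf3c7f8 items=0 ppid=55926 pid=57064 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1428587300.100:1280): avc:  denied  { search } for  pid=57070 comm="perl" name="mysql" dev="dm-0" ino=1001 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1428587300.100:1280): arch=80000016 syscall=102 success=no exit=-13 a0=3 a1=0 a2=0 a3=0 items=0 ppid=55926 pid=57070 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
"""

# Every audit record starts with type=... msg=audit(timestamp:serial):
AUDIT_HDR = r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
AVC_RE = re.compile(AUDIT_HDR + r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
SYSCALL_RE = re.compile(AUDIT_HDR + r'(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(text):
    """Split the key=value tail of a record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Third field of an SELinux context user:role:type:level."""
    return context.split(':')[2]


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.match(line)
    if not m or m.group('type') != 'AVC':
        return None
    f = _fields(m.group('rest'))
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'source': type_of(f['scontext']),
        'target': type_of(f['tcontext']),
        'tclass': f['tclass'],
        'comm': f.get('comm', '?'),
        'object': f.get('path') or f.get('name') or '?',
    }


def parse_syscall(line):
    """Return (serial, succeeded) for a SYSCALL record, else None."""
    m = SYSCALL_RE.match(line)
    if not m or m.group('type') != 'SYSCALL':
        return None
    return int(m.group('serial')), _fields(m.group('rest')).get('success') == 'yes'


def allow_rule(avc):
    """One allow rule in the form audit2allow prints."""
    return "allow %s %s:%s %s;" % (avc['source'], avc['target'], avc['tclass'],
                                   ' '.join(avc['perms']))


def triage(audit_text):
    """Parse an audit excerpt and annotate each denial with its enforcement mode."""
    denials, outcomes = [], {}
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            denials.append(avc)
            continue
        sc = parse_syscall(line)
        if sc:
            outcomes[sc[0]] = sc[1]
    for d in denials:
        ok = outcomes.get(d['serial'])
        # A denied AVC whose syscall still succeeded was only logged: permissive
        # mode (or a permissive domain). success=no means the access was really
        # blocked, which is what the same denial looks like under enforcing.
        d['mode'] = 'unknown' if ok is None else ('permissive' if ok else 'enforcing')
        d['rule'] = allow_rule(d)
    return denials


def build_module(name, denials):
    """Emit a policy module in the shape audit2allow -m produces."""
    types, classes, rules = set(), defaultdict(set), []
    for d in denials:
        types.update((d['source'], d['target']))
        classes[d['tclass']].update(d['perms'])
        if d['rule'] not in rules:
            rules.append(d['rule'])
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        p = sorted(perms)
        out.append("\tclass %s %s;" % (cls, p[0] if len(p) == 1 else "{ %s }" % ' '.join(p)))
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == '__main__':
    found = triage(SAMPLE_AUDIT)
    for d in found:
        print("%-10s serial=%d %s -> %s (%s)  %s"
              % (d['mode'], d['serial'], d['comm'], d['object'], d['tclass'], d['rule']))
    print(build_module("pmdamysql-mysql-socket", found))
```

The generated module grants exactly what the captured denials need and nothing more, which is why its three rules coincide with the reporter's workaround; a rule set derived this way is only as complete as the denials that were captured, so the test should be repeated after loading it. The distribution fix in selinux-policy-3.13.1-31.el7 remains the preferred resolution, because a local module has to be carried across every policy update.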

Comment 4 errata-xmlrpc 2015-11-19 10:31:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

