Bug 1219900 - no selinux policies for rrdtool, httpd accessing gmetad port, 8652
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-05-08 15:58 UTC by Dan Yocum
Modified: 2016-12-01 10:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1220663 1260536
Environment:
Last Closed: 2015-11-09 14:44:06 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Bugzilla 884370 (Priority: unspecified, Status: CLOSED): SELinux is preventing /usr/bin/rrdtool from 'setattr' accesses on the directory /var/cache/fontconfig. Last Updated: 2021-02-22 00:41:40 UTC

Description Dan Yocum 2015-05-08 15:58:21 UTC
Description of problem:

Attempting to run ganglia-gmetad fails with selinux problems.

Issue #1:
	
type=AVC msg=audit(1380480812.081:1792): avc:  denied  { setattr } for  pid=5876 comm="rrdtool" name="fontconfig" dev=dm-1 ino=47054911 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

solved by:

chcon -t httpd_sys_script_exec_t /usr/bin/rrdtool
chcon -t httpd_sys_content_t /var/lib/ganglia/rrds -R

and installing this .te file as a work-around.

###
module rrdtool-setattr-fontconfig 1.0;

require {
        type httpd_t;
        type httpd_sys_script_t;
        type fonts_cache_t;
        class dir setattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t fonts_cache_t:dir setattr;

#============= httpd_t ==============
allow httpd_t fonts_cache_t:dir setattr;
###

Issue #2:

type=AVC msg=audit(1380480626.847:1764): avc:  denied  { name_connect } for  pid=2016 comm="httpd" dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


solved by installing this .te file:

###
module http-gangliagmetad-port 1.0;

require {
        type httpd_t;
        type port_t;
        class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;
###

For more reference see this URL:

http://maciek.lasyk.info/sysop/2013/09/29/selinux-ganglia-multicast-apache-rrds/
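The two AVC records in the description are the raw material a defender triages before writing an allow rule. The following Python is an added example, not part of this bug report or of the selinux-policy package: it parses AVC lines in both formats seen in this ticket (raw /var/log/audit/audit.log and `ausearch -i` output) and maps each denial to the narrowest fix rather than the blanket `allow httpd_t port_t:tcp_socket name_connect` module above: label the single port, relabel generic `var_lib_t` data persistently, or keep a local module to the exact permission denied. The sample lines are copied from this report, and the domain-to-port-type table and the remediation wording are the example's own assumptions.

```python
"""Triage SELinux AVC denials and propose the least-privilege remediation.

Added example; not code from the bug report or from selinux-policy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the AVC lines quoted in this report (one in raw
# audit.log form, one in `ausearch -i` form) plus a non-AVC record that the
# parser must skip.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1380480812.081:1792): avc:  denied  { setattr } for  pid=5876 comm="rrdtool" name="fontconfig" dev=dm-1 ino=47054911 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir',
    'type=AVC msg=audit(1380480626.847:1764): avc:  denied  { name_connect } for  pid=2016 comm="httpd" dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(05/12/2015 08:27:35.360:122) : avc:  denied  { setattr } for  pid=12289 comm=httpd name=compiled dev=vda3 ino=77386 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(05/12/2015 08:27:35.360:122) : arch=x86_64 syscall=chmod success=yes exit=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." in either record format.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# key=value pairs; values may be double-quoted (raw log) or bare (ausearch -i).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Port type the report settled on for httpd (Comment 5). Assumed mapping for
# this example; other source domains need their own entry.
PORT_TYPE_FOR_DOMAIN = {"httpd_t": "http_port_t"}

# Generic labels that usually mean "application data was never given a
# specific file context", which is a labeling problem, not a policy gap.
GENERIC_FILE_TYPES = {"var_lib_t", "var_t", "usr_t", "default_t"}


@dataclass
class Avc:
    perms: List[str]
    fields: Dict[str, str]

    @property
    def stype(self) -> str:  # source domain, e.g. httpd_t
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self) -> str:  # target type, e.g. port_t
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self) -> str:  # object class, e.g. tcp_socket
        return self.fields["tclass"]


@dataclass
class Remediation:
    kind: str      # label_port | relabel_files | policy_gap | review
    command: str   # suggested command, with placeholders in <angle brackets>
    note: str


def parse_avc(line: str) -> Optional[Avc]:
    """Return the denial in `line`, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return Avc(perms, fields)


def triage(avc: Avc) -> Remediation:
    """Map one denial to the narrowest fix a defender should try first."""
    if avc.tclass in ("tcp_socket", "udp_socket") and avc.ttype == "port_t":
        # Unlabeled port (generic port_t): label just this port. The
        # httpd_can_network_connect boolean named by audit2allow would open
        # every port to httpd_t, which is far broader than needed.
        proto = "tcp" if avc.tclass == "tcp_socket" else "udp"
        ptype = PORT_TYPE_FOR_DOMAIN.get(avc.stype)
        if ptype is None:
            return Remediation("review", "",
                               f"Unlabeled port but no known port type for {avc.stype}; review before allowing.")
        return Remediation("label_port",
                           f"semanage port -a -t {ptype} -p {proto} {avc.fields.get('dest', '<port>')}",
                           "Labels only this port; narrower than the httpd_can_network_connect boolean.")
    if avc.tclass in ("dir", "file") and avc.ttype in GENERIC_FILE_TYPES:
        # Generic label on application data. Check the default context and fix
        # labeling persistently; chcon alone is reverted by the next restorecon.
        return Remediation("relabel_files",
                           f"matchpathcon <path of {avc.fields.get('name', '<object>')}>; "
                           "semanage fcontext -a -t <writable type> '<dir>(/.*)?'; restorecon -Rv <dir>",
                           "Labeling problem, not a policy gap: make the file context persistent.")
    # Anything else: no labeling fix applies, so the module must stay minimal.
    return Remediation("policy_gap",
                       f"allow {avc.stype} {avc.ttype}:{avc.tclass} {{ {' '.join(avc.perms)} }};",
                       "Grant exactly the denied permission in a local module and report the gap upstream.")


def triage_log(lines: List[str]) -> List[Tuple[Avc, Remediation]]:
    """Triage every AVC denial in `lines`, skipping other audit record types."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            results.append((avc, triage(avc)))
    return results


if __name__ == "__main__":
    for avc, fix in triage_log(SAMPLE_AUDIT_LINES):
        print(f"{avc.stype} -> {avc.ttype}:{avc.tclass} {{ {' '.join(avc.perms)} }}")
        print(f"  [{fix.kind}] {fix.command}")
        print(f"  {fix.note}")
```

Run against the report's own lines, the name_connect denial yields the `semanage port` command from Comment 5, the `var_lib_t` setattr denial is flagged as a labeling problem (the situation Comment 14's restorecon output exposes), and the fontconfig denial falls through to a minimal allow rule, which is the narrow form of the first .te module above.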

Comment 2 Milos Malik 2015-05-12 06:27:21 UTC
# rpm -qa selinux-policy\*
selinux-policy-3.7.19-265.el6.noarch
selinux-policy-targeted-3.7.19-265.el6.noarch
selinux-policy-doc-3.7.19-265.el6.noarch
selinux-policy-mls-3.7.19-265.el6.noarch
selinux-policy-minimum-3.7.19-265.el6.noarch
#

The 8652 port is not labeled in default policy:

# seinfo --portcon=8652
#

Comment 3 Milos Malik 2015-05-12 06:30:19 UTC
Following AVC appeared in enforcing mode:
----
type=SOCKADDR msg=audit(05/12/2015 08:25:00.856:95) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 08:25:00.856:95) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x35 a1=0x7f48a4fb54e0 a2=0x10 a3=0x40 items=0 ppid=12067 pid=12288 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:25:00.856:95) : avc:  denied  { name_connect } for  pid=12288 comm=httpd dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
----

Following AVCs appeared in permissive mode:
----
type=PATH msg=audit(05/12/2015 08:27:35.360:122) : item=0 name=/var/lib/ganglia/dwoo/compiled/./ inode=77386 dev=fc:03 mode=dir,755 ouid=apache ogid=apache rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(05/12/2015 08:27:35.360:122) :  cwd=/usr/share/ganglia 
type=SYSCALL msg=audit(05/12/2015 08:27:35.360:122) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f48cd83ac30 a1=0777 a2=0x21 a3=0x7f48a4f51d28 items=1 ppid=12067 pid=12289 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:27:35.360:122) : avc:  denied  { setattr } for  pid=12289 comm=httpd name=compiled dev=vda3 ino=77386 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir 
----
type=SOCKADDR msg=audit(05/12/2015 08:27:35.274:121) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 08:27:35.274:121) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x35 a1=0x7f48a4fb4fe8 a2=0x10 a3=0x40 items=0 ppid=12067 pid=12289 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:27:35.274:121) : avc:  denied  { name_connect } for  pid=12289 comm=httpd dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
----

Comment 5 Milos Malik 2015-05-12 06:41:22 UTC
Here is a workaround for the { name_connect } AVC:

# semanage port -a -t http_port_t -p tcp 8652
# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8652
#

Comment 7 Dan Yocum 2015-05-19 13:20:13 UTC
Ganglia?  Yes, EPEL. 

rrdtool?  No, RHEL.

Comment 13 Dan Yocum 2015-11-09 15:00:56 UTC
What's the cloned BZ number?

Comment 14 Milos Malik 2015-12-03 08:43:35 UTC
Here is the reason for the { setattr } AVC:

# restorecon -Rv /var
restorecon reset /var/lib/ganglia/conf/events.json context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/conf/event_color.json context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/classpath.cache.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_extra.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_host_metric_graphs.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_view.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_overview.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/footer.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/header.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
#

