Bug 1219900 - no selinux policies for rrdtool, httpd accessing gmetad port, 8652
Summary: no selinux policies for rrdtool, httpd accessing gmetad port, 8652
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-08 15:58 UTC by Dan Yocum
Modified: 2016-12-01 10:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1220663 1260536
Environment:
Last Closed: 2015-11-09 14:44:06 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 884370 None CLOSED SELinux is preventing /usr/bin/rrdtool from 'setattr' accesses on the directory /var/cache/fontconfig. 2018-11-09 21:24:31 UTC

Description Dan Yocum 2015-05-08 15:58:21 UTC
Description of problem:

Attempting to run ganglia-gmetad fails with selinux problems.

Issue #1:
type=AVC msg=audit(1380480812.081:1792): avc:  denied  { setattr } for  pid=5876 comm="rrdtool" name="fontconfig" dev=dm-1 ino=47054911 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

solved by:

chcon -t httpd_sys_script_exec_t /usr/bin/rrdtool
chcon -t httpd_sys_content_t /var/lib/ganglia/rrds -R

and installing this .te file as a workaround.

###
module rrdtool-setattr-fontconfig 1.0;

require {
        type httpd_t;
        type httpd_sys_script_t;
        type fonts_cache_t;
        class dir setattr;
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t fonts_cache_t:dir setattr;

#============= httpd_t ==============
allow httpd_t fonts_cache_t:dir setattr;
###

Issue #2:

type=AVC msg=audit(1380480626.847:1764): avc:  denied  { name_connect } for  pid=2016 comm="httpd" dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


solved by installing this .te file:

###
module http-gangliagmetad-port 1.0;

require {
        type httpd_t;
        type port_t;
        class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;
###

For more reference see this URL:

http://maciek.lasyk.info/sysop/2013/09/29/selinux-ganglia-multicast-apache-rrds/

Comment 2 Milos Malik 2015-05-12 06:27:21 UTC
# rpm -qa selinux-policy\*
selinux-policy-3.7.19-265.el6.noarch
selinux-policy-targeted-3.7.19-265.el6.noarch
selinux-policy-doc-3.7.19-265.el6.noarch
selinux-policy-mls-3.7.19-265.el6.noarch
selinux-policy-minimum-3.7.19-265.el6.noarch
#

The 8652 port is not labeled in default policy:

# seinfo --portcon=8652
#

Comment 3 Milos Malik 2015-05-12 06:30:19 UTC
Following AVC appeared in enforcing mode:
----
type=SOCKADDR msg=audit(05/12/2015 08:25:00.856:95) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 08:25:00.856:95) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x35 a1=0x7f48a4fb54e0 a2=0x10 a3=0x40 items=0 ppid=12067 pid=12288 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:25:00.856:95) : avc:  denied  { name_connect } for  pid=12288 comm=httpd dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
----

Following AVCs appeared in permissive mode:
----
type=PATH msg=audit(05/12/2015 08:27:35.360:122) : item=0 name=/var/lib/ganglia/dwoo/compiled/./ inode=77386 dev=fc:03 mode=dir,755 ouid=apache ogid=apache rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(05/12/2015 08:27:35.360:122) :  cwd=/usr/share/ganglia 
type=SYSCALL msg=audit(05/12/2015 08:27:35.360:122) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f48cd83ac30 a1=0777 a2=0x21 a3=0x7f48a4f51d28 items=1 ppid=12067 pid=12289 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:27:35.360:122) : avc:  denied  { setattr } for  pid=12289 comm=httpd name=compiled dev=vda3 ino=77386 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir 
----
type=SOCKADDR msg=audit(05/12/2015 08:27:35.274:121) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 08:27:35.274:121) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x35 a1=0x7f48a4fb4fe8 a2=0x10 a3=0x40 items=0 ppid=12067 pid=12289 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 08:27:35.274:121) : avc:  denied  { name_connect } for  pid=12289 comm=httpd dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
----

Comment 5 Milos Malik 2015-05-12 06:41:22 UTC
Here is a workaround for the { name_connect } AVC:

# semanage port -a -t http_port_t -p tcp 8652
# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8652
#

Comment 7 Dan Yocum 2015-05-19 13:20:13 UTC
Ganglia?  Yes, EPEL. 

rrdtool?  No, RHEL.

Comment 13 Dan Yocum 2015-11-09 15:00:56 UTC
What's the cloned BZ number?

Comment 14 Milos Malik 2015-12-03 08:43:35 UTC
Here is the reason for the { setattr } AVC:

# restorecon -Rv /var
restorecon reset /var/lib/ganglia/conf/events.json context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/conf/event_color.json context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/classpath.cache.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_extra.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_host_metric_graphs.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_view.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/cluster_overview.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/footer.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
restorecon reset /var/lib/ganglia/dwoo/compiled/templates/default/header.tpl.d17.php context unconfined_u:object_r:httpd_var_lib_t:s0->unconfined_u:object_r:var_lib_t:s0
#
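As an added example (not code from this bug report or from the selinux-policy package), a small Python triage script that parses the AVC records quoted above and maps each to the narrowest remediation the thread arrived at: labelling the port for the name_connect denial (comment 5) and restorecon for the var_lib_t setattr denial (comment 14). The mapping rules in suggest() are my own assumptions; the sample lines are copied from this report.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three distinct AVC records quoted in this bug (one raw audit.log line, two in `ausearch -i` format).
SAMPLE_AVCS = """\
type=AVC msg=audit(1380480812.081:1792): avc:  denied  { setattr } for  pid=5876 comm="rrdtool" name="fontconfig" dev=dm-1 ino=47054911 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=AVC msg=audit(05/12/2015 08:25:00.856:95) : avc:  denied  { name_connect } for  pid=12288 comm=httpd dest=8652 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(05/12/2015 08:27:35.360:122) : avc:  denied  { setattr } for  pid=12289 comm=httpd name=compiled dev=vda3 ino=77386 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Avc:
    perms: tuple          # permissions denied, e.g. ("name_connect",)
    source_type: str      # domain of the process, e.g. httpd_t
    target_type: str      # type of the object, e.g. port_t
    tclass: str           # object class, e.g. tcp_socket
    fields: dict          # every key=value pair after "for"

def parse_avc(line):
    """Parse one AVC record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return Avc(
        perms=tuple(m.group("perms").split()),
        source_type=fields["scontext"].split(":")[2],
        target_type=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        fields=fields,
    )

def suggest(avc):
    """Narrowest fix first: relabel the object before writing an allow rule."""
    # Unlabelled TCP port (port_t): label it http_port_t as in comment 5, instead of
    # enabling httpd_can_network_connect for every destination (assumed rule).
    if avc.tclass == "tcp_socket" and "name_connect" in avc.perms and avc.target_type == "port_t":
        return f"semanage port -a -t http_port_t -p tcp {avc.fields['dest']}"
    # Generic var_lib_t under /var/lib: wrong file label, fix with restorecon as in comment 14.
    if avc.source_type == "httpd_t" and avc.target_type == "var_lib_t":
        return "restorecon -Rv /var/lib/ganglia"
    # Anything else (e.g. fonts_cache_t) needs a policy decision, not an automatic allow.
    return "manual review: check labels and booleans before building a custom module"

def triage(log_text):
    """One (source_type, target_type, perms, suggestion) tuple per denial."""
    avcs = filter(None, map(parse_avc, log_text.splitlines()))
    return [(a.source_type, a.target_type, a.perms, suggest(a)) for a in avcs]
```

Run triage(SAMPLE_AVCS) or feed it the output of `ausearch -m avc -i` to get a list of denials with a proposed label fix for each.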

