Bug 1220663 - no selinux policies for rrdtool, httpd accessing gmetad port 8652
Summary: no selinux policies for rrdtool, httpd accessing gmetad port 8652
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-12 07:19 UTC by Milos Malik
Modified: 2017-10-12 12:21 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1219900
Environment:
Last Closed: 2017-10-12 12:19:30 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Milos Malik 2015-05-12 07:19:18 UTC 
Description of problem:
 * SELinux denials appear when accessing the ganglia web interface

NVRs:
ganglia-3.7.1-2.el7.x86_64
ganglia-gmetad-3.7.1-2.el7.x86_64
ganglia-gmond-3.7.1-2.el7.x86_64
ganglia-web-3.6.2-2.el7.x86_64
selinux-policy-3.13.1-24.el7.noarch
selinux-policy-devel-3.13.1-24.el7.noarch
selinux-policy-doc-3.13.1-24.el7.noarch
selinux-policy-minimum-3.13.1-24.el7.noarch
selinux-policy-mls-3.13.1-24.el7.noarch
selinux-policy-sandbox-3.13.1-24.el7.noarch
selinux-policy-targeted-3.13.1-24.el7.noarch

Reproducible:
 * always

Steps to Reproduce:
# yum -y install ganglia-gmond ganglia-gmetad ganglia-web
# service gmond start
# service gmetad start
# service httpd start
# links http://localhost/ganglia
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Actual results (enforcing mode):
----
type=SOCKADDR msg=audit(05/12/2015 09:03:55.016:182) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 09:03:55.016:182) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x23 a1=0x7f24da9c9c10 a2=0x10 a3=0x0 items=0 ppid=3523 pid=3529 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 09:03:55.016:182) : avc:  denied  { name_connect } for  pid=3529 comm=httpd dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----

Actual results (permissive mode):
----
type=PATH msg=audit(05/12/2015 09:17:35.461:222) : item=0 name=/var/lib/ganglia/dwoo/compiled/./ inode=21826000 dev=fd:02 mode=dir,755 ouid=apache ogid=apache rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL 
type=CWD msg=audit(05/12/2015 09:17:35.461:222) :  cwd=/usr/share/ganglia 
type=SYSCALL msg=audit(05/12/2015 09:17:35.461:222) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f24daace6a0 a1=0777 a2=0x7f24d758baa0 a3=0x7f24d74b2fd0 items=1 ppid=3523 pid=3528 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 09:17:35.461:222) : avc:  denied  { setattr } for  pid=3528 comm=httpd name=compiled dev="vda2" ino=21826000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir 
----
type=SOCKADDR msg=audit(05/12/2015 09:17:34.638:221) : saddr=inet host:127.0.0.1 serv:8652 
type=SYSCALL msg=audit(05/12/2015 09:17:34.638:221) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x23 a1=0x7f24da9cfb98 a2=0x10 a3=0x0 items=0 ppid=3523 pid=3528 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/12/2015 09:17:34.638:221) : avc:  denied  { name_connect } for  pid=3528 comm=httpd dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket 
----

Expected results:
 * ganglia web interface works
 * no AVCs
Comment 5 Lukas Vrabec 2017-10-12 12:19:30 UTC 
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 6 Lukas Vrabec 2017-10-12 12:21:23 UTC 
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Note You need to log in before you can comment on or make changes to this bug.