Description of problem:
* SELinux denials appear when accessing the ganglia web interface

NVRs:
ganglia-3.7.1-2.el7.x86_64
ganglia-gmetad-3.7.1-2.el7.x86_64
ganglia-gmond-3.7.1-2.el7.x86_64
ganglia-web-3.6.2-2.el7.x86_64
selinux-policy-3.13.1-24.el7.noarch
selinux-policy-devel-3.13.1-24.el7.noarch
selinux-policy-doc-3.13.1-24.el7.noarch
selinux-policy-minimum-3.13.1-24.el7.noarch
selinux-policy-mls-3.13.1-24.el7.noarch
selinux-policy-sandbox-3.13.1-24.el7.noarch
selinux-policy-targeted-3.13.1-24.el7.noarch

Reproducible:
* always

Steps to Reproduce:
# yum -y install ganglia-gmond ganglia-gmetad ganglia-web
# service gmond start
# service gmetad start
# service httpd start
# links http://localhost/ganglia
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Actual results (enforcing mode):
----
type=SOCKADDR msg=audit(05/12/2015 09:03:55.016:182) : saddr=inet host:127.0.0.1 serv:8652
type=SYSCALL msg=audit(05/12/2015 09:03:55.016:182) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x23 a1=0x7f24da9c9c10 a2=0x10 a3=0x0 items=0 ppid=3523 pid=3529 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(05/12/2015 09:03:55.016:182) : avc: denied { name_connect } for pid=3529 comm=httpd dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
----

Actual results (permissive mode):
----
type=PATH msg=audit(05/12/2015 09:17:35.461:222) : item=0 name=/var/lib/ganglia/dwoo/compiled/./ inode=21826000 dev=fd:02 mode=dir,755 ouid=apache ogid=apache rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL
type=CWD msg=audit(05/12/2015 09:17:35.461:222) : cwd=/usr/share/ganglia
type=SYSCALL msg=audit(05/12/2015 09:17:35.461:222) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7f24daace6a0 a1=0777 a2=0x7f24d758baa0 a3=0x7f24d74b2fd0 items=1 ppid=3523 pid=3528 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(05/12/2015 09:17:35.461:222) : avc: denied { setattr } for pid=3528 comm=httpd name=compiled dev="vda2" ino=21826000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
----
type=SOCKADDR msg=audit(05/12/2015 09:17:34.638:221) : saddr=inet host:127.0.0.1 serv:8652
type=SYSCALL msg=audit(05/12/2015 09:17:34.638:221) : arch=x86_64 syscall=connect success=no exit=-115(Operation now in progress) a0=0x23 a1=0x7f24da9cfb98 a2=0x10 a3=0x0 items=0 ppid=3523 pid=3528 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(05/12/2015 09:17:34.638:221) : avc: denied { name_connect } for pid=3528 comm=httpd dest=8652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
----

Expected results:
* ganglia web interface works
* no AVCs

We're going to close this bug as WONTFIX because
* of limited capacity of selinux-policy developers
* the bug is related to EPEL component or 3rd party SW only
* the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module. For more information please see:
* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.