Bug 1262902 - SELinux is preventing PCP's nginx PMDA to collect statistics.
Summary: SELinux is preventing PCP's nginx PMDA to collect statistics.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-09-14 15:06 UTC by Tadej Janež
Modified: 2016-07-19 20:37 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-07-19 20:37:33 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Tadej Janež 2015-09-14 15:06:25 UTC 
Description of problem:
Current SELinux policy is preventing the Performance Metrics Domain Agent (PMDA) for nginx (part of the Performance Co-Pilot (PCP) suite) access to nginx's statistics available at http://localhost/nginx_status.


Version-Release number of selected components:
selinux-policy-targeted-3.13.1-128.12.fc22.noarch
pcp-pmda-nginx-3.10.6-1.fc22.x86_64
nginx-1.8.0-10.fc22.x86_64


How reproducible:
Always.

Steps to Reproduce:
1. sudo dnf install nginx
2. create a file in /etc/nginx/default.d/nginx_status.conf with the following contents:
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
3. sudo systemctl restart nginx.service
4. sudo dnf install "perl(LWP::UserAgent)" pcp-collector
5. sudo touch /var/lib/pcp/pmdas/nginx/.NeedInstall
6. sudo systemctl restart pmcd.service
7. pmval nginx.requests_count

Actual results:
[root@collector vagrant]# pmval nginx.requests_count 

metric:    nginx.requests_count
host:      collector
semantics: cumulative counter (converting to rate)
units:     count (converting to count / sec)
samples:   all

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

The relevant line from /var/log/audit/audit.log:
type=AVC msg=audit(1442242235.474:225): avc:  denied  { name_connect } for  pid=532 comm="perl" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0


Expected results:
[root@collector vagrant]# pmval nginx.requests_count 

metric:    nginx.requests_count
host:      collector
semantics: cumulative counter (converting to rate)
units:     count (converting to count / sec)
samples:   all
               0.9982
               0.9982
               0.9981
Comment 1 Fedora End Of Life 2016-07-19 20:37:33 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Note You need to log in before you can comment on or make changes to this bug.