Bug 1262902 - SELinux is preventing PCP's nginx PMDA to collect statistics.
SELinux is preventing PCP's nginx PMDA to collect statistics.
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
22
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-14 11:06 EDT by Tadej Janež
Modified: 2016-07-19 16:37 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 16:37:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tadej Janež 2015-09-14 11:06:25 EDT
Description of problem:
Current SELinux policy is preventing the Performance Metrics Domain Agent (PMDA) for nginx (part of the Performance Co-Pilot (PCP) suite) access to nginx's statistics available at http://localhost/nginx_status.


Version-Release number of selected components:
selinux-policy-targeted-3.13.1-128.12.fc22.noarch
pcp-pmda-nginx-3.10.6-1.fc22.x86_64
nginx-1.8.0-10.fc22.x86_64


How reproducible:
Always.

Steps to Reproduce:
1. sudo dnf install nginx
2. create a file in /etc/nginx/default.d/nginx_status.conf with the following contents:
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    allow ::1;
    deny all;
}
3. sudo systemctl restart nginx.service
4. sudo dnf install "perl(LWP::UserAgent)" pcp-collector
5. sudo touch /var/lib/pcp/pmdas/nginx/.NeedInstall
6. sudo systemctl restart pmcd.service
7. pmval nginx.requests_count

Actual results:
[root@collector vagrant]# pmval nginx.requests_count 

metric:    nginx.requests_count
host:      collector
semantics: cumulative counter (converting to rate)
units:     count (converting to count / sec)
samples:   all

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

pmval: pmFetch: Unknown or illegal metric identifier

The relevant line from /var/log/audit/audit.log:
type=AVC msg=audit(1442242235.474:225): avc:  denied  { name_connect } for  pid=532 comm="perl" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0


Expected results:
[root@collector vagrant]# pmval nginx.requests_count 

metric:    nginx.requests_count
host:      collector
semantics: cumulative counter (converting to rate)
units:     count (converting to count / sec)
samples:   all
               0.9982
               0.9982
               0.9981
Comment 1 Fedora End Of Life 2016-07-19 16:37:33 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.