Red Hat Bugzilla – Bug 1270344
selinux denies pmdaapache access to port 80 for apache diagnostics
Last modified: 2016-11-03 22:23:03 EDT
Description of problem: selinux denies pmdaapache to gather apache statistics (the equivalent of running `curl http://localhost/server-status` ). Version-Release number of selected component (if applicable): selinux-policy-3.13.1-57 How reproducible: Always Steps to Reproduce: 1. enable extended apache statistics 2. systemctl restart pmcd httpd 3. cd /var/lib/pcp/pmdas/apache 4. sudo ./Install Actual results: pmda is installed with warnings (and no stats values). AVC denial is presented (output attached) Expected results: pmda should produce statistics from parsing http://localhost/server-status Additional info: SELinux is preventing /var/lib/pcp/pmdas/apache/pmdaapache from 'name_connect' accesses on the tcp_socket port 80. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. You can read 'None' man page for more details. Do setsebool -P nis_enabled 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that pmdaapache should be allowed name_connect access on the port 80 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep pmdaapache /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:object_r:http_port_t:s0 Target Objects port 80 [ tcp_socket ] Source pmdaapache Source Path /var/lib/pcp/pmdas/apache/pmdaapache Port 80 Host (removed) Source RPM Packages pcp-pmda-apache-3.10.6-2.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-57.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.10.0-322.el7.x86_64 #1 SMP Mon Oct 5 21:41:10 EDT 2015 x86_64 x86_64 Alert Count 22 First Seen 2015-10-08 19:51:46 EDT Last Seen 2015-10-08 20:30:19 EDT Local ID bce5d92d-9ca3-4bd4-853f-5323723734c6 Raw Audit Messages type=AVC msg=audit(1444350619.254:697): avc: denied { name_connect } for pid=23389 comm="pmdaapache" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1444350619.254:697): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=5 a1=7ffd45f1a8a0 a2=1c a3=7ffd45f1a8dc items=0 ppid=20568 pid=23389 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=pmdaapache exe=/var/lib/pcp/pmdas/apache/pmdaapache subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) Hash: pmdaapache,pcp_pmcd_t,http_port_t,tcp_socket,name_connect
Could you re-run your scenario in enforcing mode and collect SELinux denials? # setenforce 1 # <your-scenario> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
Created attachment 1082469 [details] requested selinux output
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html