Bug 1270344 - selinux denies pmdaapache access to port 80 for apache diagnostics
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Jan Zarsky
Reported: 2015-10-09 13:39 EDT by Lukas Berk
Modified: 2016-11-03 22:23 EDT
CC: 10 users

Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Bug Fix
Last Closed: 2016-11-03 22:23:03 EDT
Type: Bug

Attachments:
requested selinux output (199.90 KB, text/x-vhdl), 2015-10-13 10:32 EDT, Lukas Berk

External Trackers:
Red Hat Product Errata RHBA-2016:2283, priority normal, status SHIPPED_LIVE, "selinux-policy bug fix and enhancement update", last updated 2016-11-03 09:36:25 EDT
Description Lukas Berk 2015-10-09 13:39:06 EDT
Description of problem:
SELinux prevents pmdaapache from gathering apache statistics (the equivalent of running `curl http://localhost/server-status`).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. enable extended apache statistics 
2. systemctl restart pmcd httpd
3. cd /var/lib/pcp/pmdas/apache
4. sudo ./Install

Actual results:
pmda is installed with warnings (and no stats values).  AVC denial is presented (output attached)

Expected results:
pmda should produce statistics from parsing http://localhost/server-status

Additional info:
SELinux is preventing /var/lib/pcp/pmdas/apache/pmdaapache from 'name_connect' accesses on the tcp_socket port 80.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that pmdaapache should be allowed name_connect access on the port 80 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep pmdaapache /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:http_port_t:s0
Target Objects                port 80 [ tcp_socket ]
Source                        pmdaapache
Source Path                   /var/lib/pcp/pmdas/apache/pmdaapache
Port                          80
Host                          (removed)
Source RPM Packages           pcp-pmda-apache-3.10.6-2.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-57.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-322.el7.x86_64 #1 SMP Mon
                              Oct 5 21:41:10 EDT 2015 x86_64 x86_64
Alert Count                   22
First Seen                    2015-10-08 19:51:46 EDT
Last Seen                     2015-10-08 20:30:19 EDT
Local ID                      bce5d92d-9ca3-4bd4-853f-5323723734c6

Raw Audit Messages
type=AVC msg=audit(1444350619.254:697): avc:  denied  { name_connect } for  pid=23389 comm="pmdaapache" dest=80 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1444350619.254:697): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=5 a1=7ffd45f1a8a0 a2=1c a3=7ffd45f1a8dc items=0 ppid=20568 pid=23389 auid=4294967295 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=pmdaapache exe=/var/lib/pcp/pmdas/apache/pmdaapache subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

Hash: pmdaapache,pcp_pmcd_t,http_port_t,tcp_socket,name_connect
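As an added example (not part of the bug report, PCP or selinux-policy), a small Python parser for raw AVC records like the one above. It extracts the source and target types and prints the single allow rule this one denial would need, so the output of `audit2allow` can be reviewed against the actual denials before a local module is installed from a whole audit log, which would also pick up unrelated denials. The sample record is a constructed copy of the one quoted in this report.

```python
import re

# Constructed copy of the AVC record quoted in the bug report, for offline use.
AVC_LINE = ('type=AVC msg=audit(1444350619.254:697): avc:  denied  { name_connect } '
            'for  pid=23389 comm="pmdaapache" dest=80 '
            'scontext=system_u:system_r:pcp_pmcd_t:s0 '
            'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket')

# "avc: denied { perm perm } for key=value key=value ..."
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for non-AVC lines (e.g. SYSCALL)."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is what TE rules are written against.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def te_rule(avc):
    """Minimal TE allow rule that would satisfy exactly this denial (audit2allow style)."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'], perm_str)


def denials_for_domain(lines, domain):
    """Keep only AVC denials whose source type is the given domain, e.g. pcp_pmcd_t."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc and avc['result'] == 'denied' and avc['stype'] == domain:
            out.append(avc)
    return out


if __name__ == '__main__':
    for avc in denials_for_domain([AVC_LINE], 'pcp_pmcd_t'):
        print('%s (pid %s): %s' % (avc['comm'], avc['pid'], te_rule(avc)))
```

For the record above this prints the rule `allow pcp_pmcd_t http_port_t:tcp_socket name_connect;`, which is the access the updated selinux-policy package grants to the pmcd domain rather than the `nis_enabled` boolean that sealert guessed at.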
Comment 2 Milos Malik 2015-10-11 16:41:13 EDT
Could you re-run your scenario in enforcing mode and collect SELinux denials?

# setenforce 1
# <your-scenario>
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
Comment 3 Lukas Berk 2015-10-13 10:32 EDT
Created attachment 1082469 [details]
requested selinux output
Comment 4 Mike McCune 2016-03-28 18:59:28 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 8 errata-xmlrpc 2016-11-03 22:23:03 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
