Bug 1271822 - selinux denies pmlogger access to it's own config file
selinux denies pmlogger access to it's own config file
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-14 15:47 EDT by Lukas Berk
Modified: 2016-10-03 03:39 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-19 02:03:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lukas Berk 2015-10-14 15:47:57 EDT
Description of problem:
Upon starting the pmlogger service, selinux blocks pmlogger from reading it's own config file, which causes pmlogger to error out.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-57.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1.yum install pcp
2.systemctl start pmcd pmlogger
3.

Actual results:
pmlogger doesn't start, AVC denial triggered, pmlogger log file shows unable
to read it's config file.

Expected results:
pmlogger starts

Additional info:
AVC denial output
SELinux is preventing /usr/bin/pmlogger from open access on the file /var/lib/pcp/config/pmlogger/config.default.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/lib/pcp/config/pmlogger/config.default default label should be pcp_var_lib_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lib/pcp/config/pmlogger/config.default

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that pmlogger should be allowed open access on the config.default file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pmlogger /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /var/lib/pcp/config/pmlogger/config.default [ file
                              ]
Source                        pmlogger
Source Path                   /usr/bin/pmlogger
Port                          <Unknown>
Host                          rhel7
Source RPM Packages           pcp-3.10.6-2.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-57.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel7
Platform                      Linux rhel7 3.10.0-322.el7.x86_64 #1 SMP Mon Oct 5
                              21:41:10 EDT 2015 x86_64 x86_64
Alert Count                   30
First Seen                    2015-10-14 00:10:13 EDT
Last Seen                     2015-10-14 14:25:10 EDT
Local ID                      bcb45d5e-0c5b-4914-8564-102740c84c4b

Raw Audit Messages
type=AVC msg=audit(1444847110.570:14420): avc:  denied  { open } for  pid=31773 comm="pmlogger" path="/var/lib/pcp/config/pmlogger/config.default" dev="dm-0" ino=70955975 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1444847110.570:14420): arch=x86_64 syscall=open success=no exit=EACCES a0=7f0dfe754010 a1=0 a2=1b6 a3=24 items=0 ppid=27772 pid=31773 auid=992 uid=992 gid=990 euid=992 suid=992 fsuid=992 egid=990 sgid=990 fsgid=990 tty=(none)
Comment 2 Milos Malik 2015-10-15 04:22:07 EDT
The config file is mislabeled, correct label is:

# matchpathcon /var/lib/pcp/config/pmlogger/config.default 
/var/lib/pcp/config/pmlogger/config.default	system_u:object_r:pcp_var_lib_t:s0
#

Please run following command:

# restorecon -Rv /var/lib/pcp
Comment 3 Miroslav Grepl 2015-10-19 02:03:06 EDT
Lukas,
please try to fix labeling how Milos described above and re-open the bug if you are able to reproduce it. 

Thank you.

Note You need to log in before you can comment on or make changes to this bug.