Bug 1304029 - collectd plugins blocked by SELinux
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Hardware: x86_64 Linux
Priority: low Severity: low
Assigned To: Lukas Vrabec
QA Contact: Ben Levenson
Blocks: 1393066
 
Reported: 2016-02-02 12:23 EST by Giovanni Tirloni
Modified: 2017-10-11 18:55 EDT (History)
CC: 19 users

Type: Bug

Attachments
collectd in permissive mode (6.00 KB, text/plain), 2016-02-02 12:23 EST, Giovanni Tirloni
remaining AVC after audit2allow (1.09 KB, text/plain), 2016-02-02 12:23 EST, Giovanni Tirloni

Description Giovanni Tirloni 2016-02-02 12:23:08 EST
Created attachment 1120521
collectd in permissive mode

Description of problem: 

When enabling collectd plugins like lvm, smart, etc, SELinux blocks some operations causing them to fail.

Version-Release number of selected component (if applicable):

collectd-5.5.0-3.el7.x86_64
collectd-lvm-5.5.0-3.el7.x86_64
collectd-ping-5.5.0-3.el7.x86_64
collectd-sensors-5.5.0-3.el7.x86_64
collectd-smart-5.5.0-3.el7.x86_64
collectd-virt-5.5.0-3.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible: Always


Steps to Reproduce:
1. Install collectd and enable plugins like LVM or smart (no config needed)
2. Watch AVCs and error messages

Actual results: collectd is blocked

Expected results: collectd plugins collect the necessary information

Additional info:
Even after running audit2allow, there are certain operations that continue to be blocked. I have attached all the AVCs while collectd was running in permissive mode, as well as the AVCs remaining after audit2allow.
Comment 1 Giovanni Tirloni 2016-02-02 12:23 EST
Created attachment 1120522
remaining AVC after audit2allow
Comment 3 Giovanni Tirloni 2016-02-02 12:37:26 EST
Additionally, trying to allow the sys_admin capability (on top of what audit2allow had suggested before) causes the following error:

$ checkmodule -M -m -o collectd-plugins.mod collectd-plugins.te 
checkmodule:  loading policy configuration from collectd-plugins.te
collectd-plugins.te:34:ERROR 'permission sys_admin is not defined for class capability' at token ';' on line 34:
allow collectd_t self:capability sys_admin;
allow collectd_t udev_var_run_t:file { read getattr open };
checkmodule:  error(s) encountered while parsing configuration
Comment 5 Lukas Vrabec 2016-06-21 11:28:17 EDT
Hi, 

Please, could you try to reproduce the scenario with this local policy?

$ cat local.te 

policy_module(local, 1.0)

require {
	type collectd_t;
	class capability sys_rawio;
}

#============= collectd_t ==============
allow collectd_t self:capability sys_rawio;
dev_rw_lvm_control(collectd_t)
lvm_manage_lock(collectd_t)
lvm_read_config(collectd_t)
lvm_read_metadata(collectd_t)
lvm_stream_connect(collectd_t)
storage_raw_read_fixed_disk(collectd_t)
udev_read_db(collectd_t)

$ make -f /usr/share/selinux/devel/Makefile local.pp
# semodule -i local.pp
Comment 8 Giovanni Tirloni 2016-11-14 08:06:14 EST
Lukas, I don't have the original infrastructure to test this. Sorry.

However, using a VM to reproduce it, it seems your local policy has greatly decreased the warnings. Thank you.

One solution we pursued at the time was running collectd_t in permissive mode. That seems okay given the number of low-level APIs the various plugins were using.
Comment 9 Francesco Romani 2017-02-16 03:19:18 EST
Hi, I have another instance of avc denials which I believe fits here.

SELinux doesn't allow the unixsock plugin to be chowned.
Why we do this: we would like to use collectd in oVirt, and the node management agent (vdsm) would like to talk to collectd using the unix domain socket. So we have this configuration:

$ cat unixsock.conf 
LoadPlugin unixsock
<Plugin unixsock>
    SocketGroup "kvm"
    SocketPerms "0770"
</Plugin>

Related to this group:
$ grep kvm /etc/group
kvm:x:36:qemu,sanlock

Starting collectd, we get: 
Feb 16 09:13:15 hoji.rokugan.lan systemd[1]: Starting Collectd statistics daemon...
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "syslog" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "cpu" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "interface" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "load" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "memory" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "unixsock" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: Systemd detected, trying to signal readyness.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: unixsock plugin: chown (/var/run/collectd-unixsock, -1, 36) failed: Operation not permitted

This is what audit tools say about the matter:

$ audit2why -b
type=AVC msg=audit(1487232795.242:279): avc:  denied  { chown } for  pid=26421 comm=756E6978736F636B206C697374656E capability=0  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


$ audit2allow -b


#============= collectd_t ==============
allow collectd_t self:capability chown;
Comment 10 Lukas Vrabec 2017-03-27 06:28:02 EDT
This bugzilla was triaged as "WONTFIX" by the SELinux team, due to a third-party software component which can be fixed by the component maintainer. To take advantage of the Mandatory Access Control mechanism provided by SELinux, you (component maintainer) can ship a custom SELinux policy as a subpackage of the affected component. As a starting point you can use the policy provided by the selinux-policy package. For more details about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
Comment 11 Ruben Kerkhof 2017-05-05 08:28:07 EDT
Lukas, we've been over this. Collectd's policy is in selinux-policy-targeted, so should be fixed there.

This is not a collectd issue, it's an SELinux issue.
Comment 12 Robert Führicht 2017-07-25 04:47:06 EDT
I've had trouble with the exec and tail plugin as well, I'm using this to compensate:

collectd_local.te

policy_module(collectd_local, 1.0.3)

require {
	type collectd_t;
}

corecmd_dontaudit_getattr_bin_files(collectd_t)

gen_tunable(collectd_access_tmp, false)
tunable_policy(`collectd_access_tmp',`
	files_rw_generic_tmp_dir(collectd_t)
')

gen_tunable(collectd_read_logs, false)
tunable_policy(`collectd_read_logs',`
	logging_read_all_logs(collectd_t)
')

gen_tunable(collectd_allow_exec_plugin, false)
tunable_policy(`collectd_allow_exec_plugin',`
	corecmd_exec_bin(collectd_t)
	corecmd_exec_shell(collectd_t)
')

/tmp access and log-file access are needed by the tail plugin and the ability to exec scripts and binaries is needed by the exec plugin.
Comment 13 Jan Kurik 2017-08-15 02:48:25 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 14 Håkon Løvdal 2017-10-11 18:54:15 EDT
Trying to enable the write_graphite plugin fails with

type=AVC msg=audit(1507756688.781:4320): avc:  denied  { name_connect } for  pid=19034 comm="writer#3" dest=2003 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket permissive=0


Workaround with the following policy:

policy_module(selinux_bug_1304029, 1.0)

require {
        type collectd_t;
        type lmtp_port_t;
}

allow collectd_t lmtp_port_t:tcp_socket name_connect;


(/usr/share/selinux/devel/Makefile dependent on selinux-policy-devel btw)
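The workarounds in this thread all follow the same route: capture AVC records, run audit2allow, load a local module. The added example below is not code from the bug, from collectd or from selinux-policy; it is a small audit2allow-style generator that shows three points a practitioner wants when doing this by hand. It decodes the hex-encoded comm= field that audit emits when the command name contains whitespace (the 756E6978736F636B206C697374656E in Comment 9 is "unixsock listen"), it merges permissions per source type, target type and class, and it writes a require block that declares every type, class and permission the allow rules use, which is exactly what was missing when the sys_admin permission was added by hand in Comment 3 ("permission sys_admin is not defined for class capability"). The sample input is the two AVC records quoted in Comments 9 and 14 plus one constructed record; the module name collectd_local is an arbitrary choice.

```python
"""
audit2allow-style generator for raw AVC records (added example, not from
this bug, from collectd or from selinux-policy).
"""
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in Comments 9 and 14 of this bug,
# plus a third record that is constructed here (not from the bug) so that
# permission merging on the capability class is visible in the output.
SAMPLE_AVCS = """\
type=AVC msg=audit(1487232795.242:279): avc:  denied  { chown } for  pid=26421 comm=756E6978736F636B206C697374656E capability=0  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
type=AVC msg=audit(1507756688.781:4320): avc:  denied  { name_connect } for  pid=19034 comm="writer#3" dest=2003 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1507756700.000:4321): avc:  denied  { fowner } for  pid=19034 comm="unixsock listen" capability=3 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"comm=(?P<comm>\"[^\"]*\"|[0-9A-Fa-f]+).*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def decode_comm(raw):
    """audit quotes comm= when it is printable; otherwise it is hex of the raw bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    if len(raw) % 2:
        return raw  # not valid hex; hand it back unchanged
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def context_type(ctx):
    """user:role:type:range -> type (index 2 also holds for MLS ranges such as s0-s0:c0.c1023)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC denial found in text; lines that are not AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": m["perms"].split(),
            "comm": decode_comm(m["comm"]),
            "stype": context_type(m["scontext"]),
            "ttype": context_type(m["tcontext"]),
            "tclass": m["tclass"],
        })
    return denials


def _permset(perms):
    """Single permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(denials, module="collectd_local", version="1.0"):
    """Render module source in the same shape as the local.te in Comment 5."""
    rules = defaultdict(set)    # (stype, ttype, tclass) -> permissions
    classes = defaultdict(set)  # tclass -> permissions, for the require block
    types = set()
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
        classes[d["tclass"]].update(d["perms"])
        types.update((d["stype"], d["ttype"]))

    out = [f"policy_module({module}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    # Every permission used below is declared here, so checkmodule does not
    # fail with "permission X is not defined for class Y".
    out += [f"\tclass {c} {_permset(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {_permset(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    for d in found:
        print(f"# {d['comm']!r}: {d['stype']} -> {d['ttype']} ({d['tclass']}: {' '.join(d['perms'])})")
    print(generate_te(found))
```

The output is a starting point to review, not a module to load blindly: the name_connect rule it emits for Comment 14 grants collectd_t a connection to every port carrying the lmtp_port_t label, not only 2003, and the capability rules are per-domain grants with no object restriction. Where selinux-policy provides an interface for the access (as Comment 5 does with lvm_read_config(collectd_t) and storage_raw_read_fixed_disk(collectd_t)), prefer the interface to a raw allow rule, and build and load the result as in Comment 5 (make -f /usr/share/selinux/devel/Makefile, then semodule -i).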
Comment 15 Håkon Løvdal 2017-10-11 18:55:42 EDT
Lukas, what are your plans for fixing this? This bug was reported over 20 months ago.
