Created attachment 1120521 [details]
collectd in permissive mode

Description of problem:
When enabling collectd plugins like lvm, smart, etc., SELinux blocks some operations, causing them to fail.

Version-Release number of selected component (if applicable):
collectd-5.5.0-3.el7.x86_64
collectd-lvm-5.5.0-3.el7.x86_64
collectd-ping-5.5.0-3.el7.x86_64
collectd-sensors-5.5.0-3.el7.x86_64
collectd-smart-5.5.0-3.el7.x86_64
collectd-virt-5.5.0-3.el7.x86_64
libselinux-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install collectd and enable plugins like LVM or smart (no config needed)
2. Watch AVCs and error messages

Actual results:
collectd is blocked

Expected results:
collectd plugins collect the necessary information

Additional info:
Even after running audit2allow, there are certain operations that continue to be blocked. I have attached all the AVCs while collectd was running in permissive mode, as well as the AVCs after audit2allow.
Created attachment 1120522 [details] remaining AVC after audit2allow
Additionally, trying to allow the sys_admin capability (on top of what audit2allow had suggested before) causes the following error:

$ checkmodule -M -m -o collectd-plugins.mod collectd-plugins.te
checkmodule: loading policy configuration from collectd-plugins.te
collectd-plugins.te:34:ERROR 'permission sys_admin is not defined for class capability' at token ';' on line 34:
allow collectd_t self:capability sys_admin;
allow collectd_t udev_var_run_t:file { read getattr open };
checkmodule: error(s) encountered while parsing configuration
Hi,

Please, could you reproduce the scenario with this local policy?

$ cat local.te
policy_module(local, 1.0)

require {
	type collectd_t;
	class capability sys_rawio;
}

#============= collectd_t ==============
allow collectd_t self:capability sys_rawio;
dev_rw_lvm_control(collectd_t)
lvm_manage_lock(collectd_t)
lvm_read_config(collectd_t)
lvm_read_metadata(collectd_t)
lvm_stream_connect(collectd_t)
storage_raw_read_fixed_disk(collectd_t)
udev_read_db(collectd_t)

$ make -f /usr/share/selinux/devel/Makefile local.pp
# semodule -i local.pp
Lukas, I don't have the original infrastructure to test this. Sorry. However, using a VM to reproduce it, it seems your local policy has greatly decreased the warnings. Thank you.

One solution we pursued at the time was running collectd_t in permissive mode. That seems okay given the number of low-level APIs the various plugins were using.
Hi,

I have another instance of AVC denials which I believe fits here. SELinux doesn't allow the unixsock plugin to be chowned.

Why we do this: we would like to use collectd in oVirt, and the node management agent (vdsm) would like to talk to collectd using the unix domain socket. So we have this configuration:

$ cat unixsock.conf
LoadPlugin unixsock
<Plugin unixsock>
	SocketGroup "kvm"
	SocketPerms "0770"
</Plugin>

Related to this group:

$ grep kvm /etc/group
kvm:x:36:qemu,sanlock

Starting collectd, we get:

Feb 16 09:13:15 hoji.rokugan.lan systemd[1]: Starting Collectd statistics daemon...
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "syslog" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "cpu" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "interface" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "load" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "memory" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: plugin_load: plugin "unixsock" successfully loaded.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: Systemd detected, trying to signal readyness.
Feb 16 09:13:15 hoji.rokugan.lan collectd[26420]: unixsock plugin: chown (/var/run/collectd-unixsock, -1, 36) failed: Operation not permitted

This is what audit tools say about the matter:

$ audit2why -b
type=AVC msg=audit(1487232795.242:279): avc: denied { chown } for pid=26421 comm=756E6978736F636B206C697374656E capability=0 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

$ audit2allow -b

#============= collectd_t ==============
allow collectd_t self:capability chown;
This bugzilla was triaged as "WONTFIX" by the SELinux team, due to third-party software component which can be fixed by component maintainer. To take advantage of Mandatory Access Control mechanism provided by SELinux, you (component maintainer) can ship custom SELinux policy as a subpackage of the affected component. As a starting point you can use policy provided by selinux-policy package. For more details about the custom product policy, please follow the https://fedoraproject.org/wiki/SELinux/IndependentPolicy guideline.
Lukas, we've been over this. Collectd's policy is in selinux-policy-targeted, so should be fixed there. This is not a collectd issue, it's an SELinux issue.
I've had trouble with the exec and tail plugin as well; I'm using this to compensate:

collectd_local.te
policy_module(collectd_local, 1.0.3)

require {
	type collectd_t;
}

corecmd_dontaudit_getattr_bin_files(collectd_t)

gen_tunable(collectd_access_tmp, false)
tunable_policy(`collectd_access_tmp',`
	files_rw_generic_tmp_dir(collectd_t)
')

gen_tunable(collectd_read_logs, false)
tunable_policy(`collectd_read_logs',`
	logging_read_all_logs(collectd_t)
')

gen_tunable(collectd_allow_exec_plugin, false)
tunable_policy(`collectd_allow_exec_plugin',`
	corecmd_exec_bin(collectd_t)
	corecmd_exec_shell(collectd_t)
')

/tmp access and log-file access are needed by the tail plugin, and the ability to exec scripts and binaries is needed by the exec plugin.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
Trying to enable the write_graphite plugin fails with

type=AVC msg=audit(1507756688.781:4320): avc: denied { name_connect } for pid=19034 comm="writer#3" dest=2003 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket permissive=0

Workaround with the following policy:

policy_module(selinux_bug_1304029, 1.0)

require {
	type collectd_t;
	type lmtp_port_t;
}

allow collectd_t lmtp_port_t:tcp_socket name_connect;

(/usr/share/selinux/devel/Makefile dependent on selinux-policy-devel btw)
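As an added example (not collectd's code, and not the selinux-policy team's tooling), the following Python script parses AVC denial records like the two quoted in this bug (the chown denial hit by the unixsock plugin and the name_connect denial hit by write_graphite) and turns them into the minimal type-enforcement module that audit2allow would produce: it pulls out the source and target types, the object class and the permissions, decodes the hex-encoded comm= field (auditd hex-encodes it when the thread name contains a space, which is why "unixsock listen" looks opaque above), merges repeated denials of the same object, and emits the require block that checkmodule insists on. The two sample records are copied from this bug; the module name and the helper function names are this example's own.

```python
"""Parse SELinux AVC denial records and emit minimal type-enforcement rules.

Added example, not collectd's or selinux-policy's code. It mirrors what
audit2allow does for the AVC records quoted in this bug, offline, so the
resulting rules can be read and reviewed before anything is loaded.
"""
import re
from collections import defaultdict

# Sample records copied from this bug report (constructed input for the example).
SAMPLE_AVCS = """\
type=AVC msg=audit(1487232795.242:279): avc: denied { chown } for pid=26421 comm=756E6978736F636B206C697374656E capability=0 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
type=AVC msg=audit(1507756688.781:4320): avc: denied { name_connect } for pid=19034 comm="writer#3" dest=2003 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:lmtp_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bcomm=(?P<comm>\"[^\"]*\"|\S+).*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def decode_comm(raw):
    """comm= is quoted when printable; auditd hex-encodes it otherwise
    (the collectd thread name 'unixsock listen' contains a space)."""
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("ascii")
    except ValueError:
        return raw


def context_type(ctx):
    """user:role:type:level -> type (the third field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict describing one denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        "comm": decode_comm(m.group("comm")),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was allowed but logged; absent means enforcing.
        "permissive": m.group("permissive") == "1",
    }


def perm_text(perms):
    """Single permission bare, several in braces, as in the page's own .te files."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_te(lines, module_name="local", version="1.0"):
    """Build a .te module covering every denial in `lines`.

    Rules are keyed on (source, target, class) so repeated denials of the same
    object collapse into one allow line with the union of permissions. 'self'
    is used when source and target types are equal. The require block lists
    every type and every class/permission used: leaving a capability permission
    out of it is exactly what produces the checkmodule error quoted earlier.
    """
    rules = defaultdict(set)
    types = set()
    classes = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        rules[(avc["stype"], avc["ttype"], avc["tclass"])].update(avc["perms"])
        types.update({avc["stype"], avc["ttype"]})
        classes[avc["tclass"]].update(avc["perms"])

    out = [f"policy_module({module_name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {perm_text(classes[cls])};" for cls in sorted(classes)]
    out += ["}", ""]
    for src, tgt, cls in sorted(rules):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {perm_text(rules[(src, tgt, cls)])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate_te(SAMPLE_AVCS.splitlines(), module_name="collectd_local"))
```

Feeding the two sample records through generate_te yields a require block naming collectd_t, lmtp_port_t, `class capability chown;` and `class tcp_socket name_connect;`, followed by the same two allow lines that audit2allow printed in the comments above. Because the rules are grouped per (source, target, class), a long permissive-mode capture collapses into a short, readable module, which is what makes it practical to review each line against the plugin that needs it instead of loading the output blindly.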
Lukas, what are your plans for fixing this? This bug was reported over 20 months ago.
Lukas, what are your plans for fixing this? This bug was reported 695 days ago. Will it be ignored indefinitely? Should it be assigned to someone else? Is there anything I can do to help progress?
Hi, I allowed collectd_t domain to connect to lmtp port. Will be fixed in the next selinux-policy update.
selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.