Created attachment 1128338
local .te file that allows dmcache reporting to work

Description of problem:
I am using SSDs with lvmcache so need to use pcp's pmda to gather and report on cache effectiveness. Out of the box the dmcache report (pcp -h localhost dmcache) just returns 'no values available'. Checking the audit.log shows that selinux is blocking the pcp collector's access to the dmsetup tool - hence the 'no values...' message.

Version-Release number of selected component (if applicable):
see 'environment' section for list of relevant rpm versions

How reproducible:
I have 3 systems - all 3 were blocked in the same manner

Steps to Reproduce:
1. Configure lvmcache on a rhel7.2 environment
2. Install pcp, with the dm pmda (shown above)
3. Attempt to use the pcp -h localhost dmcache command

Actual results:
collector is unable to gather and report any metrics

    @ Thu Feb 18 16:10:39 2016 (host gprfc085.sbu.lab.eng.bos.redhat.com)
    ---device---             ---%used---  ---------reads---------  --------writes---------
                             meta  cache   hit    miss   ratio      hit    miss   ratio
    No values available
    No values available

Expected results:
collector should be able to interface with dmsetup to get the cache utilisation information

After installing a local policy, this is what you should see

    @ Thu Feb 18 16:12:17 2016 (host gprfc085.sbu.lab.eng.bos.redhat.com)
    ---device---             ---%used---  ---------reads---------  --------writes---------
                             meta  cache   hit    miss   ratio      hit    miss   ratio
    rhgs_vg1-thinpool_tdata  0.7%  9.4%    ?      ?      ?%         ?      ?      ?%
    rhgs_vg1-thinpool_tdata  0.7%  9.4%    0.00   0.00   0%         0.00   0.00   0%
    rhgs_vg1-thinpool_tdata  0.7%  9.4%    0.00   0.00   0%         0.00   0.00   0%
    rhgs_vg1-thinpool_tdata  0.7%  9.4%    0.00   0.00   0%         1.96   0.00   50.0%

Additional info:
I have attached the .te that I'm using as the local policy across my systems to allow cache reporting to work.
Please attach the AVCs too. SELinux policy developers would like to see which AVCs appear in enforcing mode and permissive mode.
Created attachment 1128668
audit log containing the denial messages against dmsetup

See attached file - dmsetup-audit.log.tar.gz
Here are unique AVCs extracted from the attachment:
----
type=SYSCALL msg=audit(02/18/2016 21:25:07.787:2795226) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x2458a70 a1=0x7fff51406220 a2=0x7fff51406220 a3=0xd items=0 ppid=12756 pid=24944 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 21:25:07.787:2795226) : avc: denied { getattr } for pid=24944 comm=sh path=/usr/sbin/dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/18/2016 21:38:04.042:2796940) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x1d4da70 a1=X_OK a2=0x7ffc75598230 a3=0xd items=0 ppid=32486 pid=32620 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 21:38:04.042:2796940) : avc: denied { execute } for pid=32620 comm=sh name=dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/18/2016 21:38:04.042:2796941) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x1d4da70 a1=R_OK a2=0x7ffc75598230 a3=0xd items=0 ppid=32486 pid=32620 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 21:38:04.042:2796941) : avc: denied { read } for pid=32620 comm=sh name=dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/18/2016 21:46:14.409:2798788) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x1defa70 a1=0x1deed00 a2=0x1dee0c0 a3=0x7ffef046b870 items=0 ppid=4564 pid=4718 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 21:46:14.409:2798788) : avc: denied { open } for pid=4718 comm=sh path=/usr/sbin/dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/18/2016 21:49:37.630:2799350) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0xb20a70 a1=0xb1fd00 a2=0xb1f0c0 a3=0x7ffd2944c3f0 items=0 ppid=6050 pid=6568 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 21:49:37.630:2799350) : avc: denied { execute_no_trans } for pid=6568 comm=sh path=/usr/sbin/dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/18/2016 21:57:19.534:2800521) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fff638839a0 a1=O_RDWR a2=0x0 a3=0x7fff63883660 items=0 ppid=9261 pid=14901 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 21:57:19.534:2800521) : avc: denied { read write } for pid=14901 comm=dmsetup name=control dev="devtmpfs" ino=14345 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(02/18/2016 22:01:28.630:2801220) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffcba8ebd40 a1=O_RDWR a2=0x0 a3=0x7ffcba8eba00 items=0 ppid=16523 pid=17866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 22:01:28.630:2801220) : avc: denied { open } for pid=17866 comm=dmsetup path=/dev/mapper/control dev="devtmpfs" ino=14345 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(02/18/2016 22:07:15.361:2802177) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=0xc138fd00 a2=0x7f86579b81e0 a3=0x7ffcf4bcf470 items=0 ppid=19270 pid=21155 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 22:07:15.361:2802177) : avc: denied { ioctl } for pid=21155 comm=dmsetup path=/dev/mapper/control dev="devtmpfs" ino=14345 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(02/18/2016 22:11:01.387:2802731) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=0xc138fd00 a2=0x7f565c70f1e0 a3=0x7ffc79222510 items=0 ppid=22666 pid=23220 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(02/18/2016 22:11:01.387:2802731) : avc: denied { sys_admin } for pid=23220 comm=dmsetup capability=sys_admin scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
----
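
Added example, not part of the original report and not the attached .te file: a small Python pass over AVC lines like the ones above that groups denials by source type, target type and class, prints the allow rules they imply, and separates out capability requests (here sys_admin) for review before a local policy is loaded. The function names and the abridged sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Abridged copies of AVC lines from this report (dev=/ino= fields dropped).
SAMPLE = """\
avc: denied { execute } for pid=32620 comm=sh name=dmsetup scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
avc: denied { execute_no_trans } for pid=6568 comm=sh path=/usr/sbin/dmsetup scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
avc: denied { read write } for pid=14901 comm=dmsetup name=control scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
avc: denied { ioctl } for pid=21155 comm=dmsetup path=/dev/mapper/control scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
avc: denied { sys_admin } for pid=23220 comm=dmsetup capability=sys_admin scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
"""

# '.' does not cross newlines, so each match stays within one audit line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["c"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def to_allow_rules(denials):
    """Render one allow rule per (source, target, class) group."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

def capability_requests(denials):
    """Capabilities the domain asked for; these widen it beyond file access."""
    return sorted(p for (_, _, cls), perms in denials.items()
                  if cls.startswith("capability") for p in perms)

if __name__ == "__main__":
    found = collect_denials(SAMPLE)
    print("\n".join(to_allow_rules(found)))
    print("review before allowing:", capability_requests(found))
```
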
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html