Bug 1309883 - selinux preventing pcp dmcache metrics collection (access to dmsetup denial)
Summary: selinux preventing pcp dmcache metrics collection (access to dmsetup denial)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: low
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Jan Zarsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-18 21:44 UTC by Paul Cuzner
Modified: 2023-09-14 03:18 UTC (History)

Fixed In Version: selinux-policy-3.13.1-101.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
RHEL 7.2 selinux-policy-3.13.1-60.el7_2.3.noarch device-mapper-1.02.107-5.el7_2.1.x86_64 pcp-3.10.6-2.el7.x86_64 pcp-pmda-dm-3.10.6-2.el7.x86_64
Last Closed: 2016-11-04 02:43:26 UTC
Target Upstream Version:
Embargoed:


Attachments
local .te file that allows dmcache reporting to work (600 bytes, text/plain), 2016-02-18 21:44 UTC, Paul Cuzner
audit log containing the denial messages against dmsetup (285.00 KB, application/x-gzip), 2016-02-19 20:46 UTC, Paul Cuzner


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 13:36:25 UTC

Description Paul Cuzner 2016-02-18 21:44:04 UTC
Created attachment 1128338 [details]
local .te file that allows dmcache reporting to work

Description of problem:
I am using SSDs with lvmcache so need to use pcp's pmda to gather and report on cache effectiveness. Out of the box the dmcache report (pcp -h localhost dmcache) just returns 'no values available'. Checking the audit.log shows that selinux is blocking the pcp collector's access to the dmsetup tool - hence the 'no values...' message.

Version-Release number of selected component (if applicable):
see 'environment' section for list of relevant rpm versions

How reproducible:
I have 3 systems - all 3 were blocked in the same manner

Steps to Reproduce:
1. Configure lvmcache on a rhel7.2 environment
2. install pcp, with the dm pmda (shown above)
3. attempt to use the pcp -h localhost dmcache command

Actual results:
collector is unable to gather and report any metrics

@ Thu Feb 18 16:10:39 2016 (host gprfc085.sbu.lab.eng.bos.redhat.com)
---device--- ---%used--- ---------reads--------- --------writes---------
             meta  cache     hit    miss   ratio     hit    miss   ratio
No values available
No values available


Expected results:
collector should be able to interface with dmsetup to get the cache utilisation information

After installing a local policy, this is what you should see
@ Thu Feb 18 16:12:17 2016 (host gprfc085.sbu.lab.eng.bos.redhat.com)
---device--- ---%used--- ---------reads--------- --------writes---------
             meta  cache     hit    miss   ratio     hit    miss   ratio
rhgs_vg1-thinpool_tdata  0.7%  9.4%       ?       ?      ?%       ?       ?      ?%
rhgs_vg1-thinpool_tdata  0.7%  9.4%    0.00    0.00      0%    0.00    0.00      0%
rhgs_vg1-thinpool_tdata  0.7%  9.4%    0.00    0.00      0%    0.00    0.00      0%
rhgs_vg1-thinpool_tdata  0.7%  9.4%    0.00    0.00      0%    1.96    0.00   50.0%


Additional info:
I have attached the .te that I'm using as the local policy across my systems to allow cache reporting to work.

Comment 2 Milos Malik 2016-02-19 08:32:03 UTC
Please attach the AVCs too. SELinux policy developers would like to see which AVCs appear in enforcing mode and permissive mode.

Comment 3 Paul Cuzner 2016-02-19 20:46:09 UTC
Created attachment 1128668 [details]
audit log containing the denial messages against dmsetup

see attached file - dmsetup-audit.log.tar.gz

Comment 4 Milos Malik 2016-02-25 08:07:32 UTC
Here are unique AVCs extracted from the attachment:
----
type=SYSCALL msg=audit(02/18/2016 21:25:07.787:2795226) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x2458a70 a1=0x7fff51406220 a2=0x7fff51406220 a3=0xd items=0 ppid=12756 pid=24944 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 21:25:07.787:2795226) : avc:  denied  { getattr } for  pid=24944 comm=sh path=/usr/sbin/dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(02/18/2016 21:38:04.042:2796940) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x1d4da70 a1=X_OK a2=0x7ffc75598230 a3=0xd items=0 ppid=32486 pid=32620 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 21:38:04.042:2796940) : avc:  denied  { execute } for  pid=32620 comm=sh name=dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(02/18/2016 21:38:04.042:2796941) : arch=x86_64 syscall=access success=no exit=-13(Permission denied) a0=0x1d4da70 a1=R_OK a2=0x7ffc75598230 a3=0xd items=0 ppid=32486 pid=32620 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 21:38:04.042:2796941) : avc:  denied  { read } for  pid=32620 comm=sh name=dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(02/18/2016 21:46:14.409:2798788) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x1defa70 a1=0x1deed00 a2=0x1dee0c0 a3=0x7ffef046b870 items=0 ppid=4564 pid=4718 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 21:46:14.409:2798788) : avc:  denied  { open } for  pid=4718 comm=sh path=/usr/sbin/dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(02/18/2016 21:49:37.630:2799350) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0xb20a70 a1=0xb1fd00 a2=0xb1f0c0 a3=0x7ffd2944c3f0 items=0 ppid=6050 pid=6568 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 21:49:37.630:2799350) : avc:  denied  { execute_no_trans } for  pid=6568 comm=sh path=/usr/sbin/dmsetup dev="dm-0" ino=805377392 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(02/18/2016 21:57:19.534:2800521) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fff638839a0 a1=O_RDWR a2=0x0 a3=0x7fff63883660 items=0 ppid=9261 pid=14901 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 21:57:19.534:2800521) : avc:  denied  { read write } for  pid=14901 comm=dmsetup name=control dev="devtmpfs" ino=14345 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2016 22:01:28.630:2801220) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7ffcba8ebd40 a1=O_RDWR a2=0x0 a3=0x7ffcba8eba00 items=0 ppid=16523 pid=17866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 22:01:28.630:2801220) : avc:  denied  { open } for  pid=17866 comm=dmsetup path=/dev/mapper/control dev="devtmpfs" ino=14345 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2016 22:07:15.361:2802177) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=0xc138fd00 a2=0x7f86579b81e0 a3=0x7ffcf4bcf470 items=0 ppid=19270 pid=21155 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 22:07:15.361:2802177) : avc:  denied  { ioctl } for  pid=21155 comm=dmsetup path=/dev/mapper/control dev="devtmpfs" ino=14345 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file 
----
type=SYSCALL msg=audit(02/18/2016 22:11:01.387:2802731) : arch=x86_64 syscall=ioctl success=no exit=-13(Permission denied) a0=0x5 a1=0xc138fd00 a2=0x7f565c70f1e0 a3=0x7ffc79222510 items=0 ppid=22666 pid=23220 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dmsetup exe=/usr/sbin/dmsetup subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) 
type=AVC msg=audit(02/18/2016 22:11:01.387:2802731) : avc:  denied  { sys_admin } for  pid=23220 comm=dmsetup capability=sys_admin  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability 
----
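An added example, not the attached .te file or any policy shipped by Red Hat: it folds the AVC records above into the per-type allow rules a local policy module would need, the same reduction audit2allow performs, so you can see exactly what the pcp_pmcd_t domain was asking for. The sample records are constructed from comment 4 with timestamps and pids dropped; raw allow rules like these are a local stopgap, and the selinux-policy update listed under "Fixed In Version" is the proper fix.

```python
import re

# Constructed sample: the nine unique AVC records Milos extracted in comment 4,
# trimmed to the fields this parser needs (timestamps and pids left out).
SAMPLE_AVCS = """\
avc:  denied  { getattr } for  comm=sh path=/usr/sbin/dmsetup scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
avc:  denied  { execute } for  comm=sh name=dmsetup scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
avc:  denied  { read } for  comm=sh name=dmsetup scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
avc:  denied  { open } for  comm=sh path=/usr/sbin/dmsetup scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
avc:  denied  { execute_no_trans } for  comm=sh path=/usr/sbin/dmsetup scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_exec_t:s0 tclass=file
avc:  denied  { read write } for  comm=dmsetup name=control scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
avc:  denied  { open } for  comm=dmsetup path=/dev/mapper/control scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
avc:  denied  { ioctl } for  comm=dmsetup path=/dev/mapper/control scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
avc:  denied  { sys_admin } for  comm=dmsetup capability=sys_admin  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """user:role:type[:range] -> type; index 2 holds the type even with an MLS range."""
    return context.split(":")[2]

def summarize_denials(audit_text):
    """Fold raw AVC records into {(source_type, target_type, tclass): sorted perms}."""
    summary = {}  # insertion-ordered, so rules follow the order denials appeared
    for m in AVC_RE.finditer(audit_text):
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        summary.setdefault(key, set()).update(m["perms"].split())
    return {key: sorted(perms) for key, perms in summary.items()}

def to_te_rules(summary):
    """Render allow rules in .te syntax; 'self' when source and target types match."""
    rules = []
    for (src, tgt, cls), perms in summary.items():
        target = "self" if src == tgt else tgt
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    # Review the output before loading it: raw allow rules are a stopgap until the
    # distribution policy (here selinux-policy-3.13.1-101.el7) carries the fix.
    for rule in to_te_rules(summarize_denials(SAMPLE_AVCS)):
        print(rule)
```

The three resulting rules make the scope of the requested access visible at a glance: executing the lvm_exec_t binary, opening and ioctl'ing /dev/mapper/control, and the sys_admin capability that the device-mapper ioctls require.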

Comment 17 errata-xmlrpc 2016-11-04 02:43:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Comment 18 Red Hat Bugzilla 2023-09-14 03:18:09 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

