1336211 – SELinux policy prevents reading PCP process metrics

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1336211 - SELinux policy prevents reading PCP process metrics

Summary: SELinux policy prevents reading PCP process metrics

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Jan Zarsky
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-15 17:40 UTC by Marko Myllynen
Modified:	2020-09-10 09:37 UTC (History)
CC List:	14 users (show)
Fixed In Version:	selinux-policy-3.13.1-140
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 15:10:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
audit.log (20.95 KB, text/plain) 2016-05-16 08:56 UTC, Marko Myllynen	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Marko Myllynen 2016-05-15 17:40:51 UTC

Description of problem:
(Most likely a SELinux policy issue but filing against PCP first to allow PCP devs to comment.)

# restorecon -R / > /dev/null 2>&1
# setenforce 1
# systemctl restart pmcd
<started thunderbird as regular user>
# pidof thunderbird
12827
# pmval -i "'012827 /usr/lib64/thunderbird/thunderbird'" -r -s 1 proc.io.read_bytes | tail -n 2
012827 /usr/lib64/thu
                    0
# setenforce 0
# pmval -i "'012827 /usr/lib64/thunderbird/thunderbird'" -r -s 1 proc.io.read_bytes | tail -n 2
012827 /usr/lib64/thu
               290816

Version-Release number of selected component (if applicable):
pcp-3.10.6-2.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch

Comment 2 Marko Myllynen 2016-05-16 08:56:34 UTC

Created attachment 1157821 [details]
audit.log

Investigating this further, it's not necessarily only about SELinux policy tuning - for example, why PCP wants to access several files under users' home directories?

The attached audit.log generated by having pmcd running (no pmlogger in play) and doing pminfo -f as root.

Comment 3 Nathan Scott 2016-05-16 09:08:49 UTC

Hi Marko,

> why PCP wants to access several files under home directories

pmdaproc issues setresuid(2), setresgid(2) to change accounts to (temporarily) become the user running the client tool, for the duration of the /proc sampling (so, accessing these files may be implicit - certainly nothing in PCP that is doing that explicitly).

From a quick look at the code, it reports zero values when no values can be successfully extracted for the proc.io.* metrics.

cheers.

Comment 4 Frank Ch. Eigler 2016-05-16 20:59:01 UTC

(In reply to Marko Myllynen from comment #2)
> why PCP wants to access several files under users' home directories?

This is due to src/pmdas/linux_proc/getinfo.c:

     22 char *
     23 get_ttyname_info(int pid, dev_t dev, char *ttyname)
     24 {
[...]
     37             sprintf(procpath, "/proc/%d/fd/%s", pid, dp->d_name);
     38             if (realpath(procpath, ttypath) == NULL || stat(ttypath, &sbuf) < 0)
     39                 continue;

and realpath() involves considerable readlink and filesystem traversal, repeated over multiple file descriptors, per process.

i.e., it's for satisfying the "proc.psinfo.ttyname" metric.

Comment 5 Marko Myllynen 2016-05-17 11:07:13 UTC

(In reply to Frank Ch. Eigler from comment #4)
> (In reply to Marko Myllynen from comment #2)
> > why PCP wants to access several files under users' home directories?
> 
> This is due to src/pmdas/linux_proc/getinfo.c:
> 
>      22 char *
>      23 get_ttyname_info(int pid, dev_t dev, char *ttyname)
>      24 {
> [...]
>      37             sprintf(procpath, "/proc/%d/fd/%s", pid, dp->d_name);
>      38             if (realpath(procpath, ttypath) == NULL || stat(ttypath,
> &sbuf) < 0)
>      39                 continue;
> 
> and realpath() involves considerable readlink and filesystem traversal,
> repeated over multiple file descriptors, per process.

Good catch - fetching everything under proc except for proc.psinfo.ttyname does not generate anymore AVCs expect for the occasional:

type=AVC msg=audit(1463387051.279:513): avc:  denied  { sys_ptrace } for  pid=1708 comm="pmdaproc" capability=19  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
type=SYSCALL msg=audit(1463387051.279:513): arch=c000003e syscall=89 success=yes exit=9 a0=7ffd3a5f4c20 a1=7ffd3a5f2a70 a2=fff a3=1 items=0 ppid=1702 pid=1708 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pmdaproc" exe="/var/lib/pcp/pmdas/proc/pmdaproc" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

It would seem that the most reliable way here to reproduce is to restart pmcd and then do pminfo -f proc.io or pminfo -f proc.memory. (Didn't get any hints when ran stap -e 'probe syscall.ptrace { print_ubacktrace() }' when testing.)

Thanks.

Comment 6 Marko Myllynen 2016-06-01 07:31:21 UTC

And these pop up when the month changes:

type=AVC msg=audit(1464729011.915:575): avc:  denied  { read } for  pid=1784 comm="pmcd" name="pmlogger_daily.pid" dev="tmpfs" ino=78123 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file

type=AVC msg=audit(1464729011.914:574): avc:  denied  { create } for  pid=11763 comm="pmlogger" name="pmlogger.primary.socket" scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file

type=AVC msg=audit(1464729011.888:573): avc:  denied  { execute } for  pid=11765 comm="sh" name="pmcpp" dev="dm-1" ino=538657541 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

type=AVC msg=audit(1464729011.888:572): avc:  denied  { getattr } for  pid=11765 comm="sh" path="/proc/meminfo" dev="proc" ino=4026532039 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1464729011.888:572): arch=x86_64 syscall=fstat success=yes exit=0 a0=3 a1=7ffd13df5490 a2=7ffd13df5490 a3=0 items=0 ppid=11763 pid=11765 auid=991 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 tty=(none) ses=24 comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1464729011.888:571): avc:  denied  { read } for  pid=11765 comm="sh" name="meminfo" dev="proc" ino=4026532039 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1464729011.888:571): avc:  denied  { open } for  pid=11765 comm="sh" path="/proc/meminfo" dev="proc" ino=4026532039 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1464729011.888:571): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fbbdd47d3c9 a1=80000 a2=1b6 a3=24 items=0 ppid=11763 pid=11765 auid=991 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 tty=(none) ses=24 comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1464729011.887:570): avc:  denied  { execute } for  pid=11765 comm="pmlogger" name="bash" dev="dm-1" ino=271724700 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1464729011.887:570): avc:  denied  { execute_no_trans } for  pid=11765 comm="pmlogger" path="/usr/bin/bash" dev="dm-1" ino=271724700 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1464729011.887:570): arch=x86_64 syscall=execve success=yes exit=0 a0=7ff8f84e3de9 a1=7fffcc484300 a2=7fffcc489790 a3=7ff8f8dbaa10 items=0 ppid=11763 pid=11765 auid=991 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 tty=(none) ses=24 comm=sh exe=/usr/bin/bash subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1464729011.886:569): avc:  denied  { ioctl } for  pid=11763 comm="pmlogger" path="socket:[79160]" dev="sockfs" ino=79160 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1464729011.886:569): arch=x86_64 syscall=ioctl success=yes exit=0 a0=7 a1=8933 a2=7fffcc483cc0 a3=3 items=0 ppid=11617 pid=11763 auid=991 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 tty=(none) ses=24 comm=pmlogger exe=/usr/bin/pmlogger subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1464729011.886:568): avc:  denied  { create } for  pid=11763 comm="pmlogger" scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1464729011.886:568): arch=x86_64 syscall=socket success=yes exit=E2BIG a0=1 a1=80002 a2=0 a3=3 items=0 ppid=11617 pid=11763 auid=991 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 tty=(none) ses=24 comm=pmlogger exe=/usr/bin/pmlogger subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1464729011.886:567): avc:  denied  { read } for  pid=11763 comm="pmlogger" name="unix" dev="proc" ino=4026532014 scontext=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1464729011.886:567): arch=x86_64 syscall=access success=yes exit=0 a0=7fffcc483c60 a1=4 a2=7fffcc483c6e a3=3 items=0 ppid=11617 pid=11763 auid=991 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 tty=(none) ses=24 comm=pmlogger exe=/usr/bin/pmlogger subj=system_u:system_r:pcp_pmlogger_t:s0-s0:c0.c1023 key=(null)

Thanks.

Comment 7 Nathan Scott 2016-06-23 07:34:01 UTC

(In reply to Marko Myllynen from comment #5)
> [...] 
>  - fetching everything under proc except for proc.psinfo.ttyname
> does not generate anymore AVCs expect for the occasional:

I've rewritten the PCP code behind the proc.psinfo.ttyname metric now, and confirmed it no longer generates AVCs, so that's one down at least.

cheers.

Comment 12 Jan Zarsky 2016-09-07 09:52:22 UTC

pmval does not produce AVCs when run on thunderbird (as described in reproducer) but when run on all processes there are still AVCs.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-97.el7.noarch
pcp-3.11.3-4.el7.x86_64

Actual results:
# pmval -r -s 1 proc.io.read_bytes
...
# ausearch -m avc
----
time->Wed Sep  7 05:47:29 2016
type=SYSCALL msg=audit(1473241649.586:975): arch=c000003e syscall=0 success=no exit=-13 a0=6 a1=7fffe3da6320 a2=400 a3=2 items=0 ppid=2675 pid=2676 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pmdaproc" exe="/var/lib/pcp/pmdas/proc/pmdaproc" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1473241649.586:975): avc:  denied  { sys_ptrace } for  pid=2676 comm="pmdaproc" capability=19  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability
...
(repeats many times)
# ausearch -m avc | audit2allow
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:capability sys_ptrace;

Comment 19 Lukas Vrabec 2016-10-05 08:39:49 UTC

Beat, 
If you want to have it fixed in RHEL-7.3.z, please attach business justification and set rhel-7.3.z flag to '?'. 

From my POV, I'm fine with fix.

Comment 27 Milos Malik 2017-04-05 12:38:24 UTC

(In reply to Marko Myllynen from comment #6)
> And these pop up when the month changes:
> 
> type=AVC msg=audit(1464729011.915:575): avc:  denied  { read } for  pid=1784
> comm="pmcd" name="pmlogger_daily.pid" dev="tmpfs" ino=78123
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file

If the pcp-pmlogger cronjob script is executed by crond then it runs under following SELinux context:

Apr 05 08:16:01 qeos-133.lab.eng.rdu2.redhat.com pcp[17458]: system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

1) If /var/run/pcp directory exists and has correct UNIX permissions and correct SELinux label (pcp_var_run_t), then pcp-pmlogger cronjob creates its PID file in /var/run/pcp directory and the file inherits its SELinux label from the directory, which is expected.

Apr 05 08:16:01 qeos-133.lab.eng.rdu2.redhat.com pcp[17497]: -rw-r--r--. pcp pcp system_u:object_r:pcp_var_run_t:s0 /var/run/pcp/pmlogger_daily.pid

2) If /var/run/pcp directory does not exist, then pcp-pmlogger cronjob script is not enable to create the directory because the script runs under pcp user and:

# ls -ld /var/run/
drwxr-xr-x. 29 root root 920 Apr  5 08:28 /var/run/
#

3) If /var/run/pcp directory exists, has correct UNIX permissions, but incorrect SELinux label (var_run_t) then pcp-pmlogger cronjob creates its PID file with incorrect SELinux label:

# matchpathcon /var/run/
/var/run	system_u:object_r:var_run_t:s0
# sesearch -s system_cronjob_t -t var_run_t -T
Found 1 semantic te rules:
   type_transition system_cronjob_t var_run_t : file cron_var_run_t; 

#

and the above-mentioned AVC appears as a consequence.

Comment 29 Jan Zarsky 2017-04-10 10:15:44 UTC

(In reply to Milos Malik from comment #27)

This should be fixed by https://bugzilla.redhat.com/show_bug.cgi?id=1381301

Comment 31 errata-xmlrpc 2017-08-01 15:10:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.