Description of problem:
Network Utilization charts show just zeros while SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):

USM Server (RHEL 7.2):
ceph-ansible-1.0.5-32.el7scon.noarch
ceph-installer-1.0.15-1.el7scon.noarch
graphite-web-0.9.12-8.1.el7.noarch
graphite2-1.3.6-1.el7_2.x86_64
libcollection-0.6.2-25.el7.x86_64
rhscon-ceph-0.0.40-1.el7scon.x86_64
rhscon-core-0.0.41-1.el7scon.x86_64
rhscon-core-selinux-0.0.41-1.el7scon.noarch
rhscon-ui-0.0.53-1.el7scon.noarch

Ceph OSD/MON node (RHEL 7.2):
calamari-server-1.4.8-1.el7cp.x86_64
ceph-base-10.2.2-38.el7cp.x86_64
ceph-common-10.2.2-38.el7cp.x86_64
ceph-mon-10.2.2-38.el7cp.x86_64
ceph-osd-10.2.2-38.el7cp.x86_64
ceph-selinux-10.2.2-38.el7cp.x86_64
collectd-ping-5.5.1-1.1.el7.x86_64
collectd-5.5.1-1.1.el7.x86_64
graphite2-1.3.6-1.el7_2.x86_64
libcephfs1-10.2.2-38.el7cp.x86_64
libcollection-0.6.2-25.el7.x86_64
libstoraged-2.2.0-3.el7.x86_64
python-cephfs-10.2.2-38.el7cp.x86_64
rhscon-agent-0.0.18-1.el7scon.noarch
rhscon-core-selinux-0.0.41-1.el7scon.noarch
storaged-lvm2-2.2.0-3.el7.x86_64
storaged-2.2.0-3.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Create a cluster on real HW servers.
2. Utilize the network between the nodes for some time (e.g. via `iperf`).
3. Check the Network Utilization charts.
4. Switch SELinux to permissive mode.
5. Utilize the network between the nodes for some time (e.g. via `iperf`).
6. Check the Network Utilization charts.

Actual results:
In step 3 the Network Utilization charts show zeros.
In step 6 the Network Utilization charts show real data.

Expected results:
Network Utilization charts show real data.

Additional info:
It is not possible to reproduce/test it on VMs, as the Network Utilization charts work only on real HW servers.
It is probably related to the following AVC log:

----
time->Tue Aug 30 04:29:50 2016
type=SYSCALL msg=audit(1472545790.563:39511): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffc6a7f3e90 a2=1c a3=7ffc6a7f36e0 items=0 ppid=140626 pid=140627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="socat" exe="/usr/bin/socat" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1472545790.563:39511): avc: denied { connectto } for pid=140627 comm="socat" path="/run/collectd-unixsock" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=unix_stream_socket
----
Looks like the file '/run/collectd-unixsock' is mislabeled. Can you try "restorecon -R -v /run/collectd-unixsock", which fixes this issue?
This command doesn't change anything:

~~~~~~~~~~~~~~~~~~~~~~~
# ll -Z /run/collectd-unixsock
srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
# restorecon -R -v /run/collectd-unixsock
# ll -Z /run/collectd-unixsock
srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
~~~~~~~~~~~~~~~~~~~~~~~
# rpm -qa selinux-policy\*
selinux-policy-mls-3.13.1-96.el7.noarch
selinux-policy-sandbox-3.13.1-96.el7.noarch
selinux-policy-3.13.1-96.el7.noarch
selinux-policy-targeted-3.13.1-96.el7.noarch
selinux-policy-devel-3.13.1-96.el7.noarch
selinux-policy-doc-3.13.1-96.el7.noarch
selinux-policy-minimum-3.13.1-96.el7.noarch

# sesearch -s collectd_t -t collectd_t -c unix_stream_socket -A -C -p connectto
Found 1 semantic av rules:
DT allow daemon daemon : unix_stream_socket connectto ; [ daemons_enable_cluster_mode ]
#

I don't recommend enabling the daemons_enable_cluster_mode boolean, because it has too broad an effect. It would be better to add an allow rule just for collectd_t.
Could you re-test the scenario after applying this workaround?

# cat bz1371496.te
policy_module(bz1371496, 1.0)

require {
	type collectd_t;
	class unix_stream_socket { connectto };
}

allow collectd_t collectd_t : unix_stream_socket { connectto };

# make -f /usr/share/selinux/devel/Makefile
Compiling targeted bz1371496 module
/usr/bin/checkmodule: loading policy configuration from tmp/bz1371496.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/bz1371496.mod
Creating targeted bz1371496.pp policy package
rm tmp/bz1371496.mod tmp/bz1371496.mod.fc
# semodule -i bz1371496.pp
#
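The allow rule in the bz1371496.te workaround above is derived mechanically from the AVC record in comment 2: source type, target type, object class and the denied permission. The following Python is an added example (not code from the bug, from collectd or from selinux-policy; in practice audit2allow does this job) that parses an AVC line of that shape into a minimal policy module of the same form, so the derivation can be checked. The sample AVC_LINE is constructed from the record quoted in this bug, and the names parse_avc and te_module are the example's own.

```python
import re

# Constructed sample: the AVC record from comment 2, as one audit.log line.
AVC_LINE = (
    'type=AVC msg=audit(1472545790.563:39511): avc:  denied  { connectto } for  '
    'pid=140627 comm="socat" path="/run/collectd-unixsock" '
    'scontext=system_u:system_r:collectd_t:s0 '
    'tcontext=system_u:system_r:collectd_t:s0 tclass=unix_stream_socket'
)

# Permissions in braces, then the three fields a policy rule needs.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type:level -> type (e.g. system_u:system_r:collectd_t:s0 -> collectd_t)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC records (e.g. type=SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def te_module(name, version, denials):
    """Render a .te module in the shape of bz1371496.te: one require block, one allow per denial."""
    types = sorted({t for d in denials for t in (d['stype'], d['ttype'])})
    classes = {}
    for d in denials:
        classes.setdefault(d['tclass'], set()).update(d['perms'])
    lines = [f'policy_module({name}, {version})', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    for d in denials:
        perms = ' '.join(sorted(d['perms']))
        lines.append(f'allow {d["stype"]} {d["ttype"]} : {d["tclass"]} {{ {perms} }};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(te_module('bz1371496', '1.0', [parse_avc(AVC_LINE)]), end='')
```

Note that the generated rule is scoped to collectd_t only, unlike the daemons_enable_cluster_mode boolean discussed in comment 5, which would open the same permission for every daemon domain.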
If you remove the policy module then it should be broken again:

# semodule -r bz1371496

But the workaround won't be needed once the fix gets into selinux-policy.

BTW the /usr/share/selinux/devel/Makefile comes from the selinux-policy-devel RPM.
I agree with Milos on his fix here. Could somebody report this BZ on the selinux-policy component? Thanks.
I've checked the workaround/fix from comment 7, and it works as expected.
Created Bug 1377259 for RHEL selinux-policy.
Sent patches for review:
https://review.gerrithub.io/#/c/295008/
https://review.gerrithub.io/#/c/295091/
Tested and verified on:
Red Hat Enterprise Linux Server release 7.3 (Maipo)

USM Server:
ceph-ansible-1.0.5-34.el7scon.noarch
ceph-installer-1.0.15-2.el7scon.noarch
graphite-web-0.9.12-8.1.el7.noarch
graphite2-1.3.6-1.el7_2.x86_64
libcollection-0.6.2-27.el7.x86_64
rhscon-ceph-0.0.43-1.el7scon.x86_64
rhscon-core-0.0.45-1.el7scon.x86_64
rhscon-core-selinux-0.0.45-1.el7scon.noarch
rhscon-ui-0.0.59-1.el7scon.noarch
salt-selinux-0.0.43-1.el7scon.noarch
selinux-policy-3.13.1-102.el7.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch

Ceph OSD/MON node:
calamari-server-1.4.8-1.el7cp.x86_64
ceph-base-10.2.2-41.el7cp.x86_64
ceph-common-10.2.2-41.el7cp.x86_64
ceph-mon-10.2.2-41.el7cp.x86_64
ceph-osd-10.2.2-41.el7cp.x86_64
ceph-selinux-10.2.2-41.el7cp.x86_64
collectd-ping-5.5.1-1.1.el7.x86_64
collectd-5.5.1-1.1.el7.x86_64
graphite2-1.3.6-1.el7_2.x86_64
libcollection-0.6.2-27.el7.x86_64
python-cephfs-10.2.2-41.el7cp.x86_64
rhscon-agent-0.0.19-1.el7scon.noarch
rhscon-core-selinux-0.0.45-1.el7scon.noarch
salt-selinux-0.0.45-1.el7scon.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
selinux-policy-3.13.1-102.el7.noarch

SELinux in enforcing mode. Network Utilization charts show real data.

>> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:2082