Bug 1371496 - Network utilization doesn't work with SELinux in enforcing mode
Summary: Network utilization doesn't work with SELinux in enforcing mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Storage Console
Classification: Red Hat
Component: core
Version: 2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
: 2
Assignee: Nishanth Thomas
QA Contact: Daniel Horák
URL:
Whiteboard:
Depends On: 1377259
Blocks: Console-2-Async
Reported: 2016-08-30 10:38 UTC by Daniel Horák
Modified: 2016-10-19 15:21 UTC (History)
Fixed In Version: rhscon-core-0.0.42.1.el7scon
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1377259 (view as bug list)
Environment:
Last Closed: 2016-10-19 15:21:56 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2082 0 normal SHIPPED_LIVE Moderate: Red Hat Storage Console 2 security and bug fix update 2017-04-18 19:29:02 UTC

Description Daniel Horák 2016-08-30 10:38:47 UTC
Description of problem:
  Network Utilization charts show just zeros while SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):
USM Server (RHEL 7.2):
  ceph-ansible-1.0.5-32.el7scon.noarch
  ceph-installer-1.0.15-1.el7scon.noarch
  graphite-web-0.9.12-8.1.el7.noarch
  graphite2-1.3.6-1.el7_2.x86_64
  libcollection-0.6.2-25.el7.x86_64
  rhscon-ceph-0.0.40-1.el7scon.x86_64
  rhscon-core-0.0.41-1.el7scon.x86_64
  rhscon-core-selinux-0.0.41-1.el7scon.noarch
  rhscon-ui-0.0.53-1.el7scon.noarch
  
Ceph OSD/MON node (RHEL 7.2):
  calamari-server-1.4.8-1.el7cp.x86_64
  ceph-base-10.2.2-38.el7cp.x86_64
  ceph-common-10.2.2-38.el7cp.x86_64
  ceph-mon-10.2.2-38.el7cp.x86_64
  ceph-osd-10.2.2-38.el7cp.x86_64
  ceph-selinux-10.2.2-38.el7cp.x86_64
  collectd-ping-5.5.1-1.1.el7.x86_64
  collectd-5.5.1-1.1.el7.x86_64
  graphite2-1.3.6-1.el7_2.x86_64
  libcephfs1-10.2.2-38.el7cp.x86_64
  libcollection-0.6.2-25.el7.x86_64
  libstoraged-2.2.0-3.el7.x86_64
  python-cephfs-10.2.2-38.el7cp.x86_64
  rhscon-agent-0.0.18-1.el7scon.noarch
  rhscon-core-selinux-0.0.41-1.el7scon.noarch
  storaged-lvm2-2.2.0-3.el7.x86_64
  storaged-2.2.0-3.el7.x86_64

How reproducible:
  100%

Steps to Reproduce:
1. Create cluster on real HW servers.
2. Utilize network between the nodes for some time (e.g. via `iperf`). 
3. Check Network Utilization charts.
4. Switch SELinux to permissive mode.
5. Utilize network between the nodes for some time (e.g. via `iperf`). 
6. Check Network Utilization charts.

Actual results:
  In step 3, Network Utilization charts show zeros.
  In step 6, Network Utilization charts show real data.

Expected results:
  Network Utilization charts show real data.

Additional info:
  It is not possible to reproduce/test it on VMs, as the Network Utilization charts work only on real HW servers.

Comment 3 Daniel Horák 2016-08-30 10:46:53 UTC
It is probably related to the following AVC log:
----
time->Tue Aug 30 04:29:50 2016
type=SYSCALL msg=audit(1472545790.563:39511): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffc6a7f3e90 a2=1c a3=7ffc6a7f36e0 items=0 ppid=140626 pid=140627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="socat" exe="/usr/bin/socat" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1472545790.563:39511): avc:  denied  { connectto } for  pid=140627 comm="socat" path="/run/collectd-unixsock" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=unix_stream_socket
----

Comment 4 Timothy Asir 2016-09-01 06:04:09 UTC
Looks like the file '/run/collectd-unixsock' is mislabeled.
Can you try "restorecon -R -v /run/collectd-unixsock", which fixes this issue.

Comment 5 Daniel Horák 2016-09-01 06:13:55 UTC
This command doesn't change anything:
  
  ~~~~~~~~~~~~~~~~~~~~~~~
  # ll -Z /run/collectd-unixsock 
  srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
  
  # restorecon -R -v /run/collectd-unixsock
  
  # ll -Z /run/collectd-unixsock 
  srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
  ~~~~~~~~~~~~~~~~~~~~~~~

Comment 6 Milos Malik 2016-09-01 18:22:09 UTC
# rpm -qa selinux-policy\*
selinux-policy-mls-3.13.1-96.el7.noarch
selinux-policy-sandbox-3.13.1-96.el7.noarch
selinux-policy-3.13.1-96.el7.noarch
selinux-policy-targeted-3.13.1-96.el7.noarch
selinux-policy-devel-3.13.1-96.el7.noarch
selinux-policy-doc-3.13.1-96.el7.noarch
selinux-policy-minimum-3.13.1-96.el7.noarch
# sesearch -s collectd_t -t collectd_t -c unix_stream_socket -A -C -p connectto
Found 1 semantic av rules:
DT allow daemon daemon : unix_stream_socket connectto ; [ daemons_enable_cluster_mode ]
#

I don't recommend enabling the daemons_enable_cluster_mode boolean, because it has too broad effect. It would be better to add an allow rule just for collectd_t.

Comment 7 Milos Malik 2016-09-14 06:05:04 UTC
Could you re-test the scenario after applying this workaround?

# cat bz1371496.te
policy_module(bz1371496, 1.0)

require {
  type collectd_t;
  class unix_stream_socket { connectto };
}

allow collectd_t collectd_t : unix_stream_socket { connectto };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1371496 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1371496.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bz1371496.mod
Creating targeted bz1371496.pp policy package
rm tmp/bz1371496.mod tmp/bz1371496.mod.fc
# semodule -i bz1371496.pp 
#
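
The workaround above is exactly the rule that the AVC record in comment 3 asks for. The script below is an added example (not code from this bug report, rhscon or selinux-policy): it parses AVC denial records from an audit log, reduces each one to its (source type, target type, class, permission) tuple and renders the minimal .te module, so a reviewer can see that the narrow allow rule, not the daemons_enable_cluster_mode boolean, is what the denial actually requires. The sample input is constructed from the record quoted in comment 3; the layout of the key=value audit format is an assumption about that format.

```python
"""Derive a minimal SELinux .te module from AVC denial records.

Added example; not part of the bug report. The sample log is constructed
from the AVC record quoted in comment 3 (plus a trimmed SYSCALL record,
which must be ignored). The audit key=value layout is an assumption."""
import re
from collections import defaultdict

# Constructed sample input: one SYSCALL record (not an AVC) and the AVC
# denial from comment 3, both sharing the same audit event id.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1472545790.563:39511): arch=c000003e syscall=42 success=no exit=-13 comm="socat" exe="/usr/bin/socat" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1472545790.563:39511): avc:  denied  { connectto } for  pid=140627 comm="socat" path="/run/collectd-unixsock" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=unix_stream_socket
"""

# Only AVC records carry the denied permission set and both contexts.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perm) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD ... records carry no denial
        stype, ttype = context_type(m.group("scontext")), context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm


def build_te_module(name, text):
    """Render a .te module with one allow rule per (source, target, class)."""
    rules, classes, types = defaultdict(set), defaultdict(set), set()
    for stype, ttype, tclass, perm in parse_denials(text):
        rules[(stype, ttype, tclass)].add(perm)
        classes[tclass].add(perm)
        types.update((stype, ttype))
    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"  type {t};" for t in sorted(types)]
    out += [f"  class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t} : {c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te_module("bz1371496", SAMPLE_AUDIT), end="")
```

For the sample input the rendered module is identical to the bz1371496.te shown in comment 7; audit2allow -M performs the same derivation on a real audit.log, this script only makes the mapping from record to rule visible.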

Comment 8 Milos Malik 2016-09-14 06:07:47 UTC
If you remove the policy module then it should be broken again:

# semodule -r bz1371496

But the workaround won't be needed, once the fix gets into the selinux-policy. BTW the /usr/share/selinux/devel/Makefile comes from selinux-policy-devel RPM.

Comment 9 Lukas Vrabec 2016-09-14 07:47:19 UTC
I agree with Milos on his fix here. Could somebody report this BZ on the selinux-policy component?

Thanks.

Comment 10 Daniel Horák 2016-09-19 09:19:35 UTC
I've checked the workaround/fix from comment 7, and it works as expected.

Comment 11 Daniel Horák 2016-09-19 10:27:50 UTC
Created Bug 1377259 for RHEL selinux-policy.

Comment 12 Timothy Asir 2016-09-20 12:54:12 UTC
Sent patch for review: https://review.gerrithub.io/#/c/295008/
https://review.gerrithub.io/#/c/295091/

Comment 14 Daniel Horák 2016-10-01 07:43:00 UTC
Tested and verified on:
  Red Hat Enterprise Linux Server release 7.3 (Maipo)

USM Server:
  ceph-ansible-1.0.5-34.el7scon.noarch
  ceph-installer-1.0.15-2.el7scon.noarch
  graphite-web-0.9.12-8.1.el7.noarch
  graphite2-1.3.6-1.el7_2.x86_64
  libcollection-0.6.2-27.el7.x86_64
  rhscon-ceph-0.0.43-1.el7scon.x86_64
  rhscon-core-0.0.45-1.el7scon.x86_64
  rhscon-core-selinux-0.0.45-1.el7scon.noarch
  rhscon-ui-0.0.59-1.el7scon.noarch
  salt-selinux-0.0.43-1.el7scon.noarch
  selinux-policy-3.13.1-102.el7.noarch
  selinux-policy-targeted-3.13.1-102.el7.noarch

Ceph OSD/MON node:
  calamari-server-1.4.8-1.el7cp.x86_64
  ceph-base-10.2.2-41.el7cp.x86_64
  ceph-common-10.2.2-41.el7cp.x86_64
  ceph-mon-10.2.2-41.el7cp.x86_64
  ceph-osd-10.2.2-41.el7cp.x86_64
  ceph-selinux-10.2.2-41.el7cp.x86_64
  collectd-ping-5.5.1-1.1.el7.x86_64
  collectd-5.5.1-1.1.el7.x86_64
  graphite2-1.3.6-1.el7_2.x86_64
  libcollection-0.6.2-27.el7.x86_64
  python-cephfs-10.2.2-41.el7cp.x86_64
  rhscon-agent-0.0.19-1.el7scon.noarch
  rhscon-core-selinux-0.0.45-1.el7scon.noarch
  salt-selinux-0.0.45-1.el7scon.noarch
  selinux-policy-targeted-3.13.1-102.el7.noarch
  selinux-policy-3.13.1-102.el7.noarch

SELinux in enforcing mode.
Network Utilization charts show real data.

>> VERIFIED

Comment 15 errata-xmlrpc 2016-10-19 15:21:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:2082