1371496 – Network utilization doesn't work with SELinux in enforcing mode

Bug 1371496 - Network utilization doesn't work with SELinux in enforcing mode

Summary: Network utilization doesn't work with SELinux in enforcing mode

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Storage Console
Classification:	Red Hat Storage
Component:	core
Sub Component:
Version:	2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	2
Assignee:	Nishanth Thomas
QA Contact:	Daniel Horák
Docs Contact:
URL:
Whiteboard:
Depends On:	1377259
Blocks:	Console-2-Async
TreeView+	depends on / blocked

Reported:	2016-08-30 10:38 UTC by Daniel Horák
Modified:	2016-10-19 15:21 UTC (History)
CC List:	8 users (show)
Fixed In Version:	rhscon-core-0.0.42.1.el7scon
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1377259 (view as bug list)
Environment:
Last Closed:	2016-10-19 15:21:56 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2082	0	normal	SHIPPED_LIVE	Moderate: Red Hat Storage Console 2 security and bug fix update	2017-04-18 19:29:02 UTC

Description Daniel Horák 2016-08-30 10:38:47 UTC

Description of problem:
  Network Utilization charts shows just zeros while SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):
USM Server (RHEL 7.2):
  ceph-ansible-1.0.5-32.el7scon.noarch
  ceph-installer-1.0.15-1.el7scon.noarch
  graphite-web-0.9.12-8.1.el7.noarch
  graphite2-1.3.6-1.el7_2.x86_64
  libcollection-0.6.2-25.el7.x86_64
  rhscon-ceph-0.0.40-1.el7scon.x86_64
  rhscon-core-0.0.41-1.el7scon.x86_64
  rhscon-core-selinux-0.0.41-1.el7scon.noarch
  rhscon-ui-0.0.53-1.el7scon.noarch
  
Ceph OSD/MON node (RHEL 7.2):
  calamari-server-1.4.8-1.el7cp.x86_64
  ceph-base-10.2.2-38.el7cp.x86_64
  ceph-common-10.2.2-38.el7cp.x86_64
  ceph-mon-10.2.2-38.el7cp.x86_64
  ceph-osd-10.2.2-38.el7cp.x86_64
  ceph-selinux-10.2.2-38.el7cp.x86_64
  collectd-ping-5.5.1-1.1.el7.x86_64
  collectd-5.5.1-1.1.el7.x86_64
  graphite2-1.3.6-1.el7_2.x86_64
  libcephfs1-10.2.2-38.el7cp.x86_64
  libcollection-0.6.2-25.el7.x86_64
  libstoraged-2.2.0-3.el7.x86_64
  python-cephfs-10.2.2-38.el7cp.x86_64
  rhscon-agent-0.0.18-1.el7scon.noarch
  rhscon-core-selinux-0.0.41-1.el7scon.noarch
  storaged-lvm2-2.2.0-3.el7.x86_64
  storaged-2.2.0-3.el7.x86_64

How reproducible:
  100%s

Steps to Reproduce:
1. Create cluster on real HW servers.
2. Utilize network between the nodes for some time (e.g. via `iperf`). 
3. Check Network Utilization charts.
4. Switch SELinux to permissive mode.
5. Utilize network between the nodes for some time (e.g. via `iperf`). 
6. Check Network Utilization charts.

Actual results:
  In step 3. Network Utilization charts shows zeros.
  In step 6. Network Utilization charts shows real data.

Expected results:
  Network Utilization charts shows real data.

Additional info:
  It is not possible to reproduce/test it on VMs as the Network Utilization charts works only on real HW servers.

Comment 3 Daniel Horák 2016-08-30 10:46:53 UTC

It is probably related to following AVC log:
----
time->Tue Aug 30 04:29:50 2016
type=SYSCALL msg=audit(1472545790.563:39511): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffc6a7f3e90 a2=1c a3=7ffc6a7f36e0 items=0 ppid=140626 pid=140627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="socat" exe="/usr/bin/socat" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1472545790.563:39511): avc:  denied  { connectto } for  pid=140627 comm="socat" path="/run/collectd-unixsock" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=unix_stream_socket
----

Comment 4 Timothy Asir 2016-09-01 06:04:09 UTC

Looks like the file '/run/collectd-unixsock' is mislabeled
Can you try "restorecon -R -v /run/collectd-unixsock" which fixes this issue.

Comment 5 Daniel Horák 2016-09-01 06:13:55 UTC

This command doesn't change anything:
  
  ~~~~~~~~~~~~~~~~~~~~~~~
  # ll -Z /run/collectd-unixsock 
  srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
  
  # restorecon -R -v /run/collectd-unixsock
  
  # ll -Z /run/collectd-unixsock 
  srwxrwx---. root wheel system_u:object_r:collectd_var_run_t:s0 /run/collectd-unixsock
  ~~~~~~~~~~~~~~~~~~~~~~~

Comment 6 Milos Malik 2016-09-01 18:22:09 UTC

# rpm -qa selinux-policy\*
selinux-policy-mls-3.13.1-96.el7.noarch
selinux-policy-sandbox-3.13.1-96.el7.noarch
selinux-policy-3.13.1-96.el7.noarch
selinux-policy-targeted-3.13.1-96.el7.noarch
selinux-policy-devel-3.13.1-96.el7.noarch
selinux-policy-doc-3.13.1-96.el7.noarch
selinux-policy-minimum-3.13.1-96.el7.noarch
# sesearch -s collectd_t -t collectd_t -c unix_stream_socket -A -C -p connectto
Found 1 semantic av rules:
DT allow daemon daemon : unix_stream_socket connectto ; [ daemons_enable_cluster_mode ]
#

I don't recommend enabling the daemons_enable_cluster_mode boolean, because it has too broad effect. It would be better to add an allow rule just for collectd_t.

Comment 7 Milos Malik 2016-09-14 06:05:04 UTC

Could you re-test the scenario after applying this workaround?

# cat bz1371496.te
policy_module(bz1371496, 1.0)

require {
  type collectd_t;
  class unix_stream_socket { connectto };
}

allow collectd_t collectd_t : unix_stream_socket { connectto };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1371496 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1371496.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bz1371496.mod
Creating targeted bz1371496.pp policy package
rm tmp/bz1371496.mod tmp/bz1371496.mod.fc
# semodule -i bz1371496.pp 
#

Comment 8 Milos Malik 2016-09-14 06:07:47 UTC

If you remove the policy module then it should be broken again:

# semodule -r bz1371496

But the workaround won't be needed, once the fix gets into the selinux-policy. BTW the /usr/share/selinux/devel/Makefile comes from selinux-policy-devel RPM.

Comment 9 Lukas Vrabec 2016-09-14 07:47:19 UTC

I agree with milos with his fix here. Could somebody report this BZ on selinux-policy component? 

Thanks.

Comment 10 Daniel Horák 2016-09-19 09:19:35 UTC

I've check the workaround/fix from comment 7, and it works as expected.

Comment 11 Daniel Horák 2016-09-19 10:27:50 UTC

Created Bug 1377259 for RHEL selinux-policy.

Comment 12 Timothy Asir 2016-09-20 12:54:12 UTC

Sent patch for review: https://review.gerrithub.io/#/c/295008/
https://review.gerrithub.io/#/c/295091/

Comment 14 Daniel Horák 2016-10-01 07:43:00 UTC

Tested and verified on:
  Red Hat Enterprise Linux Server release 7.3 (Maipo)

USM Server:
  ceph-ansible-1.0.5-34.el7scon.noarch
  ceph-installer-1.0.15-2.el7scon.noarch
  graphite-web-0.9.12-8.1.el7.noarch
  graphite2-1.3.6-1.el7_2.x86_64
  libcollection-0.6.2-27.el7.x86_64
  rhscon-ceph-0.0.43-1.el7scon.x86_64
  rhscon-core-0.0.45-1.el7scon.x86_64
  rhscon-core-selinux-0.0.45-1.el7scon.noarch
  rhscon-ui-0.0.59-1.el7scon.noarch
  salt-selinux-0.0.43-1.el7scon.noarch
  selinux-policy-3.13.1-102.el7.noarch
  selinux-policy-targeted-3.13.1-102.el7.noarch

Ceph OSD/MON node:
  calamari-server-1.4.8-1.el7cp.x86_64
  ceph-base-10.2.2-41.el7cp.x86_64
  ceph-common-10.2.2-41.el7cp.x86_64
  ceph-mon-10.2.2-41.el7cp.x86_64
  ceph-osd-10.2.2-41.el7cp.x86_64
  ceph-selinux-10.2.2-41.el7cp.x86_64
  collectd-ping-5.5.1-1.1.el7.x86_64
  collectd-5.5.1-1.1.el7.x86_64
  graphite2-1.3.6-1.el7_2.x86_64
  libcollection-0.6.2-27.el7.x86_64
  python-cephfs-10.2.2-41.el7cp.x86_64
  rhscon-agent-0.0.19-1.el7scon.noarch
  rhscon-core-selinux-0.0.45-1.el7scon.noarch
  salt-selinux-0.0.45-1.el7scon.noarch
  selinux-policy-targeted-3.13.1-102.el7.noarch
  selinux-policy-3.13.1-102.el7.noarch

SELinux in enforcing mode.
Network Utilization charts shows real data.

>> VERIFIED

Comment 15 errata-xmlrpc 2016-10-19 15:21:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:2082

Note You need to log in before you can comment on or make changes to this bug.