Bug 1517862 - SELinux errors for pcp-pmda-postfix
Summary: SELinux errors for pcp-pmda-postfix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcp
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Berk
QA Contact: Michal Kolar
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-27 15:45 UTC by Ugo Bellavance
Modified: 2018-04-10 17:08 UTC
CC: 8 users

Fixed In Version: pcp-3.12.2-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 17:08:10 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2018:0926 (last updated 2018-04-10 17:08:32 UTC)

Description Ugo Bellavance 2017-11-27 15:45:58 UTC
Description of problem:
The postfix PMDA doesn't work after installation because of SELinux denials.


Version-Release number of selected component (if applicable):
3.11.8-7

How reproducible:
Always

Steps to Reproduce:
1. Install pcp and pcp-pmda-postfix
2. Install the PMDA by running the Install script
3. Run pminfo -f postfix or use pmchart to try to display postfix values

Actual results:

For pminfo: postfix: pmLookupName: IPC protocol failure
For pmchart: Cannot get children of the node "postfix". No PMCD agent for domain of request.

Expected results:
Show metrics

Additional info:

SELinux-related actions to make it work:

setsebool -P pcp_read_generic_logs 1

Also, even if the boolean is set, there are other SELinux errors:

=================================
SELinux is preventing /usr/bin/perl from read access on the directory /var/spool/postfix/maildrop.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed read access on the maildrop directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'qshape' --raw | audit2allow -M my-qshape
# semodule -i my-qshape.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:postfix_spool_t:s0
Target Objects                /var/spool/postfix/maildrop [ dir ]
Source                        qshape
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          atqvcs1.atqlan.agri-tracabilite.qc.ca
Source RPM Packages           perl-5.16.3-292.el7.x86_64
Target RPM Packages           postfix-2.10.1-6.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     atqvcs1.atqlan.agri-tracabilite.qc.ca
Platform                      Linux atqvcs1.atqlan.agri-tracabilite.qc.ca
                              3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13
                              10:46:25 EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-11-27 10:35:25 EST
Last Seen                     2017-11-27 10:35:25 EST
Local ID                      ac5d9c42-8e4b-4f54-a3d4-90e7c02d369c

Raw Audit Messages
type=AVC msg=audit(1511796925.305:201871): avc:  denied  { read } for  pid=13416 comm="qshape" name="maildrop" dev="dm-4" ino=8388759 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir


type=SYSCALL msg=audit(1511796925.305:201871): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=1181210 a2=90800 a3=0 items=0 ppid=13385 pid=13416 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=qshape exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

Hash: qshape,pcp_pmcd_t,postfix_spool_t,dir,read
==================================================

=========================
SELinux is preventing /usr/bin/bash from using the signal access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed signal access on processes labeled pcp_pmcd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmsignal' --raw | audit2allow -M my-pmsignal
# semodule -i my-pmsignal.pp

Additional Information:
Source Context                system_u:system_r:pcp_pmie_t:s0
Target Context                system_u:system_r:pcp_pmcd_t:s0
Target Objects                Unknown [ process ]
Source                        pmsignal
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          atqvcs1.atqlan.agri-tracabilite.qc.ca
Source RPM Packages           bash-4.2.46-29.el7_4.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     atqvcs1.atqlan.agri-tracabilite.qc.ca
Platform                      Linux atqvcs1.atqlan.agri-tracabilite.qc.ca
                              3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 13
                              10:46:25 EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-11-27 10:41:55 EST
Last Seen                     2017-11-27 10:41:55 EST
Local ID                      cd93f89a-9575-4115-a862-79e5d74ef676

Raw Audit Messages
type=AVC msg=audit(1511797315.75:201934): avc:  denied  { signal } for  pid=13680 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=process


type=SYSCALL msg=audit(1511797315.75:201934): arch=x86_64 syscall=kill success=no exit=EACCES a0=3441 a1=1 a2=0 a3=7ffcdd807c10 items=0 ppid=13679 pid=13680 auid=4294967295 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=pmsignal exe=/usr/bin/bash subj=system_u:system_r:pcp_pmie_t:s0 key=(null)

Hash: pmsignal,pcp_pmie_t,pcp_pmcd_t,process,signal
===================================================

Comment 2 Lukas Berk 2017-11-27 17:42:31 UTC
Fixed in upstream tree, will be added to upstream

commit 03aa6b7e2c17e6d4a713f542c8e04c410f257c40
Author: Lukas Berk <lberk>
Date:   Mon Nov 27 12:35:32 2017 -0500

    selinux: RHBZ1517862 postfix context access addition
    
    add context access for postfix_spool_t dir read's
    update testcase

the pcp_pmie_t/pcp_pmcd_t rule was already added in: 

commit 531330542ee083cdb220d08ab798356a30f1dd39
Author: Lukas Berk <lberk>
Date:   Wed Apr 19 17:02:26 2017 -0400

    selinux: RHBZ1443632 missing capability for qa purposes
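
As an added illustration (not part of the original report, and not code from the pcp project), the following Python does by hand what the `ausearch --raw | audit2allow -M` pipeline suggested in the Description does: it parses the two raw AVC records quoted in the report, merges them into TE allow rules, renders the `.te` module source that audit2allow would write, and then checks the same denials against a hand-written model of the two upstream policy rules cited in Comment 2. The sample audit records are copied from the report (with one SYSCALL line kept to show that non-AVC records are skipped); the `ASSUMED_FIXED_POLICY` set and every function name are assumptions for illustration, not the literal contents of the shipped selinux policy.

```python
import re
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

# Constructed sample input: the two raw AVC records quoted in the bug report,
# plus one SYSCALL record to show that non-AVC lines are skipped.
AVC_SAMPLE = """\
type=AVC msg=audit(1511796925.305:201871): avc:  denied  { read } for  pid=13416 comm="qshape" name="maildrop" dev="dm-4" ino=8388759 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1511796925.305:201871): arch=x86_64 syscall=openat success=no exit=EACCES comm=qshape exe=/usr/bin/perl
type=AVC msg=audit(1511797315.75:201934): avc:  denied  { signal } for  pid=13680 comm="pmsignal" scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=process
"""


class Denial(NamedTuple):
    perms: FrozenSet[str]
    comm: str
    source_type: str   # SELinux type of the subject (from scontext)
    target_type: str   # SELinux type of the object (from tcontext)
    tclass: str        # object class: dir, file, process, ...


AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Key = Tuple[str, str, str]  # (source_type, target_type, tclass)


def _type_of(context: str) -> str:
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text: str) -> List[Denial]:
    """Parse raw audit records, keeping only AVC denials (what ausearch --raw prints)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(Denial(
            perms=frozenset(m.group("perms").split()),
            comm=fields.get("comm", "?"),
            source_type=_type_of(fields["scontext"]),
            target_type=_type_of(fields["tcontext"]),
            tclass=fields["tclass"],
        ))
    return denials


def merge(denials: List[Denial]) -> Dict[Key, Set[str]]:
    """Collapse denials into one permission set per (source, target, class) triple."""
    merged: Dict[Key, Set[str]] = {}
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    return merged


def _perm_list(perms: Set[str]) -> str:
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def to_allow_rules(merged: Dict[Key, Set[str]]) -> List[str]:
    """One TE allow rule per triple, in the form audit2allow prints."""
    return [f"allow {src} {tgt}:{cls} {_perm_list(perms)};" for (src, tgt, cls), perms in merged.items()]


def module_source(merged: Dict[Key, Set[str]], name: str) -> str:
    """Render a complete .te module (what `audit2allow -M name` writes before compiling)."""
    types = sorted({t for (src, tgt, _) in merged for t in (src, tgt)})
    classes: Dict[str, Set[str]] = {}
    for (_, _, cls), perms in merged.items():
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_list(p)};" for cls, p in sorted(classes.items())]
    lines += ["}", ""] + to_allow_rules(merged)
    return "\n".join(lines) + "\n"


# Assumed model of the two upstream policy commits cited in Comment 2
# (pcp_pmcd_t reading postfix_spool_t dirs; pcp_pmie_t signalling pcp_pmcd_t).
# This is an illustration, not the literal content of the shipped policy.
ASSUMED_FIXED_POLICY: FrozenSet[Tuple[str, str, str, str]] = frozenset({
    ("pcp_pmcd_t", "postfix_spool_t", "dir", "read"),
    ("pcp_pmie_t", "pcp_pmcd_t", "process", "signal"),
})


def uncovered(denials: List[Denial], granted) -> List[Denial]:
    """Denials not fully covered by a set of (src, tgt, class, perm) grants."""
    return [d for d in denials
            if not all((d.source_type, d.target_type, d.tclass, p) in granted for p in d.perms)]


if __name__ == "__main__":
    found = parse_avc(AVC_SAMPLE)
    print(module_source(merge(found), "my-pcp-postfix"))
    print("still denied after fix:", uncovered(found, ASSUMED_FIXED_POLICY))
```

Two practical points follow from the output. First, a local module built this way is exactly the "allow this access for now" workaround sealert proposes: it grants only the specific (source type, target type, class, permission) tuples that were denied, which is the narrowest possible fix and should be preferred over widening booleans or switching a domain to permissive. Second, once the packaged policy carries the rules (pcp-3.12.2-5.el7 per Comment 4), the local module is redundant; `uncovered(...)` returning an empty list against the updated policy is the signal that it can be dropped with `semodule -r <name>` so that the local policy does not silently outlive the bug it was written for.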

Comment 4 Michal Kolar 2018-02-21 09:32:16 UTC
Verified against pcp-3.12.2-5.el7.

Comment 8 errata-xmlrpc 2018-04-10 17:08:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0926

