Description of problem:

type=AVC msg=audit(1521538176.491:1898): avc: denied { add_name } for pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521538176.491:1898): avc: denied { create } for pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521538176.491:1898): avc: denied { write open } for pid=28227 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=423477 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

Version-Release number of selected component (if applicable):
collectd-5.8.0-5 with collectd-rdt plugin, see https://bugzilla.redhat.com/show_bug.cgi?id=1409844#c24

How reproducible:
100%. Putting selinux into permissive, it works.

This happens in osp10 - osp 13 and is required in all versions, since collectd 5.8 is being backported to OSP 10 - OSP 13.

Additional info:
The file needs a default label - is it just /run/lock/libpqos ?
type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc: denied { write open } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:83): arch=c000003e syscall=2 success=yes exit=3 a0=7f42361aa28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:83): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:84): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffe7a755a50 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:84): proctitle="/usr/sbin/collectd"
type=SERVICE_START msg=audit(1521626242.059:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xinetd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1521629666.167:1293): avc: denied { read } for pid=20204 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521629666.167:1293): avc: denied { write } for pid=20204 comm="collectd" name="libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.167:1293): avc: denied { open } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.167:1293): arch=c000003e syscall=2 success=yes exit=3 a0=7efccfded28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.167:1293): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.168:1294): avc: denied { lock } for pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.168:1294): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffdf47bf200 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.168:1294): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capab
... and this is all from the 5.8.0 rebase. The raw audit2allow output on F27 is:

allow collectd_t cpu_device_t:chr_file { open read write };
allow collectd_t self:capability sys_rawio;
allow collectd_t var_lock_t:dir add_name;
allow collectd_t var_lock_t:file { create lock open write };

... meaning Fedora is out of date. I'll see where selinux-policy on github is.
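The rules above are what audit2allow derives from the AVC records pasted earlier: it keys each denial on (source type, target type, object class) and unions the denied permissions. The following added example (not code from the bug report, collectd, or openstack-selinux) reproduces that aggregation in Python so the result can be reviewed before anything is loaded with semodule. The audit records in SAMPLE_AVCS are constructed from the ones in this report; the truncated last record is completed with its real class name, capability. The module name collectd_rdt and the BROAD_CAPS list are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from this bug report, plus one
# non-AVC record to show that other audit types are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1521626242.055:83): avc: denied { read } for pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc: denied { write } for pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { add_name } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc: denied { create } for pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc: denied { write open } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=PROCTITLE msg=audit(1521626242.055:83): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521626242.055:84): avc: denied { lock } for pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.169:1295): avc: denied { read write } for pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { open } for pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc: denied { sys_rawio } for pid=20204 comm="collectd" capability=17 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
"""

# One AVC record per line: the denied permission set, then the two contexts and the class.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Capabilities that deserve a human look before being granted to a daemon
# (this list is the example's own choice, not something audit2allow enforces).
BROAD_CAPS = {"sys_rawio", "sys_admin", "sys_module", "sys_ptrace", "dac_override", "setuid", "setgid"}


def _type_of(context):
    # user:role:type[:range] -> type; the MLS range may itself contain ':'.
    return context.split(":")[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PROCTITLE, SERVICE_START, ... carry no access vector
        stype = _type_of(m["scontext"])
        # audit2allow writes 'self' when the target is the process's own context
        # (always the case for capability checks).
        ttype = "self" if m["tcontext"] == m["scontext"] else _type_of(m["tcontext"])
        rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return rules


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_rules(rules):
    """Allow rules in audit2allow's format, sorted for stable diffs."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]


def review_flags(rules):
    """Rules granting a broad capability, i.e. the ones not to accept blindly."""
    return [
        f"allow {s} {t}:{c} {fmt_perms(p)};"
        for (s, t, c), p in sorted(rules.items())
        if c in ("capability", "capability2") and p & BROAD_CAPS
    ]


def render_module(name, rules, version="1.0"):
    """Loadable module source as 'audit2allow -M' would write it (module/require/allow)."""
    types, class_perms = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.add(stype)
        if ttype != "self":
            types.add(ttype)
        class_perms[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""] + render_rules(rules)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AVCS)
    print(render_module("collectd_rdt", parsed))
    for flagged in review_flags(parsed):
        print("# REVIEW:", flagged)
```

Two things the generated module makes visible that the raw AVCs do not. First, every var_lock_t rule applies to the whole of /run/lock, not just /run/lock/libpqos, which is exactly why the question above about a default label for that file matters: a dedicated type with a file transition would confine the grant to the pqos lock file. Second, sys_rawio (capability 17, the one the msr device needs) is flagged for review because CAP_SYS_RAWIO also covers iopl/ioperm and raw block device access; it is the price of reading /dev/cpu/*/msr and should be a conscious decision rather than a pasted rule. Write the output to collectd_rdt.te and build it with checkmodule -M -m and semodule_package as usual.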
Fedora just disables inte- rdt plugin: https://src.fedoraproject.org/rpms/collectd/blob/master/f/collectd.spec#_699
https://github.com/redhat-openstack/openstack-selinux/commit/f1e1448f18e8d76d6b765027f798284d5c474391
0.8.14-1 has /usr/share/openstack-selinux/0.8.14/tests/bz1558465; and all regression tests based on AVCs passed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086