Bug 1558465 - [OSP13] Collectd 5.8 SELinux denials

Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 13.0 (Queens)
Assigned To: Lon Hohberger
QA Contact: Udi Shkalim
Keywords: Triaged
Blocks: 1409844 1559557 1559558 1559559
Reported: 2018-03-20 05:38 EDT by Matthias Runge
Modified: 2018-06-27 09:49 EDT
Fixed In Version: openstack-selinux-0.8.14-1.el7ost
Doc Type: If docs needed, set a value
Clones: 1559557 1559558 1559559
Last Closed: 2018-06-27 09:47:45 EDT
Type: Bug

External Trackers:
Red Hat Product Errata RHEA-2018:2086 (last updated 2018-06-27 09:49 EDT)
Description Matthias Runge 2018-03-20 05:38:13 EDT
Description of problem:

type=AVC msg=audit(1521538176.491:1898): avc:  denied  { add_name } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { create } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { write open } for  pid=28227 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=423477 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

Version-Release number of selected component (if applicable):
collectd-5.8.0-5 with collectd-rdt plugin, see https://bugzilla.redhat.com/show_bug.cgi?id=1409844#c24

How reproducible:
100%

Putting SELinux into permissive, it works.


This happens in OSP 10 - OSP 13 and is required in all versions, since collectd 5.8 is being backported to OSP 10 - OSP 13.

Additional info:
Comment 3 Lon Hohberger 2018-03-21 11:05:21 EDT
The file needs a default label - is it just /run/lock/libpqos ?
Comment 4 Matthias Runge 2018-03-21 11:27:45 EDT
type=AVC msg=audit(1521626242.055:83): avc:  denied  { read } for  pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { write } for  pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc:  denied  { add_name } for  pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:83): avc:  denied  { create } for  pid=1443 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { write open } for  pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:83): arch=c000003e syscall=2 success=yes exit=3 a0=7f42361aa28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:83): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521626242.055:84): avc:  denied  { lock } for  pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:84): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffe7a755a50 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521626242.055:84): proctitle="/usr/sbin/collectd"
type=SERVICE_START msg=audit(1521626242.059:85): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=xinetd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1521629666.167:1293): avc:  denied  { read } for  pid=20204 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521629666.167:1293): avc:  denied  { write } for  pid=20204 comm="collectd" name="libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521629666.167:1293): avc:  denied  { open } for  pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.167:1293): arch=c000003e syscall=2 success=yes exit=3 a0=7efccfded28f a1=41 a2=1a4 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.167:1293): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.168:1294): avc:  denied  { lock } for  pid=20204 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521629666.168:1294): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffdf47bf200 a3=73 items=0 ppid=1 pid=20204 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521629666.168:1294): proctitle="/usr/sbin/collectd"
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { read write } for  pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { open } for  pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { sys_rawio } for  pid=20204 comm="collectd" capability=17  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capab
Comment 5 Lon Hohberger 2018-03-21 15:10:04 EDT
... and this is all from the 5.8.0 rebase.

The raw audit2allow output on F27 is:

allow collectd_t cpu_device_t:chr_file { open read write };
allow collectd_t self:capability sys_rawio;
allow collectd_t var_lock_t:dir add_name;
allow collectd_t var_lock_t:file { create lock open write };

... meaning Fedora is out of date. I'll see where selinux-policy on github is.
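As an added example (not code from this bug report, from collectd or from openstack-selinux), the following Python reproduces the aggregation step that audit2allow performs on the AVC records quoted above: it keys each denial by (source type, target type, object class), merges the permission sets, and prints allow statements in the same form as the raw output in comment 5. The sample input is constructed from the AVC lines quoted in this bug, re-joined where the page wraps them; the last line is assumed to end in `tclass=capability` (the page shows it truncated as `capab`).

```python
"""Aggregate SELinux AVC denials into audit2allow-style allow rules.

Added example for bug 1558465; not code from the bug report or from
openstack-selinux.
"""
import re

# Constructed sample input: the AVC records quoted in the bug report,
# re-joined where the page wraps them. The SYSCALL record is included to
# show that non-AVC records are skipped. The final record's tclass is
# assumed to be "capability" (shown truncated as "capab" on the page).
SAMPLE_AVCS = """\
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { add_name } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { create } for  pid=28227 comm="collectd" name="libpqos" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521538176.491:1898): avc:  denied  { write open } for  pid=28227 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=423477 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { read } for  pid=1443 comm="collectd" name="lock" dev="dm-3" ino=137 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1521626242.055:83): avc:  denied  { write } for  pid=1443 comm="collectd" name="lock" dev="tmpfs" ino=9300 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1521626242.055:84): avc:  denied  { lock } for  pid=1443 comm="collectd" path="/run/lock/libpqos" dev="tmpfs" ino=23152 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=SYSCALL msg=audit(1521626242.055:84): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=7 a2=7ffe7a755a50 a3=73 items=0 ppid=1 pid=1443 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { read write } for  pid=20204 comm="collectd" name="msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { open } for  pid=20204 comm="collectd" path="/dev/cpu/0/msr" dev="devtmpfs" ino=1108 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:cpu_device_t:s0 tclass=chr_file
type=AVC msg=audit(1521629666.169:1295): avc:  denied  { sys_rawio } for  pid=20204 comm="collectd" capability=17  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability
"""

# One AVC record: the permission list in braces, then the two contexts and
# the object class. Everything else (pid, comm, path, ino) is irrelevant to
# the resulting rule and is skipped with non-greedy matches.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of a context."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL / PROCTITLE records carry no access vector
        src = context_type(m.group('scon'))
        # audit2allow writes "self" when subject and target contexts are the
        # same, as for capability checks against the process's own context.
        tgt = 'self' if m.group('scon') == m.group('tcon') \
            else context_type(m.group('tcon'))
        yield src, tgt, m.group('tclass'), set(m.group('perms').split())


def aggregate(text):
    """Merge denials sharing (source, target, class) into one permission set."""
    rules = {}
    for src, tgt, tclass, perms in parse_avcs(text):
        rules.setdefault((src, tgt, tclass), set()).update(perms)
    return rules


def format_rules(rules):
    """Render rules as the allow statements audit2allow prints, sorted."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {src} {tgt}:{tclass} {perm_str};')
    return out


if __name__ == '__main__':
    for rule in format_rules(aggregate(SAMPLE_AVCS)):
        print(rule)
```

Run against the sample it prints five rules: the four listed in comment 5, plus `dir write` folded into the var_lock_t:dir rule and a var_lock_t:lnk_file read rule, both of which come only from the records in comment 4. Two points a policy author would weigh before shipping rules generated this way: `chr_file { open read write }` on cpu_device_t together with `capability sys_rawio` (which the kernel requires to open /dev/cpu/*/msr) lets anything running as collectd_t write arbitrary MSRs, so confirming the plugin needs write rather than read access is worth the check; and for /run/lock/libpqos, giving the lock file its own type through a file name transition, which is the "default label" comment 3 asks about, is tighter than granting collectd_t create/write on everything labelled var_lock_t.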
Comment 6 Matthias Runge 2018-03-21 16:52:00 EDT
Fedora just disables the intel_rdt plugin: https://src.fedoraproject.org/rpms/collectd/blob/master/f/collectd.spec#_699
Comment 14 Lon Hohberger 2018-05-10 14:15:25 EDT
0.8.14-1 has /usr/share/openstack-selinux/0.8.14/tests/bz1558465; and all regression tests based on AVCs passed.
Comment 16 errata-xmlrpc 2018-06-27 09:47:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
