git master-ish pcp. Another illustration that many pmdas have diverse needs to connect to things, and probably should just become unconstrained.
type=AVC msg=audit(1521578046.908:119687): avc: denied { read } for pid=24448 comm="gluster" name="cli.log" dev="xvda2" ino=25217888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=AVC msg=audit(1521578046.908:119687): avc: denied { open } for pid=24448 comm="gluster" path="/var/log/glusterfs/cli.log" dev="xvda2" ino=25217888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1521578046.908:119687): arch=c000003e syscall=2 success=yes exit=5 a0=5582506be75c a1=40 a2=180 a3=676f6c2f7261762f items=0 ppid=24426 pid=24448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521578046.908:119687): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1521578046.913:119688): avc: denied { connectto } for pid=24448 comm="gluster" path="/run/glusterd.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1521578046.913:119688): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=5582512773b8 a2=6e a3=0 items=0 ppid=24426 pid=24448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
pcp-4.0.1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-67ae01df6c
pcp-4.0.1-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0d3cdb266
pcp-4.0.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a88bef9929
pcp-4.0.1-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-67ae01df6c
pcp-4.0.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a88bef9929
pcp-4.0.1-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0d3cdb266
pcp-4.0.1-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Looks like there are still issues:
type=USER_CMD msg=audit(1522864273.965:12946): pid=10809 uid=1001 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/lib/pcp/pmdas/gluster" cmd="./Install" terminal=pts/0 res=success'
type=CRED_REFR msg=audit(1522864273.966:12947): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1522864273.966:12948): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=AVC msg=audit(1522864277.592:12949): avc: denied { search } for pid=11056 comm="gluster" name="glusterfs" dev="vda1" ino=21177864 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864277.592:12949): arch=c000003e syscall=4 success=no exit=-13 a0=7f7c662f3551 a1=7ffc81bfb9e0 a2=7ffc81bfb9e0 a3=9 items=0 ppid=11034 pid=11056 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864277.592:12949): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864277.592:12950): avc: denied { search } for pid=11056 comm="gluster" name="glusterfs" dev="vda1" ino=8523839 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864277.592:12950): arch=c000003e syscall=2 success=no exit=-13 a0=55a896a5875c a1=40 a2=180 a3=1 items=0 ppid=11034 pid=11056 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864277.592:12950): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=USER_END msg=audit(1522864277.606:12951): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=CRED_DISP msg=audit(1522864277.606:12952): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=AVC msg=audit(1522864288.225:12953): avc: denied { search } for pid=11060 comm="gluster" name="glusterfs" dev="vda1" ino=21177864 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.225:12953): arch=c000003e syscall=4 success=no exit=-13 a0=7f6ff104a551 a1=7fffd6b11d70 a2=7fffd6b11d70 a3=9 items=0 ppid=11034 pid=11060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.225:12953): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864288.225:12954): avc: denied { search } for pid=11060 comm="gluster" name="glusterfs" dev="vda1" ino=8523839 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.225:12954): arch=c000003e syscall=2 success=no exit=-13 a0=555b6fd7075c a1=40 a2=180 a3=1 items=0 ppid=11034 pid=11060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.225:12954): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864288.260:12955): avc: denied { search } for pid=11062 comm="gluster" name="glusterfs" dev="vda1" ino=21177864 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.260:12955): arch=c000003e syscall=4 success=no exit=-13 a0=7fe44f895551 a1=7ffec6454540 a2=7ffec6454540 a3=9 items=0 ppid=11034 pid=11062 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.260:12955): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864288.260:12956): avc: denied { search } for pid=11062 comm="gluster" name="glusterfs" dev="vda1" ino=8523839 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.260:12956): arch=c000003e syscall=2 success=no exit=-13 a0=5567e7ec375c a1=40 a2=180 a3=1 items=0 ppid=11034 pid=11062 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.260:12956): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=USER_CMD msg=audit(1522864295.839:12957): pid=11064 uid=1001 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/lib/pcp/pmdas/gluster" cmd=677265702064656E696564202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=pts/0 res=success'
Using:
$ rpm -qa | grep pcp
python-pcp-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-libs-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-selinux-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-pmda-dm-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-pmda-gluster-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-conf-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-system-tools-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
Thanks, I've pushed a fix upstream for the additional AVC denials
commit 7b87d011baa1cab70abfbbc83fa970d10c146253 (HEAD -> master, origin/master, origin/HEAD)
Author: Lukas Berk <lberk>
Date: Wed Apr 4 15:12:44 2018 -0400
    rhbz1558708 further policy and qa updates
    Add glusterd_log_t:dir { search }
    Add glusterd_conf_t:dir { search }
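Added example, not part of the bug comments or of PCP's policy sources: a small parser that folds the AVC denials quoted in this thread into one allow rule per source type, target type and class, and decodes the hex PROCTITLE to show which command triggered them. The function names are hypothetical, the sample holds one record per distinct denial copied from the thread, and the output only imitates the rule syntax that audit2allow prints.

```python
import re
from collections import defaultdict

# Sample input: one record per distinct denial, copied from the audit logs quoted in this thread.
SAMPLE = """\
type=AVC msg=audit(1521578046.908:119687): avc: denied { read } for pid=24448 comm="gluster" name="cli.log" dev="xvda2" ino=25217888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=AVC msg=audit(1521578046.908:119687): avc: denied { open } for pid=24448 comm="gluster" path="/var/log/glusterfs/cli.log" dev="xvda2" ino=25217888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=AVC msg=audit(1521578046.913:119688): avc: denied { connectto } for pid=24448 comm="gluster" path="/run/glusterd.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1522864277.592:12949): avc: denied { search } for pid=11056 comm="gluster" name="glusterfs" dev="vda1" ino=21177864 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=PROCTITLE msg=audit(1522864277.592:12949): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864277.592:12950): avc: denied { search } for pid=11056 comm="gluster" name="glusterfs" dev="vda1" ino=8523839 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def allow_rules(log):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m.group(2)), selinux_type(m.group(3)), m.group(4))
            perms[key].update(m.group(1).split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def proctitles(log):
    """Decode hex-encoded PROCTITLE values (NUL-separated argv) to command lines."""
    found = set()
    for m in re.finditer(r"proctitle=([0-9A-Fa-f]+)", log):
        argv = bytes.fromhex(m.group(1)).decode(errors="replace")
        found.add(argv.replace("\0", " "))
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
    print(proctitles(SAMPLE))
```

The two `dir { search }` rules it prints match the additions named in the commit message above.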
pcp-4.0.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
pcp-4.0.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.