Bug 1590830 - collectd write_prometheus plugin fails to start due to SELinux restrictions
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-06-13 12:51 UTC by Simon Pasquier
Modified: 2018-07-29 03:22 UTC

Fixed In Version: selinux-policy-3.14.1-36.fc28
Last Closed: 2018-07-29 03:22:01 UTC
Type: Bug



Description Simon Pasquier 2018-06-13 12:51:28 UTC
Description of problem:

The write_prometheus plugin of collectd fails to start. Checking audit.log, it looks like SELinux is preventing collectd from listening on port 9103.

Version-Release number of selected component (if applicable):

Kernel: 4.16.9-300.fc28.x86_64
collectd: 5.8.0-8.fc28
collectd-write_prometheus: 5.8.0-8.fc28

How reproducible:

Always

Steps to Reproduce:

1. Install the following packages: collectd collectd-write_prometheus
2. Update /etc/collectd.conf to enable the write_prometheus plugin.
  LoadPlugin syslog
  LoadPlugin cpu
  LoadPlugin interface
  LoadPlugin load
  LoadPlugin memory
  LoadPlugin write_prometheus
  <Plugin write_prometheus>
        Port "9103"
  </Plugin>
  Include "/etc/collectd.d"
3. Start collectd.

Actual results:

collectd doesn't expose any metric on port 9103. The collectd logs show that the service fails to bind on port 9103.

Jun 13 14:27:07 localhost.localdomain collectd[23781]: plugin_load: plugin "memory" successfully loaded.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: plugin_load: plugin "write_prometheus" successfully loaded.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: Systemd detected, trying to signal readyness.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: write_prometheus plugin: Opening a listening socket failed.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: write_prometheus plugin: MHD_start_daemon() failed.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: Initialization of plugin `write_prometheus' failed with status -1. Plugin will be unloaded.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: plugin_unregister_read: No such read function: write_prometheus
Jun 13 14:27:07 localhost.localdomain systemd[1]: Started Collectd statistics daemon.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: Error: one or more plugin init callbacks failed.
Jun 13 14:27:07 localhost.localdomain collectd[23781]: Initialization complete, entering read-loop.

And audit.log reports the AVC denial:

type=AVC msg=audit(1528892827.529:234): avc:  denied  { name_bind } for  pid=23781 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:bacula_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1528892827.529:235): avc:  denied  { name_bind } for  pid=23781 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:bacula_port_t:s0 tclass=tcp_socket permissive=0


Expected results:

The write_prometheus plugin should start and serve the metrics on port 9103.

Additional info:

I'm not sure whether this bug should be filed against SELinux or collectd. Feel free to redirect.
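
To triage a denial like the one in the description, the AVC fields can be pulled apart and repeated records collapsed into one entry per distinct access. The Python below is an added example, not part of the original report or of any Fedora tooling; the function names are hypothetical and the input is the two AVC records quoted in the description.

```python
import re
from collections import Counter

# The two AVC records quoted in the bug description.
SAMPLE_LOG = """\
type=AVC msg=audit(1528892827.529:234): avc:  denied  { name_bind } for  pid=23781 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:bacula_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1528892827.529:235): avc:  denied  { name_bind } for  pid=23781 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:bacula_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type:level; the type is the third part.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(log_text):
    """Collapse repeated denials into one counted entry per distinct access."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        key = (f["comm"], f["source_type"], f["target_type"], f["tclass"],
               tuple(f["perms"]), f.get("src"), f["permissive"] == "0")
        counts[key] += 1
    return counts

def describe(key, count):
    comm, src_t, tgt_t, tclass, perms, port, enforced = key
    state = "blocked" if enforced else "logged only (permissive)"
    return (f"{comm} ({src_t}) {'/'.join(perms)} on {tclass} port {port}, "
            f"labelled {tgt_t}: {state}, seen {count}x")

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(describe(key, count))
```

The summary makes the cause visible: port 9103 carries the bacula_port_t label, so a name_bind from the collectd_t domain is denied in enforcing mode.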

Comment 1 Fedora Update System 2018-07-25 22:27:31 UTC
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 2 Fedora Update System 2018-07-26 16:30:01 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

Comment 3 Fedora Update System 2018-07-29 03:22:01 UTC
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

