Description of problem: The write_prometheus plugin of collectd fails to start. Checking audit.log, it looks like SELinux is preventing collectd to listen on port 9103. Version-Release number of selected component (if applicable): Kernel: 4.16.9-300.fc28.x86_64 collectd: 5.8.0-8.fc28 collectd-write_prometheus: 5.8.0-8.fc28 How reproducible: Always Steps to Reproduce: 1. Install the following packages: collectd collectd-write_prometheus 2. Update /etc/collectd.conf to enable the write_prometheus plugin. LoadPlugin syslog LoadPlugin cpu LoadPlugin interface LoadPlugin load LoadPlugin memory LoadPlugin write_prometheus <Plugin write_prometheus> Port "9103" </Plugin> Include "/etc/collectd.d" 3. Start collectd. Actual results: collectd doesn't expose any metric on port 9103. The collectd logs show that the service fails to bind on port 9103. Jun 13 14:27:07 localhost.localdomain collectd[23781]: plugin_load: plugin "memory" successfully loaded. Jun 13 14:27:07 localhost.localdomain collectd[23781]: plugin_load: plugin "write_prometheus" successfully loaded. Jun 13 14:27:07 localhost.localdomain collectd[23781]: Systemd detected, trying to signal readyness. Jun 13 14:27:07 localhost.localdomain collectd[23781]: write_prometheus plugin: Opening a listening socket failed. Jun 13 14:27:07 localhost.localdomain collectd[23781]: write_prometheus plugin: MHD_start_daemon() failed. Jun 13 14:27:07 localhost.localdomain collectd[23781]: Initialization of plugin `write_prometheus' failed with status -1. Plugin will be unloaded. Jun 13 14:27:07 localhost.localdomain collectd[23781]: plugin_unregister_read: No such read function: write_prometheus Jun 13 14:27:07 localhost.localdomain systemd[1]: Started Collectd statistics daemon. Jun 13 14:27:07 localhost.localdomain collectd[23781]: Error: one or more plugin init callbacks failed. Jun 13 14:27:07 localhost.localdomain collectd[23781]: Initialization complete, entering read-loop. And audit.log reports the AVC denial: type=AVC msg=audit(1528892827.529:234): avc: denied { name_bind } for pid=23781 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:bacula_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1528892827.529:235): avc: denied { name_bind } for pid=23781 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:bacula_port_t:s0 tclass=tcp_socket permissive=0 Expected results: The write_prometheus plugin should start and serve the metrics on port 9103. Additional info: I'm not sure whether this bug should be filed against SELinux or collectd. Feel free to redirect.
selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b
selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.