1622253 – pcp-pmda-named does not work due to selinux blocking perl access to /var/named/data/named_stats.txt

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1622253 - pcp-pmda-named does not work due to selinux blocking perl access to /var/named/data/named_stats.txt

Summary: pcp-pmda-named does not work due to selinux blocking perl access to /var/name...

Keywords:
Status:	CLOSED DUPLICATE of bug 1647308
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pcp
Sub Component:
Version:	7.5
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	pcp-maint
QA Contact:	qe-baseos-tools-bugs
Docs Contact:
URL:
Whiteboard:
Depends On:	1647308
Blocks:	1594286
TreeView+	depends on / blocked

Reported:	2018-08-24 22:23 UTC by Chris Cheney
Modified:	2022-03-13 15:27 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-03-04 00:22:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Chris Cheney 2018-08-24 22:23:41 UTC

From customer case description:

Installed pcp pcp-pmda-named to trouble shoot some DNS questions.
the selinux logs complained on perl access to the /var/named/data/named_stats.txt and rndc binary

alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/perl from search access on the directory /var/named/data/named_stats.txt.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/named/data/named_stats.txt default label should be named_cache_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/named/data/named_stats.txt

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that perl should be allowed search access on the named_stats.txt directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'perl' --raw | audit2allow -M my-perl
# semodule -i my-perl.pp


Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:named_zone_t:s0
Target Objects                /var/named/data/named_stats.txt [ dir ]
Source                        perl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           perl-5.16.3-292.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (redacted)
Platform                      Linux (redacted)
                              3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27
                              04:30:39 EDT 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-07-25 11:31:45 MDT
Last Seen                     2018-07-25 11:36:14 MDT
Local ID                      5ac8394c-b8fd-4b8b-b114-a451e9e6fad7

Raw Audit Messages
type=AVC msg=audit(1532540174.341:22480): avc:  denied  { search } for  pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir


type=SYSCALL msg=audit(1532540174.341:22480): arch=x86_64 syscall=stat success=no exit=EACCES a0=1204660 a1=11ce138 a2=11ce138 a3=6d616e2f7261762f items=1 ppid=19869 pid=25668 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

type=CWD msg=audit(1532540174.341:22480): cwd=/var/log/pcp/pmcd

type=PATH msg=audit(1532540174.341:22480): item=0 name=/var/named/data/named_stats.txt objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: perl,pcp_pmcd_t,named_zone_t,dir,search


SELinux is preventing /usr/bin/perl from 'read, open' accesses on the file /usr/sbin/rndc.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed read open access on the rndc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'perl' --raw | audit2allow -M my-perl
# semodule -i my-perl.pp


Additional Information:
Source Context                system_u:system_r:pcp_pmcd_t:s0
Target Context                system_u:object_r:ndc_exec_t:s0
Target Objects                /usr/sbin/rndc [ file ]
Source                        perl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           perl-5.16.3-292.el7.x86_64
Target RPM Packages           bind-9.9.4-61.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (redacted)
Platform                      Linux (redacted)
                              3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27
                              04:30:39 EDT 2018 x86_64 x86_64
Alert Count                   9
First Seen                    2018-07-25 11:49:49 MDT
Last Seen                     2018-07-25 11:51:02 MDT
Local ID                      408ab5d1-d8a0-4a96-8394-59dc9bbf0eab

Raw Audit Messages
type=AVC msg=audit(1532541062.782:32023): avc:  denied  { read open } for  pid=30511 comm="perl" path="/usr/sbin/rndc" dev="dm-0" ino=9699441 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ndc_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1532541062.782:32023): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff46e8b2dd a1=23358e0 a2=231a1f0 a3=7fff46e8ade0 items=1 ppid=29837 pid=30511 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

type=CWD msg=audit(1532541062.782:32023): cwd=/var/log/pcp/pmcd

type=PATH msg=audit(1532541062.782:32023): item=0 name=/usr/sbin/rndc inode=9699441 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ndc_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: perl,pcp_pmcd_t,ndc_exec_t,file,read,open

---

Additionally TSE has reproduced the same problem in house:

I tested reproducing the customers steps in the case description. I can reproduce the denial, and confirm that the setroubleshoot recommendation of a blanket perl module (probably not a good idea anyways) still yields these denials, even after being loaded:

Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408
Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012
Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408
Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012


Version-Release number of selected component (if applicable):

3.12.2-5

Comment 2 Lukas Berk 2018-09-07 12:23:55 UTC

Fixed upstream in commit:
commit 7e7203c27c03c20a2cadcb75b8d351da0a11ec1a
Author: Lukas Berk <lberk>
Date:   Thu Sep 6 18:27:36 2018 -0400

    selinux: RHBZ1622253 pmdanamed avc denials

Comment 3 Nathan Scott 2019-03-04 00:22:27 UTC

Fixed by rebase in 7.7

*** This bug has been marked as a duplicate of bug 1647308 ***

Note You need to log in before you can comment on or make changes to this bug.