Bug 1790450 - Installation of pcp-pmda-netcheck causes SELinux issues
Summary: Installation of pcp-pmda-netcheck causes SELinux issues
Keywords:
Status: CLOSED DUPLICATE of bug 1897719
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pcp
Version: 8.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.4
Assignee: Nathan Scott
QA Contact: Jan Kurik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-13 11:16 UTC by Jan Kurik
Modified: 2021-09-17 12:44 UTC
CC: 6 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-18 15:02:17 UTC
Type: ---
Target Upstream Version:
Embargoed:



Description Jan Kurik 2020-01-13 11:16:11 UTC
Description of problem:
Installation of pcp-pmda-netcheck PMDA on a fresh RHEL-8.2 system triggers SELinux issues.

Version-Release number of selected component (if applicable):
* pcp-pmda-netcheck-5.0.2-2.el8

How reproducible:
Always

Steps to Reproduce:
1. On a fresh RHEL-8.2 system install pcp-pmda-netcheck
# yum install -y pcp-pmda-netcheck

2. Run an installation script of the PMDA
# cd /var/lib/pcp/pmdas/netcheck/ && ./Install

3. Check SELinux reports using ausearch or audit2allow tools
# ausearch -m AVC,USER_AVC
# audit2allow -a

Actual results:
SELinux issues reported:

type=AVC msg=audit(01/09/2020 03:11:58.402:1044) : avc:  denied  { create } for  pid=9790 comm=ping scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=0

#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:rawip_socket create;

Expected results:
The installation and run of the PMDA does not produce any SELinux issues.
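As an added example (not code from the bug report or from the PCP project), a small parser that turns ausearch records like the one above into audit2allow-style allow rules, so the requested permissions can be reviewed per source type, target type and object class before any policy change is considered. The sample records are constructed and the regex assumes the interpreted (ausearch -i) field layout shown in the report.

```python
import re
from collections import defaultdict

# Constructed sample records; the first one is the denial quoted in the report,
# the others are made up to show permission merging and a non-self target.
SAMPLE_AVCS = """\
type=AVC msg=audit(01/09/2020 03:11:58.402:1044) : avc:  denied  { create } for  pid=9790 comm=ping scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(01/09/2020 03:11:58.402:1045) : avc:  denied  { setopt } for  pid=9790 comm=ping scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=0
type=AVC msg=audit(01/09/2020 03:12:00.100:1046) : avc:  denied  { getattr } for  pid=9790 comm=ping path=/usr/bin/ping scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file permissive=0
"""

# Matches the AVC body: result, permission set, source/target context, class,
# and the optional permissive flag (0 means the denial was actually enforced).
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r"\bcomm=(\S+)", line)
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        # A context is user:role:type:level; the type is what policy rules use.
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "enforced": m.group("permissive") == "0",
        "comm": comm.group(1).strip('"') if comm else None,
    }

def denials_to_rules(text):
    """Merge denied AVCs per (source, target, class) into sorted allow rules."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype   # audit2allow's "self" shorthand
        plist = " ".join(sorted(perms))
        perm_str = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules
```

Each generated rule should be weighed against what the process actually needs (the upstream commits below, for instance, ended up preferring icmp_socket over rawip_socket where the policy supports it) rather than loaded as-is.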

Comment 1 Nathan Scott 2020-02-19 06:10:57 UTC
Resolved through a series of upstream commits from Marko:

commit a0d16c21a8af29e832608db635f884694cfc11f2
Author: Marko Myllynen <myllynen>
Date:   Fri Nov 8 17:30:48 2019 +0200

    pmdanetcheck: tighten SELinux rules on Fedora 31+
    
    When icmp_socket is available do not allow the previously
    used rawip_socket any more as only icmp_socket is needed.

commit d92e87ede67e5e54f797ca6383aaef77aa7c1bf0
Author: Marko Myllynen <myllynen>
Date:   Mon Nov 4 11:42:59 2019 +0200

    pmdanetcheck: Fedora 31 SELinux fix
    
    Commit 390f94e4 was incomplete as it missed the part shown after:
    
    $ sudo semodule -DB
    
    (This hint was recently added to PCP SELinux README.)

commit 390f94e4fd9f578ba3288d760411f3d642869ccb
Author: Marko Myllynen <myllynen>
Date:   Wed Oct 30 09:22:26 2019 +0200

    pmdanetcheck: Fedora 31 SELinux fix
    
    Update SELinux policy for pmdanetcheck on Fedora 31.
    
    Minor cosmetic consistency fix for easier searching included as well.

commit fdb5bd8c264cc21a9528284335662990d07b54d2
Author: Marko Myllynen <myllynen>
Date:   Thu Oct 10 18:44:52 2019 +0300

    selinux: adjust rules for pmda.netcheck
    
    PMDA and QA 1160 fails without this, revealed after running semodule -DB.

commit 09dbd6fc8743bd9b24b97893f1a4183d01f2c263
Author: Marko Myllynen <myllynen>
Date:   Thu Oct 10 00:28:29 2019 +0300

    selinux: make icmp_socket optional, not present on RHEL 6
    
    Update QA 917 to match the current status as well, also remove
    an older debugging leftover.

commit 2d6a4b6a25cf57c4b8577acfce7ca863a92e002f
Author: Marko Myllynen <myllynen>
Date:   Wed Oct 2 13:20:37 2019 +0300

    selinux: final pmda.netcheck addition
    
    Follow-up of commit 9bf7d8fd and commit cd9a1d4d, this was seen on F30.

commit 9bf7d8fde79005a6ce22889ae9b7cf68db66df59
Author: Marko Myllynen <myllynen>
Date:   Wed Oct 2 13:49:29 2019 +1000

    selinux: add policy rules for pmdanetcheck
    
    PMDA netcheck uses ping(1) to check the status of monitored
    hosts; this requires new SELinux rules. It could be possible
    to create a pure Python implementation which would only hit
    the following (based on testing with rudimentary test code):
    
    avc:  denied  { connect }
    avc:  denied  { create }
    avc:  denied  { net_raw }
    avc:  denied  { setopt }
    
    However, there seems to be no existing and maintained Python
    module that would match ping(1) functionality and cases like
    https://android.googlesource.com/kernel/tests/+/master/net/test/ping6_test.py
    hint that having a reliable Python ping module might turn
    into a more involved effort than the whole PMDA itself.
    
    Using ping(1) the above connect AVC is not seen but these are
    appearing instead:
    
    avc:  denied  { execute }
    avc:  denied  { execute_no_trans }
    avc:  denied  { getopt }
    avc:  denied  { map }
    avc:  denied  { setcap }
    
    This commit updates the PCP SELinux policy to allow these to
    allow doing network checks by calling ping(1) from PMDA netcheck.
    
    Ideally, these could be separated as per-PMDA booleans or rules
    as per https://github.com/performancecopilot/pcp/issues/388 but
    for the time being we use the same approach as before.

Comment 3 Nathan Scott 2020-04-21 00:28:33 UTC
This will be resolved by rebase to pcp-5.1.x

*** This bug has been marked as a duplicate of bug 1792971 ***

Comment 4 Jan Kurik 2020-06-12 15:18:54 UTC
This issue still persists in the pcp-5.1.1-2.el8 build.

Comment 7 Marko Myllynen 2020-09-04 14:29:17 UTC
I tried to reproduce this with

pcp-pmda-netcheck-5.0.2-5.el8.x86_64
pcp-selinux-5.0.2-5.el8.x86_64
pcp-5.0.2-5.el8.x86_64
kernel-4.18.0-193.14.3.el8_2.x86_64
selinux-policy-targeted-3.14.3-41.el8_2.5.noarch

but I don't see any AVCs after installing and using the netcheck PMDA.

Could you perhaps try again with everything up-to-date and see if this still reproduces for you?

Thanks.

Comment 9 Jan Kurik 2020-09-04 19:29:22 UTC
(In reply to Marko Myllynen from comment #7)
> Could you perhaps try again with everything up-to-date and see if this still
> reproduces for you?


Yes, I can still reproduce the issue on the latest RHEL-8.2.1 release.

* pcp-pmda-netcheck-5.0.2-5.el8.x86_64
* pcp-selinux-5.0.2-5.el8.x86_64
* pcp-5.0.2-5.el8.x86_64
* kernel-4.18.0-193.13.2.el8_2.x86_64
* selinux-policy-targeted-3.14.3-41.el8_2.5.noarch

Comment 10 Marko Myllynen 2020-09-07 07:40:15 UTC
Ok, I tried on a freshly spun RHEL 8 VM and was also able to reproduce with these versions:

pcp-pmda-netcheck-5.1.1-3.el8.x86_64
pcp-selinux-5.1.1-3.el8.x86_64
pcp-5.1.1-3.el8.x86_64
kernel-4.18.0-234.el8.x86_64
selinux-policy-targeted-3.14.3-53.el8.noarch

However, when building pcp git master on latest RHEL 8 and updating [*] to the latest PCP version (so upcoming PCP 5.2.1) this works. But curiously enough the related PCP SELinux changes are already included in PCP 5.1.1.

I think we saw some unexpected failures on earlier RHEL 8 versions when building PCP, so either PCP 5.2 has a fix that helps and I am unaware of, or there was an issue with earlier RHEL 8 kernel/selinux versions that has since been fixed. I'm not sure if any of you is in a position to try to rebuild the latest PCP version in Koji on the latest RHEL 8 to see whether that already helps? In any case, it looks like code-wise the latest pcp git master is already ok and we'd need to figure out the needed build/version for RHEL 8 to address this issue.

*) I noticed when updating from PCP 5.1.1 to PCP 5.2.1 I had to manually restart pmcd after the update to make the PMDA work; perhaps it would be a matter of a separate BZ why such a manual restart was required.

Thanks.

Comment 12 Jan Kurik 2020-11-02 14:07:38 UTC
Fixed in rebase to pcp-5.2.1-2.el8 build.

Comment 15 Jan Kurik 2020-12-18 12:59:05 UTC
This issue has re-occurred in pcp-5.2.3-1.el8 build.

Comment 16 Jan Kurik 2020-12-18 15:02:17 UTC

*** This bug has been marked as a duplicate of bug 1897719 ***

