Bug 1810458 - Selinux is blocking pmlogger, pcp and pmie
Summary: Selinux is blocking pmlogger, pcp and pmie
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pcp
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mark Goodwin
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-03-05 10:06 UTC by Matej Marušák
Modified: 2020-03-20 01:47 UTC (History)

Fixed In Version: pcp-5.0.3-3.fc31
Clone Of:
Environment:
Last Closed: 2020-03-20 01:47:42 UTC
Type: Bug
Embargoed:



Description Matej Marušák 2020-03-05 10:06:50 UTC
Description of problem:
Starting pmlogger ends up with a bunch of AVCs on the newest update of Fedora-32.

Version-Release number of selected component (if applicable):
pcp-5.0.3-2.fc32.x86_64
selinux-policy-3.14.5-28.fc32.noarch

Steps to Reproduce:
1. systemctl restart pmlogger

Actual results:
journal shows a bunch of problems and AVCs. Some interesting ones:
```
Mar 05 03:12:33 m1.cockpit.lan systemd[1]: Started Performance Metrics Archive Logger.

Mar 05 03:12:46 m1.cockpit.lan systemd[1]: pmie.service: start operation timed out. Terminating.
Mar 05 03:12:46 m1.cockpit.lan systemd[1]: pmie.service: Failed with result 'timeout'.
Mar 05 03:12:46 m1.cockpit.lan systemd[1]: Failed to start Performance Metrics Inference Engine.

audit: type=1400 audit(1583395966.676:254): avc:  denied  { dac_override } for  pid=13860 comm="touch" capability=1  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0

audit: type=1400 audit(1583395966.682:255): avc:  denied  { dac_override } for  pid=13837 comm="pmie_check" capability=1 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0

audit: type=1400 audit(1583300065.711:269): avc:  denied  { fsetid } for  pid=7234 comm="xz" capability=4  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0
                                                                                
audit: type=1400 audit(1583301709.843:138): avc:  denied  { fsetid } for  pid=1107 comm="cp" capability=4  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0

audit: type=1400 audit(1583300599.370:1191): avc:  denied  { dac_override } for  pid=36785 comm="mv" capability=1  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0

audit: type=1400 audit(1583299690.008:322): avc:  denied  { read } for  pid=22496 comm="runlevel" name="utmp" dev="tmpfs" ino=15019 context=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0

```

I assume that they all are related to pcp/pmie/pmlogger. Please correct me if I am wrong.


Expected results:
No such AVCs.

Comment 1 Mark Goodwin 2020-03-05 22:31:16 UTC
Initial triage -

After installing f32 nightly (Fedora-32-20200304.n.0) + pcp-5.0.3-2 and starting the pmcd, pmlogger, pmproxy and pmie services, the pmcd and pmlogger services started OK, but pmie and pmproxy both failed due to new AVCs.

There is one new AVC for pmlogger:

[root@f32]# grep '^type=AVC.*pcp_pmlogger' /var/log/audit/audit.log
type=AVC msg=audit(1583444653.539:299): avc:  denied  { fsetid } for  pid=10823 comm="cp" capability=4  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:

And a heap of new denials for pmie (especially new dac_override):

[root@f32]# grep '^type=AVC.*pcp_pmie' /var/log/audit/audit.log
type=AVC msg=audit(1583444653.598:300): avc:  denied  { read } for  pid=10928 comm="runlevel" name="utmp" dev="tmpfs" ino=15698 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1583444653.606:301): avc:  denied  { read } for  pid=10928 comm="runlevel" name="utmp" dev="tmpfs" ino=15698 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1583444653.662:302): avc:  denied  { dac_override } for  pid=11052 comm="cp" capability=1  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583444653.663:303): avc:  denied  { dac_override } for  pid=11053 comm="rm" capability=1  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583444653.672:304): avc:  denied  { dac_override } for  pid=11071 comm="touch" capability=1  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583444653.673:305): avc:  denied  { fowner } for  pid=11071 comm="touch" capability=3  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583444653.673:306): avc:  denied  { dac_override } for  pid=11071 comm="touch" capability=1  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0
... etc

pmproxy also failed to start:

[root@f32 ~]# grep '^type=AVC.*pcp_pmproxy' /var/log/audit/audit.log
type=AVC msg=audit(1583446754.093:636): avc:  denied  { dac_override } for  pid=25841 comm="pmproxy" capability=1  scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583446754.094:637): avc:  denied  { read } for  pid=25842 comm="pmproxy" name="disable_ipv6" dev="proc" ino=43644 scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1583446754.095:638): avc:  denied  { dac_override } for  pid=25842 comm="pmproxy" capability=1  scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583446754.095:639): avc:  denied  { dac_override } for  pid=25842 comm="pmproxy" capability=1  scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583446754.096:640): avc:  denied  { dac_override } for  pid=25842 comm="pmproxy" capability=1  scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1583446754.342:644): avc:  denied  { dac_override } for  pid=25892 comm="pmproxy" capability=1  scontext=system_u:system_r:pcp_pmproxy_t:s0 tcontext=system_u:system_r:pcp_pmproxy_t:s0 tclass=capability permissive=0
... etc

None of these are issues on current f31 with pcp-5.0.3 so I guess in f32 the policies have been tightened up considerably.
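
As an added example (not from the bug report or the PCP project), a small Python parser that reads AVC records in the two layouts quoted above, the journal's `audit: type=1400 ...` lines in the description and the `type=AVC msg=audit(...)` lines from /var/log/audit/audit.log in this comment, tallies denials by source domain, command, class and permission, and flags capability denials such as dac_override/fsetid/fowner, which usually mean a root service operated on files it does not own rather than that a policy rule is missing. The sample lines and the ownership heuristic are constructed for the example.

```python
"""Summarise SELinux AVC denials from journal or audit.log text.

Handles both layouts quoted in this bug: the journal's
"audit: type=1400 audit(...): avc:  denied  { perm } for ..." lines and
"type=AVC msg=audit(...): avc:  denied  { perm } for ..." from audit.log.
The sample lines and the ownership heuristic are constructed for this
example; they are not from the bug report or the PCP project.
"""
import re
from collections import Counter

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (assumption, not from the bug): a capability denial in this set usually
# means a root service touched files it does not own or with the wrong mode, so the
# right fix is file ownership/permissions, not a new allow rule.
OWNERSHIP_CAPS = {"dac_override", "dac_read_search", "fowner", "fsetid", "chown"}

# Constructed sample input modelled on the report: journal format, audit.log format,
# and one non-AVC line that must be ignored.
SAMPLE_LINES = [
    'audit: type=1400 audit(1583395966.676:254): avc:  denied  { dac_override } for  pid=13860 comm="touch" capability=1  scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:system_r:pcp_pmie_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1583444653.598:300): avc:  denied  { read } for  pid=10928 comm="runlevel" name="utmp" dev="tmpfs" ino=15698 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1583444653.539:299): avc:  denied  { fsetid } for  pid=10823 comm="cp" capability=4  scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:system_r:pcp_pmlogger_t:s0 tclass=capability permissive=0',
    "Mar 05 03:12:46 m1.cockpit.lan systemd[1]: pmie.service: Failed with result 'timeout'.",
]


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    scontext = fields.get("scontext", "")
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "scontext": scontext,
        # the third colon-separated field of a context is the type, e.g. pcp_pmie_t
        "sdomain": scontext.split(":")[2] if scontext.count(":") >= 2 else None,
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }


def classify(rec):
    """Triage bucket: 'ownership' for capability denials that usually mean the service
    touched files it does not own, 'policy' for everything else."""
    if rec["tclass"] == "capability" and set(rec["perms"]) & OWNERSHIP_CAPS:
        return "ownership"
    return "policy"


def summarize(lines):
    """Count denials per (source domain, comm, class, permission); ignores non-AVC lines."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["comm"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (domain, comm, tclass, perm), n in sorted(summarize(SAMPLE_LINES).items()):
        bucket = classify(parse_avc(next(l for l in SAMPLE_LINES if f'comm="{comm}"' in l)))
        print(f"{n:3d}  {domain:<16} {comm:<10} {tclass}:{perm}  [{bucket}]")
```

Feed it `journalctl -o cat` or `grep '^type=AVC' /var/log/audit/audit.log` output on a real host; grouping by source domain is what separates the pmie, pmlogger and pmproxy denials in this bug, and the ownership bucket is the set a packager should fix in the service's files before reaching for new allow rules.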

Comment 2 Matej Marušák 2020-03-07 09:24:30 UTC
One more related AVC: (I cannot find how to edit my previous message):

audit: type=1400 audit(1583507439.889:326): avc:  denied  { search } for  pid=2880 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0

Comment 3 Mark Goodwin 2020-03-10 00:12:19 UTC
Running: sudo semodule --list=full | grep pcpupstream
returns nothing. So the module is not installed. This is supposed to be installed with a %postop on the pcp-selinux package.

Trying to install it manually results in an error:

[mgoodwin@f32 ~]$ sudo sh -x /usr/libexec/pcp/bin/selinux-setup /var/lib/pcp/selinux install pcpupstream
+ trap 'exit 0' 0 1 2 3 15
++ basename /usr/libexec/pcp/bin/selinux-setup
+ prog=selinux-setup
+ '[' 3 -lt 3 ']'
+ test -x /usr/sbin/selinuxenabled
+ test -x /usr/sbin/semodule
+ /usr/sbin/selinuxenabled
+ selinuxdir=/var/lib/pcp/selinux
+ command=install
+ policy=pcpupstream
+ case "$command" in
+ test -f /var/lib/pcp/selinux/pcpupstream.pp
+ semodule -h
+ grep -q -- -X
+ semodule -X 400 -i /var/lib/pcp/selinux/pcpupstream.pp
Failed to resolve permission name_connect
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream/cil:74
semodule:  Failed!


decoding the binary pp file:

[mgoodwin@f32 ~]$ sudo /usr/libexec/selinux/hll/pp /var/lib/pcp/selinux/pcpupstream.pp /tmp/pcpupstream.cil
[mgoodwin@f32 ~]$ cat -n /tmp/pcpupstream.cil

     ...
     70 (allow pcp_pmcd_t proc_kcore_t (file (getattr)))
     71 (allow pcp_pmcd_t self (capability (kill chown sys_chroot ipc_lock sys_resource)))
     72 (allow pcp_pmcd_t nsfs_t (file (getattr open read)))
     73 (allow pcp_pmcd_t unreserved_port_t (tcp_socket (name_bind name_connect)))
--->>74 (allow pcp_pmcd_t unreserved_port_t (udp_socket (name_bind name_connect)))
     75 (allow pcp_pmcd_t websm_port_t (tcp_socket (name_connect)))
     76 (allow pcp_pmcd_t pcp_tmp_t (file (execute execute_no_trans map)))
     77 (allow pcp_pmcd_t hostname_exec_t (file (execute execute_no_trans getattr open read)))
     78 (allow pcp_pmcd_t tracefs_t (filesystem (mount)))
     79 (allow pcp_pmcd_t tracefs_t (dir (open read search)))
     ...

Comment 4 Nathan Scott 2020-03-10 00:18:47 UTC
This line is for pmdastatsd - it doesn't use connect(2) on the UDP socket so it's likely the 'name_connect' can be dropped there (it does bind(2) however) and that may resolve the issue?

cheers.
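
An added check (example code, not from the bug or the PCP tree) that does offline what the failing semodule run in comment 3 did at install time: it parses the `allow` statements of a decompiled CIL module and reports every permission the base policy does not define for that class, which on the constructed sample reproduces the unresolvable `udp_socket name_connect` on the line marked 74 above, plus a helper that drops the permission the way comment 4 proposes. The class/permission table is a hand-written subset (an assumption), not read from a live policy; on a real host it would come from /sys/fs/selinux/class/<class>/perms/.

```python
"""Lint a decompiled (CIL) SELinux policy module before installing it.

Checks every (allow SRC TGT (CLASS (PERM ...))) statement against a table of
permissions the base policy defines per class and reports the ones that cannot
be resolved, which is the condition behind
"Failed to resolve permission name_connect ... cil:74" in the bug.
The CIL text and the permission table are constructed for this example; the
table is a hand-written subset (assumption), and a real check would read
/sys/fs/selinux/class/<class>/perms/ on the target host instead.
"""
import re

# Constructed subset of kernel object-class permissions (assumption, not a live policy).
KNOWN_PERMS = {
    "tcp_socket": {"create", "bind", "connect", "listen", "accept", "read", "write",
                   "name_bind", "name_connect", "node_bind"},
    "udp_socket": {"create", "bind", "connect", "read", "write",
                   "name_bind", "node_bind"},
    "capability": {"chown", "dac_override", "fowner", "fsetid", "kill", "net_raw",
                   "sys_chroot", "ipc_lock", "sys_resource"},
    "file": {"getattr", "open", "read", "write", "execute", "execute_no_trans", "map"},
    "dir": {"open", "read", "search", "getattr"},
    "filesystem": {"mount", "getattr"},
}

# Constructed CIL modelled on the decoded pcpupstream.cil in comment 3.
SAMPLE_CIL = """\
(allow pcp_pmcd_t self (capability (kill chown sys_chroot ipc_lock sys_resource)))
(allow pcp_pmcd_t nsfs_t (file (getattr open read)))
(allow pcp_pmcd_t unreserved_port_t (tcp_socket (name_bind name_connect)))
(allow pcp_pmcd_t unreserved_port_t (udp_socket (name_bind name_connect)))
(allow pcp_pmcd_t websm_port_t (tcp_socket (name_connect)))
"""

# (allow SRC TGT (CLASS (PERM PERM ...)))
ALLOW_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\w+)\s+\(([^)]*)\)\)\)")


def parse_allows(cil_text):
    """Yield (line_no, src, tgt, cls, [perms]) for each CIL allow statement."""
    for n, line in enumerate(cil_text.splitlines(), 1):
        m = ALLOW_RE.search(line)
        if m:
            yield n, m.group(1), m.group(2), m.group(3), m.group(4).split()


def lint(cil_text, known=KNOWN_PERMS):
    """Return [(line_no, class, perm)] for every permission the policy cannot resolve.
    An unknown class is reported once with the placeholder '<unknown class>'."""
    findings = []
    for n, _src, _tgt, cls, perms in parse_allows(cil_text):
        valid = known.get(cls)
        if valid is None:
            findings.append((n, cls, "<unknown class>"))
            continue
        findings.extend((n, cls, p) for p in perms if p not in valid)
    return findings


def drop_perm(cil_text, cls, perm):
    """Remove `perm` from every allow rule on class `cls` (the fix from comment 4:
    name_connect dropped from udp_socket) and return the rewritten CIL."""
    out = []
    for line in cil_text.splitlines():
        m = ALLOW_RE.search(line)
        if m and m.group(3) == cls:
            perms = [p for p in m.group(4).split() if p != perm]
            line = line[: m.start(4)] + " ".join(perms) + line[m.end(4):]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, cls, perm in lint(SAMPLE_CIL):
        print(f"line {n}: class {cls} has no permission {perm}")
    print(drop_perm(SAMPLE_CIL, "udp_socket", "name_connect"), end="")
```

Run against the output of `/usr/libexec/selinux/hll/pp module.pp module.cil` as shown in comment 3; a finding here is exactly what semodule would refuse at %post time, so it belongs in the package's QA run rather than on the user's first `systemctl start`.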

Comment 5 Mark Goodwin 2020-03-10 04:20:57 UTC
(In reply to Matej Marušák from comment #2)
> One more related AVC: (I cannot find how to edit my previous message):
> 
> audit: type=1400 audit(1583507439.889:326): avc:  denied  { search } for 
> pid=2880 comm="pmdalinux" name="/" dev="nfsd" ino=1
> scontext=system_u:system_r:pcp_pmcd_t:s0
> tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=0

Hi Matej, I'm not seeing this one (perhaps because I don't have any NFS exports on my f32 VM?)

Comment 6 Mark Goodwin 2020-03-10 04:28:02 UTC
(In reply to Nathan Scott from comment #4)
> This line is for pmdastatsd - it doesn't use connect(2) on the UDP socket so
> it's likely the 'name_connect' can be dropped there (it does bind(2) however)
> and that may resolve the issue?
> 
> cheers.

The following commit that went into pcp-5.0.3 seems to have introduced the issue (but strangely only on f32 and later):

commit 91b9dff3046bb4053beed878f1cd9f7a55f97165
Author: Nathan Scott <nathans>
Date:   Wed Feb 19 16:53:09 2020 +1100

    selinux: add policy needed for pmdastatsd to access statsd UDP port



and this patch to drop udp_socket / name_connect seems to fix it:


diff --git a/qa/917.out.in b/qa/917.out.in
index 88ebe2792..7025d5bd9 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -31,7 +31,7 @@ decl 1:
   allow [pcp_pmcd_t] self : [capability] { kill chown sys_chroot ipc_lock sys_resource };
 ! allow [pcp_pmcd_t] [nsfs_t] : [file] { getattr open read };
 ! allow [pcp_pmcd_t] [unreserved_port_t] : [tcp_socket] { name_bind name_connect };
-! allow [pcp_pmcd_t] [unreserved_port_t] : [udp_socket] { name_bind name_connect };
+! allow [pcp_pmcd_t] [unreserved_port_t] : [udp_socket] { name_bind };
   allow [pcp_pmcd_t] [websm_port_t] : [tcp_socket] { name_connect };
 ! allow [pcp_pmcd_t] [pcp_tmp_t] : [file] { execute execute_no_trans map };
   allow [pcp_pmcd_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };
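Review bot: the expected output now matches the policy change, but the sibling tcp_socket rule one line above still grants `name_connect` on `unreserved_port_t`, i.e. outbound connects from pcp_pmcd_t to any unreserved TCP port, while the `websm_port_t` rule two lines below shows the narrower pattern (a dedicated port type). Worth recording which PMDA needs the broad TCP rule, or narrowing it the same way in a follow-up, since this file is the place the QA suite pins the granted permissions.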
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
index ed12e48fd..a7547f443 100644
--- a/src/selinux/GNUlocaldefs
+++ b/src/selinux/GNUlocaldefs
@@ -27,7 +27,7 @@ endif
 ifeq "$(PCP_SELINUX_UNRESERVED_PORT)" "true"
 PCP_UNRESERVED_PORT="type unreserved_port_t;"
 PCP_UNRESERVED_PORT_RULE_TCP="allow pcp_pmcd_t unreserved_port_t:tcp_socket { name_bind name_connect };"
-PCP_UNRESERVED_PORT_RULE_UDP="allow pcp_pmcd_t unreserved_port_t:udp_socket { name_bind name_connect };"
+PCP_UNRESERVED_PORT_RULE_UDP="allow pcp_pmcd_t unreserved_port_t:udp_socket { name_bind };"
 PCP_UNRESERVED_PORT_RULE_PMMGR="allow pcp_pmmgr_t unreserved_port_t:tcp_socket name_bind;"
 endif
 
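Review bot: PCP_UNRESERVED_PORT_RULE_UDP is only emitted when PCP_SELINUX_UNRESERVED_PORT is "true", whereas the `class udp_socket { ... }` line in the require block of pcpupstream.te.in is unconditional, so the two permission lists have to be kept in sync by hand whenever either is edited; a comment next to this line pointing at the require block would help the next editor. Style nit: PCP_UNRESERVED_PORT_RULE_PMMGR writes `name_bind;` bare while the two rules above brace their lists; both forms are valid, but one convention is easier to grep when auditing what the module grants.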
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 432ccb827..f59806728 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -73,7 +73,7 @@ require {
        class capability net_raw; # pmda.netcheck
        class sock_file { getattr write }; #RHBZ1633211, RHBZ1449671
        class tcp_socket { name_bind name_connect };
-       class udp_socket { name_bind name_connect };
+       class udp_socket { name_bind };
        class shm { unix_read associate getattr read };
        class filesystem mount;
        class blk_file { ioctl open read };
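Review bot: this is the line that fixes the install failure: `name_connect` is a tcp_socket permission and not defined for the `udp_socket` class, so requiring it is what semodule reported as "Failed to resolve permission name_connect" at cil:74, and because the module is loaded from %post the error surfaced as every PCP service failing to start rather than as a build failure. Suggest the QA suite also install the built .pp with semodule against the current base policy, not only compare generated text as qa/917 does, so an unresolvable class/permission pair is caught at test time.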

Comment 7 Mark Goodwin 2020-03-10 06:53:35 UTC
Posted upstream fix for pcp-5.1.0 and will patch pcp-5.0.3 in Fedora.

commit efb5ced969a06f9b7e43a0e093c86e99ffab0cd0
Author: Mark Goodwin <mgoodwin>
Date:   Tue Mar 10 17:20:30 2020 +1100

    selinux: drop name_connect from class udp_socket
    
    Resolves BZ#1810458
    
    The class udp_socket / name_connect rule was causing the %post
    script for pcp-selinux to fail on install, resulting in no
    pcpupstream.te and consequently all PCP services failing to start.
    
    Also updated qa/917 qualified output and checked that all SELinux
    group tests still pass.

Comment 8 Fedora Update System 2020-03-11 02:02:54 UTC
FEDORA-2020-227ef5d279 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-227ef5d279

Comment 9 Fedora Update System 2020-03-12 22:59:09 UTC
pcp-5.0.3-3.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-227ef5d279

Comment 10 Fedora Update System 2020-03-20 01:47:42 UTC
pcp-5.0.3-3.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

