Bug 1883507 - collectd triggers a few SELinux denials - infiniband, RDMA, packet socket
Summary: collectd triggers a few SELinux denials - infiniband, RDMA, packet socket
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-29 12:43 UTC by Milos Malik
Modified: 2021-09-30 01:13 UTC (History)
CC: 7 users

Fixed In Version: selinux-policy-34.21-1.fc34
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-30 01:13:43 UTC
Type: Bug
Embargoed:



Description Milos Malik 2020-09-29 12:43:16 UTC
Description of problem:
Sep 29 11:09:24 rdma-machine collectd[342720]: dns plugin: Opening interface `any' failed: any: can't mmap rx ring: Permission denied
Sep 29 11:09:24 rdma-machine collectd[342720]: dns plugin: PCAP returned error Generic error.

Version-Release number of selected component (if applicable):
collectd-5.11.0-11.fc34.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora Rawhide machine (targeted policy is active)
2. run the following automated TC:
 * /CoreOS/selinux-policy/Regression/collectd-and-similar
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/29/2020 11:09:24.010:3150) : proctitle=/usr/sbin/collectd 
type=SYSCALL msg=audit(09/29/2020 11:09:24.010:3150) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=hmp a3=0x8 items=0 ppid=1 pid=342720 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null) 
type=AVC msg=audit(09/29/2020 11:09:24.010:3150) : avc:  denied  { create } for  pid=342720 comm=collectd scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=netlink_rdma_socket permissive=0 
----
type=PROCTITLE msg=audit(09/29/2020 11:09:24.012:3152) : proctitle=/usr/sbin/collectd 
type=PATH msg=audit(09/29/2020 11:09:24.012:3152) : item=0 name=/dev/infiniband/uverbs0 inode=469 dev=00:05 mode=character,666 ouid=root ogid=root rdev=e7:c0 obj=system_u:object_r:infiniband_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/29/2020 11:09:24.012:3152) : cwd=/var/lib/collectd 
type=SYSCALL msg=audit(09/29/2020 11:09:24.012:3152) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fc52c0091c0 a1=0x7fc533a8f8b0 a2=0x7fc533a8f8b0 a3=0x7fc533df5fc0 items=1 ppid=1 pid=342720 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null) 
type=AVC msg=audit(09/29/2020 11:09:24.012:3152) : avc:  denied  { getattr } for  pid=342720 comm=collectd path=/dev/infiniband/uverbs0 dev="devtmpfs" ino=469 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(09/29/2020 11:09:24.024:3153) : proctitle=/usr/sbin/collectd 
type=CWD msg=audit(09/29/2020 11:09:24.024:3153) : cwd=/var/lib/collectd 
type=MMAP msg=audit(09/29/2020 11:09:24.024:3153) : fd=5 flags=MAP_SHARED 
type=SYSCALL msg=audit(09/29/2020 11:09:24.024:3153) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x200000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=342720 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null) 
type=AVC msg=audit(09/29/2020 11:09:24.024:3153) : avc:  denied  { map } for  pid=342720 comm=collectd path=socket:[656048] dev="sockfs" ino=656048 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=packet_socket permissive=0 
----

Expected results:
 * no SELinux denials

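The three AVC records above each reduce to a (source type, target type, class, permission) tuple. The following added example, not part of the bug report or of the selinux-policy project, parses AVC lines in the format shown and merges them into the allow rules audit2allow would propose, so the denials can be reviewed before deciding whether a policy change is warranted. The sample input is the three AVC lines from the report, embedded as constructed test data.

```python
import re

# Constructed sample: the three AVC lines from the bug report, trailing whitespace trimmed.
SAMPLE_AVC = """\
type=AVC msg=audit(09/29/2020 11:09:24.010:3150) : avc:  denied  { create } for  pid=342720 comm=collectd scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=netlink_rdma_socket permissive=0
type=AVC msg=audit(09/29/2020 11:09:24.012:3152) : avc:  denied  { getattr } for  pid=342720 comm=collectd path=/dev/infiniband/uverbs0 dev="devtmpfs" ino=469 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(09/29/2020 11:09:24.024:3153) : avc:  denied  { map } for  pid=342720 comm=collectd path=socket:[656048] dev="sockfs" ino=656048 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=packet_socket permissive=0
"""

# Matches the permission set, the two security contexts and the object class of a denial record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _type_of(context: str) -> str:
    # user:role:type:level -> type
    return context.split(":")[2]


def parse_denials(text: str):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC denial line."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH, CWD, ... records carry no denial
            continue
        found.append((_type_of(m["scontext"]), _type_of(m["tcontext"]),
                      m["tclass"], frozenset(m["perms"].split())))
    return found


def to_allow_rules(denials):
    """Merge denials on (source, target, class) and render audit2allow-style allow rules."""
    merged = {}
    for src, tgt, cls, perms in denials:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # a domain accessing its own objects
        perm_str = " ".join(sorted(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_denials(SAMPLE_AVC))))
```

On a live system the same input comes from `ausearch -m AVC -c collectd`; the rules produced are what a local policy module would need, whereas the bug itself was resolved in the distribution policy (selinux-policy-34.21-1.fc34), which is the preferred place for the fix.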
Comment 1 Milos Malik 2020-09-29 12:48:03 UTC
This bug is similar to BZ#1845618 (RHEL-8), but there are additional SELinux denials.

Comment 3 Ben Cotton 2021-02-09 16:24:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Comment 4 Zdenek Pytela 2021-09-22 18:38:57 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/893

Comment 5 Fedora Update System 2021-09-24 09:55:21 UTC
FEDORA-2021-a15b7e7314 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314

Comment 6 Fedora Update System 2021-09-24 21:48:35 UTC
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a15b7e7314`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a15b7e7314

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2021-09-30 01:13:43 UTC
FEDORA-2021-a15b7e7314 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.