Bug 2169520 - SELinux module for collectd-ipmi
Summary: SELinux module for collectd-ipmi
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: collectd
Version: epel9
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Jonathan Wright
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-02-13 20:20 UTC by A. Karl Kornel
Modified: 2024-05-17 12:33 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
SELinux type enforcement file for collectd-ipmi (312 bytes, text/plain), 2023-02-13 20:20 UTC, A. Karl Kornel

Description A. Karl Kornel 2023-02-13 20:20:08 UTC
Created attachment 1943915 [details]
SELinux type enforcement file for collectd-ipmi

Description of problem:
Hello!  I am running a RHEL 9 system with SELinux enforcing.  I have collectd-ipmi configured to pull IPMI data through the local IPMI interface (/dev/ipmi0).  collectd's SELinux module does not allow this access, so it is failing.  I'm opening this bug to report the issue, and to ask if a SELinux module could please be added to the collectd-ipmi package.

Version-Release number of selected component (if applicable):
collectd-5.12.0-24.el9.x86_64
collectd-ipmi-5.12.0-24.el9.x86_64

How reproducible:
This appears to always reproduce, as long as SELinux is enabled and enforcing.

Steps to Reproduce:
1. Build a RHEL 9.1 system with SELinux enabled (and enforcing).

2. Install `epel-release`, then install `collectd` & `collectd-ipmi`.

3. Create a file at path `/etc/collectd.d/ipmi.conf`, containing the following five lines:

LoadPlugin "ipmi"
<Plugin "ipmi">
  <Instance "local">
  </Instance>
</Plugin>

4. Enable and start the `collectd` service.

Actual results:

Collectd starts, but reports the following issue with the ipmi module:

Feb 13 11:27:55 srcc-globus-dtn02.stanford.edu collectd[217029]: ipmi plugin: ipmi_smi_setup_con failed for `local`: OS: Permission denied
Feb 13 11:27:55 srcc-globus-dtn02.stanford.edu collectd[217029]: ipmi plugin: c_ipmi_thread_init failed.
Feb 13 11:27:55 srcc-globus-dtn02.stanford.edu collectd[217029]: ipmi plugin: c_ipmi_read: I'm not active, returning false.

The following entries are recorded in the audit logs:

type=PROCTITLE msg=audit(1676316989.876:2139): proctitle="/usr/sbin/collectd"
type=SYSCALL msg=audit(1676316989.876:2139): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffbecd72d60 a2=2 a3=0 items=0 ppid=1 pid=217433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipmi" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1676316989.876:2139): avc:  denied  { read write } for  pid=217433 comm="ipmi" name="ipmi0" dev="devtmpfs" ino=464 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0
type=PROCTITLE msg=audit(1676317473.800:2146): proctitle="/usr/sbin/collectd"
type=SYSCALL msg=audit(1676317473.800:2146): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fc8200aed60 a2=2 a3=0 items=0 ppid=1 pid=217744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipmi" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1676317473.800:2146): avc:  denied  { open } for  pid=217744 comm="ipmi" path="/dev/ipmi0" dev="devtmpfs" ino=464 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0
type=PROCTITLE msg=audit(1676317769.843:2155): proctitle="/usr/sbin/collectd"
type=SYSCALL msg=audit(1676317769.843:2155): arch=c000003e syscall=16 success=no exit=-13 a0=5 a1=8028690d a2=7f3dc8df8a20 a3=7f3dc40048f0 items=0 ppid=1 pid=217841 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipmi" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1676317769.843:2155): avc:  denied  { ioctl } for  pid=217841 comm="ipmi" path="/dev/ipmi0" dev="devtmpfs" ino=464 ioctlcmd=0x690d scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0

Expected results:
I expected the `collectd-ipmi` package to include a SELinux module, so that it would be able to access the local IPMI device.


Additional info:
collectd's IPMI module is able to talk to IPMI using the local IPMI device (`/dev/ipmi0`), if it exists (which it often does, on most servers).  However, collectd's default SELinux configuration does not allow it to perform the operations needed to talk to the local IPMI device.  The `collectd-ipmi` module sees a "Permission Denied" error, and SELinux logs what it did into the audit log.

Using the steps at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/sec-sel-building-policy-module, Section 5.12, I was able to build and install an SELinux policy module that resolves the error.  I'm attaching the type enforcement file that I made, over multiple iterations of `ausearch -m AVC` and `audit2allow`.  You can use the file yourself by copying it to `/tmp/collectd-ipmi.te` on your server and running these three commands:

checkmodule -m -o /tmp/collectd-ipmi.mod /tmp/collectd-ipmi.te
semodule_package -o /tmp/collectd-ipmi.pp -m /tmp/collectd-ipmi.mod
semodule -i /tmp/collectd-ipmi.pp

If I understand things correctly, the files in `/tmp` do not need to be saved, for the installed module to persist across reboots.
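The following is an added example, not the reporter's attachment and not part of the collectd package: it reads the three AVC records quoted above (embedded as constructed sample input), merges the denied permissions per (source type, target type, class) the way `audit2allow` does, emits a type-enforcement file, and optionally builds and loads it with `checkmodule`, `semodule_package` and `semodule`. The module name `collectd_ipmi_local` and the `--install` switch are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: derive a minimal SELinux policy module from AVC denials and
# load it.  Not collectd's code and not the attachment from this bug.
# Assumptions: module name "collectd_ipmi_local"; "--install" triggers the build.
set -eu

# Constructed sample input: the three AVC records quoted in the bug report.
AVC_SAMPLE='type=AVC msg=audit(1676316989.876:2139): avc:  denied  { read write } for  pid=217433 comm="ipmi" name="ipmi0" dev="devtmpfs" ino=464 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1676317473.800:2146): avc:  denied  { open } for  pid=217744 comm="ipmi" path="/dev/ipmi0" dev="devtmpfs" ino=464 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1676317769.843:2155): avc:  denied  { ioctl } for  pid=217841 comm="ipmi" path="/dev/ipmi0" dev="devtmpfs" ino=464 ioctlcmd=0x690d scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=0'

# avc_tuples: AVC lines on stdin -> sorted, unique "source_type target_type class perm"
# tuples.  The type is the third ':'-separated field of scontext/tcontext.
avc_tuples() {
  awk '
    function ctx_type(line, key,   v) {
      match(line, key "[^ ]+")
      v = substr(line, RSTART + length(key), RLENGTH - length(key))
      split(v, p, ":")
      return p[3]
    }
    /type=AVC/ && /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)        # keep text after "denied {"
      sub(/ *[}].*/, "", perms)                # drop everything from "}" on
      match($0, /tclass=[^ ]+/)
      cls = substr($0, RSTART + 7, RLENGTH - 7)
      n = split(perms, pa, " ")
      for (i = 1; i <= n; i++)
        print ctx_type($0, "scontext="), ctx_type($0, "tcontext="), cls, pa[i]
    }' | sort -u
}

# gen_te: tuples from avc_tuples on stdin -> a .te source for module $1, with a
# require block listing every type and class/permission the allow rules use.
gen_te() {
  awk -v name="$1" '
    {
      if (!($1 in seen)) { seen[$1] = 1; types[++nt] = $1 }
      if (!($2 in seen)) { seen[$2] = 1; types[++nt] = $2 }
      k = $1 " " $2 ":" $3
      if (!(k in rule)) { keys[++nk] = k }
      rule[k] = rule[k] " " $4
      if (!($3 in cdone)) { cdone[$3] = 1; classes[++nc] = $3 }
      if (!(($3, $4) in cperm)) { cperm[$3, $4] = 1; classperm[$3] = classperm[$3] " " $4 }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], classperm[classes[i]]
      printf "}\n\n"
      for (i = 1; i <= nk; i++) printf "allow %s {%s };\n", keys[i], rule[keys[i]]
    }'
}

# build_and_install: compile $1 (a .te file) and load it.  Needs the policycoreutils
# tools and root.  -M builds an MLS/MCS-aware module, which the targeted policy
# on RHEL expects (audit2allow -M does the same).
build_and_install() {
  local te=$1 base=${1%.te}
  command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not installed; skipping" >&2; return 2; }
  checkmodule -M -m -o "$base.mod" "$te"
  semodule_package -o "$base.pp" -m "$base.mod"
  semodule -i "$base.pp"
  semodule -l | grep -qx "$(basename "$base")"   # confirm the module is loaded
}

if [ "${1:-}" = "--install" ]; then
  te="${TMPDIR:-/tmp}/collectd_ipmi_local.te"
  printf '%s\n' "$AVC_SAMPLE" | avc_tuples | gen_te collectd_ipmi_local > "$te"
  build_and_install "$te"
else
  printf '%s\n' "$AVC_SAMPLE" | avc_tuples | gen_te collectd_ipmi_local
fi
```

Run without arguments it only prints the generated `.te` (for the sample this is a single rule, `allow collectd_t ipmi_device_t:chr_file { ioctl open read write };`, plus the matching `require` block); to work from a live system, replace `AVC_SAMPLE` with the output of `ausearch -m AVC -c ipmi`. Two practitioner notes. First, `semodule -i` copies the module into the policy store under `/var/lib/selinux/targeted/active/modules/` and rebuilds the kernel policy from there, so the files in `/tmp` can be deleted afterwards and the module survives reboots. Second, the plugin aborts at the first denial, so each run of collectd surfaces only the next missing permission; that is why the report mentions several `ausearch`/`audit2allow` iterations, and why a single ioctl denial (`ioctlcmd=0x690d` above) does not prove it is the only ioctl the plugin needs. Narrowing `ioctl` further with an `allowxperm` rule is possible, but only once every ioctl command the plugin issues has been observed.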

Comment 1 Fedora Admin user for bugzilla script actions 2024-05-17 00:14:14 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 2 Fedora Admin user for bugzilla script actions 2024-05-17 12:33:17 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

