Bug 2303944 - SELinux prevents vnstat from accessing its own database journal
Summary: SELinux prevents vnstat from accessing its own database journal
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: vnstat
Version: epel9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Adrian Reber
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-08-10 10:08 UTC by Milan Kerslager
Modified: 2024-08-10 10:08 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Description Milan Kerslager 2024-08-10 10:08:05 UTC
Description of problem:
I have an up-to-date CentOS 9 with the vnstat service from EPEL running. It gathers statistics of network interface traffic flow. I have to run SELinux in permissive mode to allow vnstat to work.

I have these messages in the audit log:
Access to /(null):
type=AVC msg=audit(1723283952.729:15166): avc:  denied  { create } for  pid=61237 comm="vnstatd" name="vnstat.db-journal" scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=AVC msg=audit(1723283952.729:15166): avc:  denied  { read write open } for  pid=61237 comm="vnstatd" path="/var/lib/vnstat/vnstat.db-journal" dev="md127" ino=2770442 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1723283952.729:15166): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffff9c a1=55d81c3fa35f a2=a0042 a3=1a4 items=4 ppid=1 pid=61237 auid=4294967295 uid=985 gid=979 euid=985 suid=985 fsuid=985 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)

type=CWD msg=audit(1723283952.729:15166): cwd=/

type=PATH msg=audit(1723283952.729:15166): item=0 name=(null) inode=2754967 dev=09:7f mode=040755 ouid=985 ogid=979 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1723283952.729:15166): item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1723283952.729:15166): item=2 name=(null) inode=2754967 dev=09:7f mode=040755 ouid=985 ogid=979 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1723283952.729:15166): item=3 name=(null) inode=2770442 dev=09:7f mode=0100644 ouid=985 ogid=979 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0


'read, write, open' access to /var/lib/vnstat/vnstat.db-journal
type=AVC msg=audit(1723284270.857:15260): avc:  denied  { create } for  pid=61237 comm="vnstatd" name="vnstat.db-journal" scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=AVC msg=audit(1723284270.857:15260): avc:  denied  { read write open } for  pid=61237 comm="vnstatd" path="/var/lib/vnstat/vnstat.db-journal" dev="md127" ino=2770442 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1723284270.857:15260): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffff9c a1=55d81c3fa35f a2=a0042 a3=1a4 items=4 ppid=1 pid=61237 auid=4294967295 uid=985 gid=979 euid=985 suid=985 fsuid=985 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)

type=CWD msg=audit(1723284270.857:15260): cwd=/

type=PATH msg=audit(1723284270.857:15260): item=0 name=(null) inode=2754967 dev=09:7f mode=040755 ouid=985 ogid=979 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1723284270.857:15260): item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1723284270.857:15260): item=2 name=(null) inode=2754967 dev=09:7f mode=040755 ouid=985 ogid=979 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

type=PATH msg=audit(1723284270.857:15260): item=3 name=(null) inode=2770442 dev=09:7f mode=0100644 ouid=985 ogid=979 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0


unlink access to vnstat.db-journal
type=AVC msg=audit(1723284271.5:15262): avc:  denied  { unlink } for  pid=61237 comm="vnstatd" name="vnstat.db-journal" dev="md127" ino=2770442 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1723284271.5:15262): arch=x86_64 syscall=unlink success=yes exit=0 a0=55d81c3fa35f a1=55d81c3fa35f a2=0 a3=3b000 items=0 ppid=1 pid=61237 auid=4294967295 uid=985 gid=979 euid=985 suid=985 fsuid=985 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
vnstat-2.9-2.el9.x86_64

How reproducible:
Steps to Reproduce:
1. install vnstat
2. setenforce 0
3. systemctl start vnstat.service
4. wait 5 minutes or more and check SELinux with journalctl -t setroubleshoot

Actual results:
access is denied by SELinux to /var/lib/vnstat/vnstat.db-journal

Expected results:
vnstat is able to use its own database journal

Additional info:


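The following is an added example for triaging records like the ones quoted in this report; it is not part of the report and not code from vnstat, Fedora or the reporter. It parses the AVC lines, unions the denied permissions per source type, target type and object class, renders the TE rule that audit2allow would propose, and separately flags targets carrying a generic label such as var_lib_t. That flag matters here because every denial above is against var_lib_t and the PATH records show the parent directory labeled var_lib_t too, so the first question is whether the policy expects a different type for /var/lib/vnstat (a relabel fixes that) or really lacks the rule (a policy change fixes that). The sample input is a constructed copy of the report's AVC lines plus one abridged SYSCALL line; the list of generic types and the relabel heuristic are assumptions of this example.

```python
"""Triage SELinux AVC denials like the vnstatd ones in this report.

Added example, not code from vnstat, Fedora or the reporter. It assumes the
audit(8) record layout shown above; SAMPLE_AUDIT is a constructed copy of the
report's AVC lines plus one abridged SYSCALL line, so the script runs offline.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1723283952.729:15166): avc:  denied  { create } for  pid=61237 comm="vnstatd" name="vnstat.db-journal" scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1723283952.729:15166): avc:  denied  { read write open } for  pid=61237 comm="vnstatd" path="/var/lib/vnstat/vnstat.db-journal" dev="md127" ino=2770442 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1723283952.729:15166): arch=x86_64 syscall=openat success=yes exit=EINTR pid=61237 comm=vnstatd exe=/usr/sbin/vnstatd
type=AVC msg=audit(1723284271.5:15262): avc:  denied  { unlink } for  pid=61237 comm="vnstatd" name="vnstat.db-journal" dev="md127" ino=2770442 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

# Only AVC records carry a verdict; SYSCALL/PATH/CWD records of the same event are skipped.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for .*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
QUOTED_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # comm, name, path, dev

# Generic labels a confined domain is rarely allowed to touch. A denial against one of
# these usually means the object carries a fallback label (e.g. a directory created by
# hand), not that the policy lacks a rule. Heuristic list chosen for this example.
GENERIC_TYPES = {"var_lib_t", "var_t", "var_log_t", "etc_t", "usr_t", "tmp_t",
                 "default_t", "unlabeled_t"}


def context_type(ctx):
    """user:role:type:level -> type, the component TE rules are written against."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record: verdict, perms (set), contexts, class, quoted fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        rec.update(dict(QUOTED_FIELD_RE.findall(line)))
        records.append(rec)
    return records


def summarize(records):
    """Union the denied permissions per (source type, target type, object class)."""
    denied = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
            denied[key] |= r["perms"]
    return dict(denied)


def allow_rules(summary):
    """Render TE allow rules in the form audit2allow(1) prints them."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]


def relabel_candidates(records):
    """Objects whose target type is generic: compare with matchpathcon before adding policy."""
    paths = set()
    for r in records:
        if r["verdict"] == "denied" and context_type(r["tcontext"]) in GENERIC_TYPES:
            paths.add(r.get("path") or r.get("name", "<unknown>"))
    return sorted(paths)


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    print(f"{len(recs)} AVC records")
    for rule in allow_rules(summarize(recs)):
        print("audit2allow would propose:", rule)
    for p in relabel_candidates(recs):
        print("generic target label, check with matchpathcon/restorecon first:", p)
```

Run as a script it prints one proposed rule, allow vnstatd_t var_lib_t:file { create open read unlink write };, and lists the journal file as a relabel candidate. On the affected host the equivalent manual triage is: matchpathcon /var/lib/vnstat/vnstat.db-journal to see which type the loaded policy expects for that path; restorecon -Rv /var/lib/vnstat if the on-disk label differs from it; and only when the expected type really is var_lib_t, ausearch -m AVC -c vnstatd | audit2allow -M vnstat_local followed by semodule -i vnstat_local.pp as a local module until the package policy is corrected. Loading the generated rule first would also silence a plain mislabel, which is why the label check comes before the policy change.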