SELinux is denying collectd from opening port 9103, which is used by the write_prometheus plugin. Setting setenforce to 0 allows collectd to use the port. I added tcp/9103 to collectd_port_t and set the collectd_tcp_network_connect to "on". Details below.

Mar 25 09:30:14 fedora41.example.com systemd[1]: Starting collectd.service - Collectd statistics daemon...
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "syslog" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "cpu" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "interface" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "load" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "memory" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_load: plugin "write_prometheus" successfully loaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Systemd detected, trying to signal readiness.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: write_prometheus plugin: Opening a listening socket for [::]:9103 failed.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Initialization of plugin `write_prometheus' failed with status -1. Plugin will be unloaded.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: plugin_unregister_read: No such read function: write_prometheus
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Error: one or more plugin init callbacks failed.
Mar 25 09:30:14 fedora41.example.com collectd[1907]: Initialization complete, entering read-loop.
Mar 25 09:30:14 fedora41.example.com systemd[1]: Started collectd.service - Collectd statistics daemon.

# semanage port -l | grep collectd
collectd_port_t                tcp      9103
collectd_port_t                udp      25826

# getsebool collectd_tcp_network_connect
collectd_tcp_network_connect --> on

# sealert -l 0f8a6a8e-06d6-46d5-b0b3-73ffc10bbfd6
SELinux is preventing /usr/sbin/collectd from name_bind access on the tcp_socket port 9103.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that collectd should be allowed name_bind access on the port 9103 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'collectd' --raw | audit2allow -M my-collectd
# semodule -X 300 -i my-collectd.pp

Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:object_r:collectd_port_t:s0
Target Objects                port 9103 [ tcp_socket ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          9103
Host                          fedora41.example.com
Source RPM Packages           collectd-5.12.0-44.fc41.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-41.34-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.34-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora41.example.com
Platform                      Linux fedora41.example.com 6.13.8-200.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Mar 23 05:03:09 UTC 2025 x86_64
Alert Count                   2
First Seen                    2025-03-25 09:30:14 EDT
Last Seen                     2025-03-25 09:30:14 EDT
Local ID                      0f8a6a8e-06d6-46d5-b0b3-73ffc10bbfd6

Raw Audit Messages
type=AVC msg=audit(1742909414.112:693): avc: denied { name_bind } for pid=1907 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:collectd_port_t:s0 tclass=tcp_socket permissive=0

type=SYSCALL msg=audit(1742909414.112:693): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=55c8f9e52050 a2=10 a3=7fff70cfb694 items=0 ppid=1 pid=1907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,collectd_port_t,tcp_socket,name_bind

Reproducible: Always

Steps to Reproduce:
1. dnf -y install collectd collectd-write_prometheus
2. cat << __EOF__ > /etc/collectd.d/write_prometheus.conf
LoadPlugin write_prometheus
<Plugin "write_prometheus">
  Port "9103"
</Plugin>
__EOF__
3. systemctl start collectd.service

Actual Results:
Mar 25 09:30:14 fedora41.example.com collectd[1907]: write_prometheus plugin: Opening a listening socket for [::]:9103 failed.

Expected Results:
Mar 25 08:59:55 fedora41.example.com collectd[1326354]: write_prometheus plugin: Listening on [::]:9103.
Can you try this coprbuild if the fix is sufficient?

https://github.com/fedora-selinux/selinux-policy/pull/2653
checks -> rpmbuild -> rawhide
(In reply to Zdenek Pytela from comment #1)
> Can you try this coprbuild if the fix is sufficient?
>
> https://github.com/fedora-selinux/selinux-policy/pull/2653
> checks -> rpmbuild -> rawhide

I tried the packages in the indicated copr repository, but it didn't resolve the problem.

# head -2 /etc/os-release
NAME="Fedora Linux"
VERSION="42 (Adams)"

# dnf -y install collectd collectd-write_prometheus

# cat << __EOF__ > /etc/collectd.d/write_prometheus.conf
LoadPlugin write_prometheus
<Plugin "write_prometheus">
  Port "9103"
</Plugin>
__EOF__

# dnf copr enable packit/fedora-selinux-selinux-policy-2653 fedora-42-x86_64

# dnf install -y selinux-policy-minimum-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-targeted-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-doc-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-devel-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-mls-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch selinux-policy-sandbox-41.38-1.20250422170502029646.pr2653.3.ga8f65bc59.fc42.noarch

# semanage port -a -t collectd_port_t -p tcp 9103

# setsebool collectd_tcp_network_connect on

# systemctl start collectd.service

# journalctl -u collectd.service
Apr 23 11:29:35 fedora42.example.com systemd[1]: Started collectd.service - Collectd statistics daemon.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: write_prometheus plugin: Opening a listening socket for [::]:9103 failed.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: Initialization of plugin `write_prometheus' failed with status -1. Plugin will be unloaded.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: plugin_unregister_read: No such read function: write_prometheus
Apr 23 11:29:35 fedora42.example.com collectd[1680]: Error: one or more plugin init callbacks failed.
Apr 23 11:29:35 fedora42.example.com collectd[1680]: Initialization complete, entering read-loop.

# ausearch -m AVC -c collectd -ts recent
----
time->Wed Apr 23 11:42:46 2025
type=PROCTITLE msg=audit(1745422966.726:3006): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D6578656375746F72002D2D646573657269616C697A65003534002D2D6C6F672D6C6576656C00696E666F002D2D6C6F672D746172676574006A6F75726E616C2D6F722D6B6D7367
type=SYSCALL msg=audit(1745422966.726:3006): arch=c000003e syscall=50 success=no exit=-13 a0=3 a1=10 a2=10 a3=7ffd6ae82d54 items=0 ppid=1 pid=2003 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/bin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1745422966.726:3006): avc: denied { listen } for pid=2003 comm="collectd" lport=9103 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=tcp_socket permissive=0

-Matt
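Added example, not part of the bug thread or of selinux-policy: a small Python triage of the two AVC records quoted above, showing why the first denial persists even though tcp/9103 is already labelled collectd_port_t, and why the second is a different, self-targeted denial. The function names (parse_avc, triage, missing_rule) are hypothetical, and the derived rule is a simplified version of what audit2allow prints, not the change made in the linked pull requests.

```python
import re

# AVC records copied verbatim from the two comments in this thread.
AVC_LINES = [
    'type=AVC msg=audit(1742909414.112:693): avc: denied { name_bind } for '
    'pid=1907 comm="collectd" src=9103 scontext=system_u:system_r:collectd_t:s0 '
    'tcontext=system_u:object_r:collectd_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1745422966.726:3006): avc: denied { listen } for '
    'pid=2003 comm="collectd" lport=9103 scontext=system_u:system_r:collectd_t:s0 '
    'tcontext=system_u:system_r:collectd_t:s0 tclass=tcp_socket permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the policy rule is keyed on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def triage(rec):
    """Classify the denial so the right kind of fix is chosen."""
    if rec['stype'] == rec['ttype']:
        # Source and target are the same domain: the process lacks a permission
        # on its own socket. Port labels (semanage port) cannot affect this.
        return 'self'
    if 'name_bind' in rec['perms']:
        # The target type is the port's label. If it is already the type meant
        # for this service, relabelling the port changes nothing; the policy
        # has no allow rule for binding to that type.
        return 'port-bind'
    return 'other'

def missing_rule(rec):
    """Allow rule the loaded policy lacks for this denial (audit2allow style)."""
    target = 'self' if rec['stype'] == rec['ttype'] else rec['ttype']
    perms = rec['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {target}:{rec['tclass']} {perm};"

if __name__ == '__main__':
    for line in AVC_LINES:
        rec = parse_avc(line)
        print(triage(rec), '->', missing_rule(rec))
```
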
Thanks for checking, we are actually moving forward:

https://github.com/fedora-selinux/selinux-policy/pull/2666

For me, the service still fails, but there are no avc denials.
FEDORA-2025-a84432e770 (selinux-policy-41.39-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a84432e770
FEDORA-2025-a84432e770 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a84432e770` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a84432e770 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-a84432e770 (selinux-policy-41.39-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.