libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.2.3-2.fc16.x86_64 reason: SELinux is preventing /usr/sbin/collectd from 'net_admin' accesses on the None . time: Mon 06 Feb 2012 11:43:50 GMT description: :SELinux is preventing /usr/sbin/collectd from 'net_admin' accesses on the None . : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that collectd should be allowed net_admin access on the <Unknown> by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep collectd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:collectd_t:s0 :Target Context system_u:system_r:collectd_t:s0 :Target Objects [ None ] :Source collectd :Source Path /usr/sbin/collectd :Port <Unknown> :Host (removed) :Source RPM Packages collectd-4.10.4-1.fc16.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-75.fc16.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 : 20:08:08 UTC 2012 x86_64 x86_64 :Alert Count 5 :First Seen Mon 06 Feb 2012 19:42:22 GMT :Last Seen Mon 06 Feb 2012 19:42:52 GMT :Local ID 686dd0ad-3ece-4c58-b263-82fc9504f47e : :Raw Audit Messages :type=AVC msg=audit(1328557372.441:65): avc: denied { net_admin } for pid=1049 comm="collectd" capability=12 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capabilitynode=(removed) type=SYSCALL msg=audit(1328557372.441:65): arch=c000003e syscall=0 success=yes exit=3 a0=5 a1=7f665c8e3000 a2=400 a3=22 items=0 ppid=1 pid=1049 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null) : : :Hash: collectd,collectd_t,collectd_t,None,net_admin : :audit2allow : : :audit2allow -R : :
Does collectd need this? CAP_NET_ADMIN Perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configura‐ tion, modifying routing tables)
looks like it's the conntrack plugin which is causing this problem. that plugin is disabled by default so you can probably set the severity as 'low' for this one.
Might want to add a boolean to allow collectd to manipulate the systems networking.
(In reply to comment #2) > looks like it's the conntrack plugin which is causing this problem. Interesting, conntrack.c only reads /proc/sys/net/netfilter/nf_conntrack_count why would that require net_admin ??
I believe it can be safely dontaudit'd although really should be fixed in the kernel. I believe, although haven't tested, this comes from net/sysctl_net.c::net_ctl_permissions() which checks CAP_NET_ADMIN and will allow one to overwrite the DAC permissions. I believe the fix is to use has_capability_noaudit() in the kernel instead of capable(). Thus we don't get such denials. I'll try to send a patch upstream.
Lets add the dontaudit to F16 and hope the kernel is fixed in F17/F18
Fixed in selinux-policy-3.10.0-89.fc16
selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16
Package selinux-policy-3.10.0-89.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.