Description of problem:
Install Cacti from EPEL. Configure it using the default settings. The Cacti graphs do not display on the web.

SELinux is preventing /usr/bin/rrdtool from 'setattr' accesses on the directory /var/cache/fontconfig.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rrdtool should be allowed setattr access on the fontconfig directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rrdtool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:fonts_cache_t:s0
Target Objects                /var/cache/fontconfig [ dir ]
Source                        rrdtool
Source Path                   /usr/bin/rrdtool
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           rrdtool-1.4.7-7.fc18.x86_64
Target RPM Packages           fontconfig-2.10.2-1.fc19.x86_64
Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.0-0.rc8.git0.1.fc19.x86_64 #1 SMP Tue Dec 4 15:05:25 UTC 2012 x86_64 x86_64
Alert Count                   28
First Seen                    2012-12-05 23:23:27 EST
Last Seen                     2012-12-05 23:30:20 EST
Local ID                      b6b52fd7-027a-497b-a645-d6f209e8929c

Raw Audit Messages
type=AVC msg=audit(1354768220.317:814): avc: denied { setattr } for pid=4920 comm="rrdtool" name="fontconfig" dev="dm-0" ino=1042493 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

type=SYSCALL msg=audit(1354768220.317:814): arch=x86_64 syscall=chmod success=no exit=EACCES a0=211f900 a1=1ed a2=1 a3=7fffe0d7af00 items=0 ppid=4375 pid=4920 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=rrdtool exe=/usr/bin/rrdtool subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: rrdtool,httpd_t,fonts_cache_t,dir,setattr

audit2allow

audit2allow -R

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.0-0.rc8.git0.1.fc19.x86_64
type:           libreport
Er, and when I say "Cacti from EPEL", I meant "Cacti from Rawhide". Hopefully you get the idea :)
Setattr check should happen for DAC before it happens for SELinux. Then this AVC would not happen. Forces us to write bad policy.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Is this still a problem with 3.9 based F19 kernels?
This bug is being closed with INSUFFICIENT_DATA as there has not been a response in 2 weeks. If you are still experiencing this issue, please reopen and attach the relevant data from the latest kernel you are running and any data that might have been requested previously.
Affects: CentOS release 6.5 (Final)

Installed versions:
cacti-0.8.8b-3.el6.noarch
selinux-policy-3.7.19-231.el6_5.1.noarch
selinux-policy-minimum-3.7.19-231.el6_5.1.noarch
selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
selinux-policy-mls-3.7.19-231.el6_5.1.noarch

SEStatus:
---
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
---

Audit.log
---
type=AVC msg=audit(1395841586.356:6315): avc: denied { setattr } for pid=20032 comm="rrdtool" name="fontconfig" dev=dm-0 ino=3670514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
---

Workaround .te file (allows RRD to setattr on dir; note this does not allow DAC override).
---
module rrdtool-setattr-fontcache 1.0;

require {
	type httpd_t;
	type fonts_cache_t;
	class dir setattr;
}

#============= httpd_t ==============
allow httpd_t fonts_cache_t:dir setattr;
---
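The procedure in the original report (grep the audit log, pipe it through audit2allow, load the module with semodule) and the hand-written .te in the comment above arrive at the same rule. As an added illustration that is not part of this bug report, the POSIX shell below reconstructs that derivation from the AVC records quoted in the thread: it pulls the source type, target type, object class and permission set out of each record, emits the corresponding allow rule, and assembles a loadable .te skeleton, so the rule can be read before semodule -i installs it. The module name and the third, two-permission record are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the bug report: reconstruct what audit2allow derives from
# AVC denial records, so the resulting rule can be reviewed before "semodule -i" loads it.
# Inputs: the AVC records quoted in the thread (comment 1 and the RHEL 6.6 comment) plus one
# constructed multi-permission record; the module name passed to avc_to_te is a placeholder.

AVC_F18='type=AVC msg=audit(1354768220.317:814): avc: denied { setattr } for pid=4920 comm="rrdtool" name="fontconfig" dev="dm-0" ino=1042493 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir'
AVC_EL6='type=AVC msg=audit(1431098356.232:484315): avc: denied { setattr } for pid=19745 comm="rrdtool" name="fontconfig" dev=sda5 ino=263339 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir'
# Constructed record (not from the thread) with two permissions, to exercise the braced form.
AVC_MULTI='type=AVC msg=audit(1000000000.000:1): avc: denied { read write } for pid=1 comm="rrdtool" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=file'

# avc_field KEY LINE: value of the " KEY=value" token in one audit record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# avc_perms LINE: the permission names inside "denied { ... }", trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE: the single allow rule this denial maps to.
avc_to_allow() {
    perms=$(avc_perms "$1")
    case $perms in *' '*) perms="{ $perms }" ;; esac   # several perms need braces
    printf 'allow %s %s:%s %s;\n' \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field tclass "$1")" "$perms"
}

# avc_to_te NAME: read AVC records on stdin, write a loadable .te module: header,
# require block listing every type and class/permission used, then the deduplicated rules.
avc_to_te() {
    rules=$(while IFS= read -r l; do
                case $l in *denied*) avc_to_allow "$l" ;; esac
            done | sort -u)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '
        NF == 0 { next }
        {
            types[$2] = 1
            split($3, a, ":"); types[a[1]] = 1
            for (i = 4; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "{" || p == "}" || p == "") continue
                if (!((a[2], p) in seen)) {
                    seen[a[2], p] = 1; n[a[2]]++
                    perms[a[2]] = perms[a[2]] " " p
                }
            }
        }
        END {
            for (t in types) printf "    type %s;\n", t
            for (c in perms) {
                if (n[c] > 1) printf "    class %s {%s };\n", c, perms[c]
                else          printf "    class %s%s;\n", c, perms[c]
            }
        }'
    printf '}\n\n%s\n' "$rules"
}

# Usage: the two records from the thread and the constructed one, rendered as one module.
printf '%s\n' "$AVC_F18" "$AVC_EL6" "$AVC_MULTI" | avc_to_te rrdtool_fontcache_example
```

Reading the generated rule makes its scope visible: `allow httpd_t fonts_cache_t:dir setattr;` permits every httpd_t process to change attributes on any fonts_cache_t directory, not only this one chmod by rrdtool, and, as the comment above notes, it does not override the DAC permission check, which the kernel still applies independently.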
Please report that to CentOS then. Fedora bugzilla reports aren't going to get anything fixed in CentOS.
I can confirm that this bug exists in RHEL6.6 with rrdtool:

type=AVC msg=audit(1431098356.232:484315): avc: denied { setattr } for pid=19745 comm="rrdtool" name="fontconfig" dev=sda5 ino=263339 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

rrdtool-1.3.8-7.el6.x86_64
selinux-policy-3.7.19-260.el6_6.2.noarch
selinux-policy-targeted-3.7.19-260.el6_6.2.noarch

Please re-open this ticket.