Bug 908270
| Summary: | journal is full of collectd messages | ||
|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Fabian Deutsch <fdeutsch> |
| Component: | ovirt-node | Assignee: | Joey Boggs <jboggs> |
| Status: | CLOSED WONTFIX | QA Contact: | bugs <bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.2 | CC: | acathrow, dfediuck, gouyang, hadong, jboggs, leiwang, mgoldboi, ovirt-bugs, ovirt-maint, ycui |
| Target Milestone: | --- | ||
| Target Release: | 3.4.1 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | node | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-03-19 17:04:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 753309 | ||
| Bug Blocks: | 894059 | ||
Description
Fabian Deutsch
2013-02-06 10:11:51 UTC
dwalsh,
Can you recommend any changes here?
Collectd starts, it's just failing since it's not able to write to /var/log/collectd.log
Here's the module file we're using which has the added entries from audit2allow, is there something else I could be missing?
```
module ovirt 1.0;

require {
    type initrc_t;
    type initrc_tmp_t;
    type mount_t;
    type setfiles_t;
    type shadow_t;
    type unconfined_t;
    type passwd_t;
    type user_tmp_t;
    type var_log_t;
    type net_conf_t;
    type collectd_t;
    type virt_etc_t;
    type loadkeys_t;
    type initrc_tmp_t;
    type virtd_exec_t;
    class file { append mounton open getattr read execute ioctl lock entrypoint write };
    class fd { use };
    class process { sigchld signull transition noatsecure siginh rlimitinh getattr };
    class fifo_file { getattr open read write append lock ioctl };
    class filesystem getattr;
    class dir { getattr search open read lock ioctl write add_name};
    class socket { read write };
    class tcp_socket { read write };
    class udp_socket { read write };
    class rawip_socket { read write };
    class netlink_socket { read write };
    class packet_socket { read write };
    class unix_stream_socket { read write create ioctl getattr lock setattr append bind connect getopt setopt shutdown connectto };
    class unix_dgram_socket { read write };
    class appletalk_socket { read write };
    class netlink_route_socket { read write };
    class netlink_firewall_socket { read write };
    class netlink_tcpdiag_socket { read write };
    class netlink_nflog_socket { read write };
    class netlink_xfrm_socket { read write };
    class netlink_selinux_socket { read write };
    class netlink_audit_socket { read write };
    class netlink_ip6fw_socket { read write };
    class netlink_dnrt_socket { read write };
    class netlink_kobject_uevent_socket { read write };
    class tun_socket { read write };
    class chr_file { getattr read write append ioctl lock open };
    class lnk_file { getattr read };
    class sock_file { getattr write open append };
}

allow mount_t shadow_t:file mounton;
allow setfiles_t net_conf_t:file read;
# Unknown on F18:
#allow setfiles_t initrc_tmp_t:file append;
#allow consoletype_t var_log_t:file append;
#allow passwd_t user_tmp_t:file write;
# Unknown on F17 brctl_t:
#allow brctl_t net_conf_t:file read;
# Suppose because of collectd libvirt plugin
allow collectd_t virt_etc_t:file read;
allow collectd_t var_log_t:dir write;
allow collectd_t var_log_t:dir add_name;
allow collectd_t virtd_exec_t:file getattr;
# Suppose because etc is on tmpfs
allow loadkeys_t initrc_tmp_t:file read;

type ovirt_exec_t;
init_daemon_domain(unconfined_t,ovirt_exec_t)
```
Running audit2allow on audit.log

```
audit2allow -i /tmp/au.log
#============= collectd_t ==============
allow collectd_t passwd_file_t:file read;
allow collectd_t var_log_t:dir add_name;
allow collectd_t virtd_exec_t:file getattr;
#============= loadkeys_t ==============
allow loadkeys_t initrc_tmp_t:file open;
```
-------------------
audit.log entries for collectd
type=PATH msg=audit(1360184795.506:2698): item=0 name="/var/log/collectd.log" inode=13990 dev=00:21 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0
type=AVC msg=audit(1360184795.506:2699): avc: denied { add_name } for pid=1413 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1360184795.506:2699): arch=c000003e syscall=2 success=no exit=-13 a0=7f9e269ed5c0 a1=441 a2=1b6 a3=238 items=1 ppid=1 pid=1413 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=CWD msg=audit(1360184795.506:2699): cwd="/var/lib/collectd"
type=PATH msg=audit(1360184795.506:2699): item=0 name="/var/log/collectd.log" inode=13990 dev=00:21 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0
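
An added example, not part of the original report or of oVirt's code: a Python check that compares AVC denials from an audit log with the allow rules in a module source, separating denials the module does not cover from ones it already grants. The audit lines are constructed samples modelled on the denials quoted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed audit.log lines, modelled on the denials quoted in the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1000000000.001:101): avc: denied { add_name } for pid=1000 comm="collectd" name="collectd.log" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1000000000.002:102): avc: denied { read } for pid=1000 comm="collectd" name="passwd" scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1000000000.003:103): avc: denied { open } for pid=1001 comm="loadkeys" name="keymap" scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1000000000.003:103): arch=c000003e syscall=2 success=no exit=-13
"""

# Allow rules as they appear in the module quoted in the report.
SAMPLE_TE = """\
#allow setfiles_t initrc_tmp_t:file append;
allow collectd_t var_log_t:dir write;
allow collectd_t var_log_t:dir add_name;
allow collectd_t virtd_exec_t:file getattr;
allow loadkeys_t initrc_tmp_t:file read;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=\w+:\w+:(\w+)\S*"
                    r"\s+tcontext=\w+:\w+:(\w+)\S*\s+tclass=(\w+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

def parse_denials(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for perms, src, tgt, cls in AVC_RE.findall(audit_text):
        denied[(src, tgt, cls)].update(perms.split())
    return denied

def parse_allows(te_text):
    # Same mapping for active allow rules; lines starting with '#' are skipped.
    allowed = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text):
        allowed[(src, tgt, cls)].update((braced or single).split())
    return allowed

def compare(audit_text, te_text):
    """Return (rules the module lacks, rules it already contains) for the denials."""
    allowed = parse_allows(te_text)
    missing, present = [], []
    for (src, tgt, cls), perms in sorted(parse_denials(audit_text).items()):
        for perm in sorted(perms):
            rule = f"allow {src} {tgt}:{cls} {perm};"
            (present if perm in allowed[(src, tgt, cls)] else missing).append(rule)
    return missing, present

if __name__ == "__main__":
    for label, rules in zip(("not in module", "already in module"), compare(SAMPLE_AUDIT, SAMPLE_TE)):
        print(label, *rules, sep="\n  ")
```

A denial that lands in the second list is already granted by the module source, so the first thing to check is whether that version of the module is actually loaded (`semodule -l`) rather than adding more rules.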
The collectd service is writing

Filter subsystem: Built-in target `write': Dispatching value to all write plugins failed with status 2.

to the journal, because no plugin (which supports a 'write' callback) is configured. The network plugin supports the write callback, but isn't configured initially. So ideally we will have to disable the collectd plugin (see bug #753309) until it is configured properly.

Also: http://mailman.verplant.org/pipermail/collectd/2011-June/004549.html

we could disable collectd by default and have it started during ovirt-post based on a value in /etc/default/ovirt

(In reply to Mike Burns from comment #3)
> we could disable collectd by default and have it started during ovirt-post
> based on a value in /etc/default/ovirt

Good idea! That will work on the short term.

*** Bug 990457 has been marked as a duplicate of this bug. ***

Not fixed in 3.0. Deferred to a later release.

This is an automated message. Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.

Closing old bugs. If relevant please reopen.