915771 – SELinux is preventing /usr/sbin/collectd from using the net_admin capability.

Bug 915771 - SELinux is preventing /usr/sbin/collectd from using the net_admin capability.

Summary: SELinux is preventing /usr/sbin/collectd from using the net_admin capability.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	17
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	915775 915819 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-02-26 13:35 UTC by Joel Uckelman
Modified:	2013-06-24 03:27 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.10.0-170.fc17
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-06-24 03:27:41 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Joel Uckelman 2013-02-26 13:35:46 UTC

Description of problem:

SELinux is preventing /usr/sbin/collectd from using the net_admin capability.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that collectd should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:system_r:collectd_t:s0
Target Objects                 [ capability ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          clio
Source RPM Packages           collectd-4.10.8-2.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     clio
Platform                      Linux clio 3.7.9-101.fc17.x86_64 #1 SMP Mon Feb 18
                              22:04:06 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-02-26 14:33:13 CET
Last Seen                     2013-02-26 14:33:33 CET
Local ID                      f61aff90-c501-4b74-a951-be72ed0782bd

Raw Audit Messages
type=AVC msg=audit(1361885613.373:5838): avc:  denied  { net_admin } for  pid=30046 comm="collectd" capability=12  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability


type=SYSCALL msg=audit(1361885613.373:5838): arch=x86_64 syscall=read success=yes exit=ESRCH a0=5 a1=7f786f36b000 a2=400 a3=22 items=0 ppid=1 pid=30046 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,collectd_t,capability,net_admin

audit2allow

#============= collectd_t ==============
allow collectd_t self:capability net_admin;

audit2allow -R

#============= collectd_t ==============
allow collectd_t self:capability net_admin;

Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-167.fc17.noarch

How reproducible:

Always.

Steps to Reproduce:
1. Enable the conntrack plugin for collectd.
  
Actual results:

SELinux denial.


Expected results:

No denial.

Comment 1 Daniel Walsh 2013-02-26 22:06:05 UTC

Does collectd actually manipulate network tables.


/* Allow use of RAW sockets */
/* Allow use of PACKET sockets */
/* Allow binding to any address for transparent proxying (also via NET_ADMIN) */

Comment 2 Alan Pevec 2013-02-26 22:20:14 UTC

(In reply to comment #1)
> Does collectd actually manipulate network tables.

It does not, this is F16 bug 787643 again, looks like hope from bug 787643 comment 6 was not fulfilled?
"Lets add the dontaudit to F16 and hope the kernel is fixed in F17/F18"

Comment 3 Miroslav Grepl 2013-02-28 12:49:31 UTC

Ok, I am adding dontaudit rules to F17.

Comment 4 Miroslav Grepl 2013-02-28 12:49:52 UTC

*** Bug 915775 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2013-02-28 15:18:40 UTC

*** Bug 915819 has been marked as a duplicate of this bug. ***

Comment 6 Fedora Update System 2013-06-07 06:59:47 UTC

selinux-policy-3.10.0-170.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-170.fc17

Comment 7 Fedora Update System 2013-06-07 23:26:47 UTC

Package selinux-policy-3.10.0-170.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-170.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-10302/selinux-policy-3.10.0-170.fc17
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-06-24 03:27:41 UTC

selinux-policy-3.10.0-170.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.