Bug 915777 - SELinux is preventing /usr/sbin/collectd from search access on the directory rpc.
Summary: SELinux is preventing /usr/sbin/collectd from search access on the directory ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-02-26 13:44 UTC by Joel Uckelman
Modified: 2013-03-14 03:02 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-14 03:02:39 UTC
Type: Bug


Attachments (Terms of Use)

Description Joel Uckelman 2013-02-26 13:44:10 UTC
Description of problem:

SELinux is preventing /usr/sbin/collectd from search access on the directory rpc.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that collectd should be allowed search access on the rpc directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:object_r:sysctl_rpc_t:s0
Target Objects                rpc [ dir ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          clio
Source RPM Packages           collectd-4.10.8-2.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-167.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     clio
Platform                      Linux clio 3.7.9-101.fc17.x86_64 #1 SMP Mon Feb 18
                              22:04:06 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-02-26 14:41:38 CET
Last Seen                     2013-02-26 14:41:48 CET
Local ID                      8c524e77-cb0a-47f8-bfb4-5825057d08b6

Raw Audit Messages
type=AVC msg=audit(1361886108.700:5892): avc:  denied  { search } for  pid=30568 comm="collectd" name="rpc" dev="proc" ino=4026532232 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=dir


type=SYSCALL msg=audit(1361886108.700:5892): arch=x86_64 syscall=open success=no exit=EACCES a0=7f955d7794cb a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=30568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,sysctl_rpc_t,dir,search

audit2allow

#============= collectd_t ==============
allow collectd_t sysctl_rpc_t:dir search;

audit2allow -R

#============= collectd_t ==============
allow collectd_t sysctl_rpc_t:dir search;


How reproducible:

Always.

Steps to Reproduce:
1. Enable the nfs plugin in collectd.
  
Actual results:

SELinux denials


Expected results:

No denials

Comment 1 Joel Uckelman 2013-03-02 16:06:59 UTC
After granting access to rpc:

SELinux is preventing /usr/sbin/collectd from read access on the file nfsd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that collectd should be allowed read access on the nfsd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:object_r:sysctl_rpc_t:s0
Target Objects                nfsd [ file ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          clio
Source RPM Packages           collectd-5.2.0-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-81.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     clio
Platform                      Linux clio 3.7.9-205.fc18.x86_64 #1 SMP Sun Feb 24
                              20:10:02 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-03-02 17:05:59 CET
Last Seen                     2013-03-02 17:06:09 CET
Local ID                      97b087f8-91d8-40d6-8064-d99c94232811

Raw Audit Messages
type=AVC msg=audit(1362240369.613:1845): avc:  denied  { read } for  pid=5567 comm="collectd" name="nfsd" dev="proc" ino=4026532199 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file


type=SYSCALL msg=audit(1362240369.613:1845): arch=x86_64 syscall=open success=no exit=EACCES a0=7f2a4fbc03a1 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=5567 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,sysctl_rpc_t,file,read

audit2allow

#============= collectd_t ==============
allow collectd_t sysctl_rpc_t:file read;

audit2allow -R

#============= collectd_t ==============
allow collectd_t sysctl_rpc_t:file read;

Comment 2 Joel Uckelman 2013-03-02 16:20:05 UTC
After granting access to nfsd:

SELinux is preventing /usr/sbin/collectd from getattr access on the file /proc/<pid>/net/rpc/nfsd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that collectd should be allowed getattr access on the nfsd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep collectd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:collectd_t:s0
Target Context                system_u:object_r:sysctl_rpc_t:s0
Target Objects                /proc/<pid>/net/rpc/nfsd [ file ]
Source                        collectd
Source Path                   /usr/sbin/collectd
Port                          <Unknown>
Host                          clio
Source RPM Packages           collectd-5.2.0-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-81.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     clio
Platform                      Linux clio 3.7.9-205.fc18.x86_64 #1 SMP Sun Feb 24
                              20:10:02 UTC 2013 x86_64 x86_64
Alert Count                   10
First Seen                    2013-03-02 17:16:39 CET
Last Seen                     2013-03-02 17:18:09 CET
Local ID                      cc8c01c3-fba5-41f5-baf5-84fdd63137ee

Raw Audit Messages
type=AVC msg=audit(1362241089.614:1931): avc:  denied  { getattr } for  pid=5572 comm="collectd" path="/proc/5564/net/rpc/nfsd" dev="proc" ino=4026532199 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:sysctl_rpc_t:s0 tclass=file


type=SYSCALL msg=audit(1362241089.614:1931): arch=x86_64 syscall=fstat success=no exit=EACCES a0=6 a1=7f2a46ffc710 a2=7f2a46ffc710 a3=0 items=0 ppid=1 pid=5572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=collectd exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)

Hash: collectd,collectd_t,sysctl_rpc_t,file,getattr

audit2allow

#============= collectd_t ==============
#!!!! This avc is allowed in the current policy

allow collectd_t sysctl_rpc_t:file getattr;

audit2allow -R

#============= collectd_t ==============
#!!!! This avc is allowed in the current policy

allow collectd_t sysctl_rpc_t:file getattr;

Comment 3 Joel Uckelman 2013-03-02 16:22:39 UTC
After permitting the above three, the collectd nfs plugin produces no more denials.

Comment 4 Miroslav Grepl 2013-03-04 09:44:18 UTC
Backported changes from rawhide.

Comment 5 Fedora Update System 2013-03-04 12:11:36 UTC
selinux-policy-3.11.1-83.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-83.fc18

Comment 6 Fedora Update System 2013-03-04 22:34:18 UTC
Package selinux-policy-3.11.1-83.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-83.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3398/selinux-policy-3.11.1-83.fc18
then log in and leave karma (feedback).

Comment 7 Joel Uckelman 2013-03-05 22:38:19 UTC
I tested selinux-policy-3.11.1-83.fc18. It works for me. Thanks!

Comment 8 Fedora Update System 2013-03-08 16:11:47 UTC
selinux-policy-3.11.1-84.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-84.fc18

Comment 9 Fedora Update System 2013-03-14 03:02:43 UTC
selinux-policy-3.11.1-85.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.