Bug 986804 - selinux stops collectds ping plug-in from working
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-22 07:02 UTC by Daniel Rowe
Modified: 2013-08-22 00:51 UTC (History)

Fixed In Version: selinux-policy-3.12.1-71.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-22 00:51:54 UTC
Type: Bug
Description Daniel Rowe 2013-07-22 07:02:03 UTC
Description of problem:

With selinux enabled and in enforcing mode collectd is unable to ping using its ping plugin.

collectd[871]: ping_sendto: Permission denied

Note that there are NO denials logged by selinux in either the message log or the audit log.

Setting SELINUX=permissive and rebooting fixes the issue and collectd IS able to ping.

Version-Release number of selected component (if applicable):

Completely up to date Fedora 19 system.

How reproducible:

Every time.

Steps to Reproduce:
1. Install Collectd and the collectd ping plugin.
2. Set collectd up to ping one or more hosts.
3. Watch the message log for errors.
4. Set SELINUX=permissive and again test the ping plugin.
5. Now works.

Actual results:

Collectd not able to ping.

Expected results:

Should work.

Additional info:

Comment 1 Miroslav Grepl 2013-07-22 08:33:15 UTC
commit a5cf75d089d49a3e579fb6ba88db31b0ba17a04a
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jul 22 10:32:53 2013 +0200

    Allow collectd to use ping plugin

Comment 2 Fedora Update System 2013-07-24 14:13:55 UTC
selinux-policy-3.12.1-66.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-66.fc19

Comment 3 Fedora Update System 2013-07-25 00:35:58 UTC
Package selinux-policy-3.12.1-66.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-66.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13543/selinux-policy-3.12.1-66.fc19
then log in and leave karma (feedback).

Comment 4 Daniel Rowe 2013-07-26 05:05:48 UTC
Confirm that it is fixed with the policy update.

Thanks.

Comment 5 Fedora Update System 2013-07-26 23:06:45 UTC
selinux-policy-3.12.1-66.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Daniel Rowe 2013-07-29 01:08:40 UTC
I initially thought the issue was fixed. But I was wrong. It is still logging collectd[2837]: ping_sendto: Permission denied

Comment 7 Miroslav Grepl 2013-07-29 08:32:32 UTC
What AVC msgs are you getting?

Re-test and run

# ausearch -m avc,user_avc -ts recent

Comment 8 Daniel Rowe 2013-08-13 05:32:03 UTC
No AVC messages are displaying. It is still logging collectd[5352]: ping_sendto: Permission denied

Comment 9 Daniel Walsh 2013-08-13 22:18:06 UTC
Try after semodule -DB, which turns off dontaudit rules.

semodule -DB
Try out collectd
semodule -B

Gather the AVCs related to collectd.

Comment 10 Daniel Rowe 2013-08-15 02:37:37 UTC
Please see below the AVC message

time->Thu Aug 15 12:19:58 2013
type=SYSCALL msg=audit(1376531398.861:1625): arch=c000003e syscall=44 success=no exit=-13 a0=4 a1=7faefc6f59f0 a2=54 a3=0 items=0 ppid=1 pid=1526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1376531398.861:1625): avc:  denied  { write } for  pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket

time->Thu Aug 15 12:19:59 2013
type=SYSCALL msg=audit(1376531399.861:1629): arch=c000003e syscall=44 success=no exit=-13 a0=4 a1=7faefc6f59f0 a2=54 a3=0 items=0 ppid=1 pid=1526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(1376531399.861:1629): avc:  denied  { write } for  pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket
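
Added example, not part of the bug report or of the selinux-policy project: a small Python triage script that pairs the SYSCALL and AVC records above by audit event serial, decodes the failing call (syscall 44 on x86_64 is sendto, exit -13 is EACCES, matching "ping_sendto: Permission denied"), and prints the allow rule an audit2allow-style tool would propose. The partial syscall table and the function names are assumptions of this example, and the generated rule is a candidate for review, not the content of the actual policy commit, which the page does not show.

```python
import errno
import re
from collections import Counter, defaultdict

# Two events from Comment 10; SYSCALL records trimmed to the fields used here.
SAMPLE = '''\
type=SYSCALL msg=audit(1376531398.861:1625): arch=c000003e syscall=44 success=no exit=-13 pid=1526 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0
type=AVC msg=audit(1376531398.861:1625): avc:  denied  { write } for  pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1376531399.861:1629): arch=c000003e syscall=44 success=no exit=-13 pid=1526 comm="collectd" exe="/usr/sbin/collectd" subj=system_u:system_r:collectd_t:s0
type=AVC msg=audit(1376531399.861:1629): avc:  denied  { write } for  pid=1526 comm="collectd" lport=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=rawip_socket
'''
# Partial x86_64 (arch=c000003e) syscall table: only the socket send calls.
X86_64_SYSCALLS = {44: "sendto", 46: "sendmsg"}
HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')

def parse(text):
    """Group audit records by event serial so SYSCALL and AVC lines pair up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            denied = PERMS.search(line)
            if not denied:
                continue  # skip "granted" records
            fields["perms"] = denied.group(1).split()
        events[int(serial)][rtype] = fields
    return events

def summarize(events):
    """Count identical denials as (syscall, errno, candidate allow rule)."""
    out = Counter()
    for ev in events.values():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL", {})
        if not avc:
            continue
        src = avc["scontext"].split(":")[2]
        tgt = avc["tcontext"].split(":")[2]
        tgt = "self" if tgt == src else tgt  # audit2allow-style shorthand
        name = X86_64_SYSCALLS.get(int(sc.get("syscall", -1)), "unknown")
        err = errno.errorcode.get(-int(sc.get("exit", 0)), "?")
        perms = " ".join(avc["perms"])
        out[(name, err, f"allow {src} {tgt}:{avc['tclass']} {{ {perms} }};")] += 1
    return out
```

Calling `summarize(parse(SAMPLE))` collapses the two events into one entry, which makes a flood of repeated denials from a polling daemon easier to review.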

Comment 11 Daniel Walsh 2013-08-15 18:54:39 UTC
That would make sense.

88a045e26eda07fd047f5de84141be5d8707f65d fixes this in git.

Comment 12 Fedora Update System 2013-08-20 08:25:15 UTC
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19

Comment 13 Fedora Update System 2013-08-21 00:14:25 UTC
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2013-08-22 00:51:54 UTC
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

