[Bug 1223260] New: SELinux denies pcp
https://bugzilla.suse.com/show_bug.cgi?id=1223260

            Bug ID: 1223260
           Summary: SELinux denies pcp
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: felix.niederwanger@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Created attachment 874416
  --> https://bugzilla.suse.com/attachment.cgi?id=874416&action=edit
ausearch -ts boot -m avc

On MicroOS, starting pmlogger with SELinux in enforcing mode fails with several SELinux-related denials:
Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger...
Apr 22 13:14:01 microos rc[2682]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.d9N3i7aLW/tmp: Permission denied
Apr 22 13:14:01 microos rc[2750]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.7vdZJLmGN/pmcheck.out: Permission denied
Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE
Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'.
Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger.
Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Scheduled restart job, restart counter is at 1.
Apr 22 13:14:01 microos systemd[1]: Stopped Performance Metrics Archive Logger.
Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger...
Apr 22 13:14:01 microos rc[2958]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.yWYJd9JBe/tmp: Permission denied
Apr 22 13:14:01 microos rc[2991]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.OcmNVcLdA/pmcheck.out: Permission denied
Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE
Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'.
Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger.
...
I'm attaching the output of ausearch -ts boot -m avc; the failures are coming from the rc program and are related to tmp and pmcheck.out.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1223260
https://bugzilla.suse.com/show_bug.cgi?id=1223260#c7

--- Comment #7 from Felix Niederwanger <felix.niederwanger@suse.com> ---
pcp still doesn't work on MicroOS with SELinux in enforcing mode:
type=PATH msg=audit(1716877644.953:46328): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.gliqVCgUQ/" inode=5698894 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877644.953:46328): avc: denied { add_name } for pid=18618 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877645.030:46342): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.IVIMGaQN1/" inode=5698895 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877645.030:46342): avc: denied { add_name } for pid=18652 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877645.503:46433): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.na2TBjy1B/" inode=5698906 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877645.503:46433): avc: denied { add_name } for pid=18736 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877645.593:46453): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.QFpncch3t/" inode=5698924 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877645.593:46453): avc: denied { add_name } for pid=18793 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877645.906:46514): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.yjgaR7N41/" inode=5698931 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877645.906:46514): avc: denied { add_name } for pid=18842 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877645.986:46529): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.d0H7AK6Ej/" inode=5698932 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877645.986:46529): avc: denied { add_name } for pid=18881 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877646.410:46616): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.ZjP5ELV8G/" inode=5698938 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877646.410:46616): avc: denied { add_name } for pid=18964 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877646.490:46630): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.fpcmZskk9/" inode=5698939 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877646.490:46630): avc: denied { add_name } for pid=18998 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877646.896:46718): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.DiHnsjgMm/" inode=5698946 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877646.896:46718): avc: denied { add_name } for pid=19076 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877646.966:46732): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.70UcJYJ37/" inode=5698947 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877646.966:46732): avc: denied { add_name } for pid=19111 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=PATH msg=audit(1716877746.770:48967): item=1 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/tmp" inode=5699243 dev=00:26 mode=0100644 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1716877746.770:48967): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/" inode=5699242 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877746.770:48967): avc: denied { write open } for pid=22395 comm="rc" path="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/tmp" dev="vdb3" ino=5699243 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.770:48967): avc: denied { create } for pid=22395 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.770:48967): avc: denied { add_name } for pid=22395 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=1
type=PATH msg=audit(1716877746.780:48971): item=1 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/pcp.env.path" inode=5699244 dev=00:26 mode=0100644 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1716877746.780:48971): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/" inode=5699242 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877746.780:48971): avc: denied { append } for pid=22395 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=PATH msg=audit(1716877746.790:48976): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/pcp.env.path" inode=5699244 dev=00:26 mode=0100644 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(1716877746.790:48976): avc: denied { read } for pid=22424 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
This is MicroOS on 20240524, so it should include https://build.opensuse.org/request/show/1174199 and it looks like the issue is only partially resolved.
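The AVC records in comment #7 carry everything needed to see what policy is missing: every denial has scontext type init_t, tcontext type pcp_var_lib_t, and a handful of dir/file permissions, and the records from the second run are marked permissive=1 (logged but not blocked) while the first-run records are permissive=0 (the ones that actually failed pmlogger). The script below is an added example, not part of the bug report and not code from PCP or the openSUSE SELinux policy. It parses AVC lines, unions the denied permissions per (source type, target type, class) into the allow rules audit2allow would print, counts how many denials happened in enforcing mode, and flags rules whose source is a broad domain such as init_t, since that pattern means the rc script never transitioned into a pcp domain and an allow rule would widen init itself rather than confine pcp. The sample input is a constructed subset of the AVC lines quoted above (PATH records dropped); BROAD_DOMAINS, selinux_type and the other function names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC records quoted in comment #7 of this
# bug, with the accompanying PATH records dropped, kept inline so the script runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1716877644.953:46328): avc: denied { add_name } for pid=18618 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1716877645.030:46342): avc: denied { add_name } for pid=18652 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1716877746.770:48967): avc: denied { write open } for pid=22395 comm="rc" path="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/tmp" dev="vdb3" ino=5699243 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.770:48967): avc: denied { create } for pid=22395 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.780:48971): avc: denied { append } for pid=22395 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.790:48976): avc: denied { read } for pid=22424 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
"""

# AVC record shape: type=AVC msg=audit(<secs>:<serial>): avc: denied { perm ... } for key=value ...
# \s+ tolerates both the kernel's double spaces and the collapsed spacing of a pasted log.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Broad source domains (this example's list): a denial here usually means the subject
# never transitioned into its own domain, so an allow rule would widen a powerful domain.
BROAD_DOMAINS = {"init_t", "unconfined_t", "unconfined_service_t"}


def selinux_type(context):
    """Third field of user:role:type[:mls] is the type; MLS ranges may add more colons."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict; return None for other record types (PATH, SYSCALL, ...)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": kv.get("comm"),
        "target": kv.get("path") or kv.get("name"),
        "stype": selinux_type(kv["scontext"]),
        "ttype": selinux_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        "permissive": kv.get("permissive") == "1",
    }


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Union of denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def render_te(rules):
    """Render the aggregate as allow rules in the shape audit2allow prints."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def enforcing_denials(records):
    """Only denials with permissive=0 actually failed the caller; permissive=1 ones were logged and allowed."""
    return sum(1 for r in records if r["result"] == "denied" and not r["permissive"])


def caveats(rules):
    """Flag rules whose source is a broad domain: the fix is a domain transition, not a wider allow."""
    return sorted({
        f"{s}: consider a dedicated domain and transition instead of widening {s}"
        for (s, _, _) in rules if s in BROAD_DOMAINS
    })


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT)
    rules = summarize(recs)
    print("\n".join(render_te(rules)))
    print(f"# {enforcing_denials(recs)} of {len(recs)} denials occurred in enforcing mode")
    for c in caveats(rules):
        print("#", c)
```

On a live host the same aggregation is what `ausearch -m avc -ts boot | audit2allow -M pcp_local` followed by `semodule -i pcp_local.pp` would do; the reason to read the rules before loading them is exactly the caveat the script prints, since granting init_t write access to pcp_var_lib_t makes every service started by init able to scribble in /var/lib/pcp.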
https://bugzilla.suse.com/show_bug.cgi?id=1223260
https://bugzilla.suse.com/show_bug.cgi?id=1223260#c10

Rein Fernhout <rein+suse@purelymail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED
                 CC|                            |rein+suse@purelymail.com

--- Comment #10 from Rein Fernhout <rein+suse@purelymail.com> ---
This bug still appears to be present.