Bug 1223260

Summary: SELinux denies pcp
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Felix Niederwanger <felix.niederwanger>
Component: Security
Assignee: David Disseldorp <ddiss>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: cathy.hu, ddiss, filippo.bonazzi
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: ausearch -ts boot -m avc

Description Felix Niederwanger 2024-04-22 13:20:52 UTC
Created attachment 874416
ausearch -ts boot -m avc

On MicroOS, starting pmlogger with SELinux in enforcing mode fails with several SELinux-related denials:

> Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger...
> Apr 22 13:14:01 microos rc[2682]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.d9N3i7aLW/tmp: Permission denied
> Apr 22 13:14:01 microos rc[2750]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.7vdZJLmGN/pmcheck.out: Permission denied
> Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE
> Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'.
> Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger.
> Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Scheduled restart job, restart counter is at 1.
> Apr 22 13:14:01 microos systemd[1]: Stopped Performance Metrics Archive Logger.
> Apr 22 13:14:01 microos systemd[1]: Starting Performance Metrics Archive Logger...
> Apr 22 13:14:01 microos rc[2958]: /etc/pcp/pmlogger/rc: line 153: /var/lib/pcp/tmp/pmlogger_rc.yWYJd9JBe/tmp: Permission denied
> Apr 22 13:14:01 microos rc[2991]: /etc/pcp/pmlogger/rc: line 92: /var/lib/pcp/tmp/pmlogger_rc_start.OcmNVcLdA/pmcheck.out: Permission denied
> Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Main process exited, code=exited, status=1/FAILURE
> Apr 22 13:14:01 microos systemd[1]: pmlogger.service: Failed with result 'exit-code'.
> Apr 22 13:14:01 microos systemd[1]: Failed to start Performance Metrics Archive Logger.
> ...

I'm attaching the output of ausearch -ts boot -m avc; the failures are coming from the rc program and are related to tmp and pmcheck.out.
Comment 1 Filippo Bonazzi 2024-04-23 08:17:41 UTC
The first two attached AVCs are related to another issue:

----
time->Mon Apr 22 13:13:58 2024
type=AVC msg=audit(1713791638.806:489): avc:  denied  { map_read map_write } for  pid=2439 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
time->Mon Apr 22 13:13:58 2024
type=AVC msg=audit(1713791638.809:490): avc:  denied  { map_read map_write } for  pid=2445 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0

Already fixed in bug 1222736.

The rest are related to the PCP/pmlogger issue described here; we will look into this.
Comment 2 Felix Niederwanger 2024-04-24 06:07:21 UTC
(In reply to Filippo Bonazzi from comment #1)
> The first two attached AVCs are related to another issue:
> 
> ----
> time->Mon Apr 22 13:13:58 2024
> type=AVC msg=audit(1713791638.806:489): avc:  denied  { map_read map_write }
> for  pid=2439 comm="systemd-fstab-g"
> scontext=system_u:system_r:systemd_fstab_generator_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
> ----
> time->Mon Apr 22 13:13:58 2024
> type=AVC msg=audit(1713791638.809:490): avc:  denied  { map_read map_write }
> for  pid=2445 comm="systemd-gpt-aut"
> scontext=system_u:system_r:systemd_gpt_generator_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
> 
> Already fixed in bug 1222736.
> 
> The rest are related to the PCP/pmlogger issue described here, we will look
> into this.

Thank you Filippo!
Comment 3 Cathy Hu 2024-05-14 11:38:51 UTC
pcp seems to ship an upstream selinux module, which fixes these issues. In the pcp specfile this module could be enabled for factory/microos/SLM/SLFO.

I will send a request to pcp enabling the module, CCing @ddiss as pcp maintainer for objections.
Comment 4 David Disseldorp 2024-05-14 11:49:49 UTC
(In reply to Cathy Hu from comment #3)
> pcp seems to ship an upstream selinux module, which fixes these issues. In
> the pcp specfile this module could be enabled for factory/microos/SLM/SLFO.
> 
> i will send a request to pcp enabling the module, ccing @ddiss as pcp
> maintainer for objections

Thanks Cathy! I'm fine with having it enabled. Do you expect the selinux module to work on all releases, or could there be incompat problems for older kernels, etc.?
Comment 5 Cathy Hu 2024-05-14 12:30:00 UTC
Hmm, I think it should work on all 0%{?suse_version} >= 1600... for older stuff I would not enable it.
Comment 6 Cathy Hu 2024-05-15 10:26:15 UTC
I am not too deep into the pcp packaging, so please feel free to point out issues in the SR :)
https://build.opensuse.org/request/show/1174199
Comment 7 Felix Niederwanger 2024-05-28 06:31:30 UTC
pcp still doesn't work on MicroOS with SELinux in enforcing mode:

> type=PATH msg=audit(1716877644.953:46328): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.gliqVCgUQ/" inode=5698894 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877644.953:46328): avc:  denied  { add_name } for  pid=18618 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877645.030:46342): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.IVIMGaQN1/" inode=5698895 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877645.030:46342): avc:  denied  { add_name } for  pid=18652 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877645.503:46433): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.na2TBjy1B/" inode=5698906 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877645.503:46433): avc:  denied  { add_name } for  pid=18736 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877645.593:46453): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.QFpncch3t/" inode=5698924 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877645.593:46453): avc:  denied  { add_name } for  pid=18793 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877645.906:46514): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.yjgaR7N41/" inode=5698931 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877645.906:46514): avc:  denied  { add_name } for  pid=18842 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877645.986:46529): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.d0H7AK6Ej/" inode=5698932 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877645.986:46529): avc:  denied  { add_name } for  pid=18881 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877646.410:46616): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.ZjP5ELV8G/" inode=5698938 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877646.410:46616): avc:  denied  { add_name } for  pid=18964 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877646.490:46630): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.fpcmZskk9/" inode=5698939 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877646.490:46630): avc:  denied  { add_name } for  pid=18998 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877646.896:46718): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.DiHnsjgMm/" inode=5698946 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877646.896:46718): avc:  denied  { add_name } for  pid=19076 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877646.966:46732): item=0 name="/var/lib/pcp/tmp/pmlogger_rc_start.70UcJYJ37/" inode=5698947 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877646.966:46732): avc:  denied  { add_name } for  pid=19111 comm="rc" name="pmcheck.out" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
> type=PATH msg=audit(1716877746.770:48967): item=1 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/tmp" inode=5699243 dev=00:26 mode=0100644 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(1716877746.770:48967): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/" inode=5699242 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877746.770:48967): avc:  denied  { write open } for  pid=22395 comm="rc" path="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/tmp" dev="vdb3" ino=5699243 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1716877746.770:48967): avc:  denied  { create } for  pid=22395 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1716877746.770:48967): avc:  denied  { add_name } for  pid=22395 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=1
> type=PATH msg=audit(1716877746.780:48971): item=1 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/pcp.env.path" inode=5699244 dev=00:26 mode=0100644 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(1716877746.780:48971): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/" inode=5699242 dev=00:26 mode=040700 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877746.780:48971): avc:  denied  { append } for  pid=22395 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
> type=PATH msg=audit(1716877746.790:48976): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/pcp.env.path" inode=5699244 dev=00:26 mode=0100644 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=AVC msg=audit(1716877746.790:48976): avc:  denied  { read } for  pid=22424 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1

This is MicroOS on 20240524, so it should include https://build.opensuse.org/request/show/1174199 and it looks like the issue is only partially resolved.
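An added example, not code from this bug or from the pcp project, that parses AVC records like the ones quoted in comment 7 and groups the denied permissions by source type, target type and object class; it also splits them by the permissive flag, which shows why the enforcing-mode records only ever contain add_name while the permissive=1 records list every access the rc script actually needs. The sample records are copied from the comment; the function names and the rule rendering are my own.

```python
import re
from collections import defaultdict
# Constructed sample: five AVC records and one PATH record quoted in comment 7 (fields verbatim).
SAMPLE_AVCS = """\
type=AVC msg=audit(1716877644.953:46328): avc:  denied  { add_name } for  pid=18618 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1716877746.770:48967): avc:  denied  { write open } for  pid=22395 comm="rc" path="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/tmp" dev="vdb3" ino=5699243 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.770:48967): avc:  denied  { create } for  pid=22395 comm="rc" name="tmp" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.780:48971): avc:  denied  { append } for  pid=22395 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1716877746.790:48976): avc:  denied  { read } for  pid=22424 comm="rc" name="pcp.env.path" dev="vdb3" ino=5699244 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pcp_var_lib_t:s0 tclass=file permissive=1
type=PATH msg=audit(1716877746.790:48976): item=0 name="/var/lib/pcp/tmp/pmlogger_rc.OAuW8acVJ/pcp.env.path" inode=5699244 dev=00:26 mode=0100644 ouid=472 ogid=472 rdev=00:00 obj=system_u:object_r:pcp_var_lib_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])')

def parse_avc(line):
    """Fields of one AVC denial, or None for other record types (PATH etc.)."""
    m = AVC_RE.search(line.lstrip("> "))  # tolerate lines pasted from a bug comment
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    rec["permissive"] = rec["permissive"] == "1"
    # the third field of user:role:type:level is the SELinux type
    rec["stype"], rec["ttype"] = (rec[k].split(":")[2] for k in ("scontext", "tcontext"))
    return rec

def denials(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

def summarize(text):
    """Union of denied permissions per (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in denials(text):
        summary[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(summary)

def perms_by_mode(text):
    """Enforcing mode stops the script at the first failed check (add_name on the
    directory), so only the permissive=1 records show every access it needs."""
    modes = {False: set(), True: set()}
    for r in denials(text):
        modes[r["permissive"]] |= r["perms"]
    return modes

def as_allow_rules(summary):
    """Candidate rules for review only: with init_t as the source they would widen
    init itself, which is why the fix in this bug is the packaged pcp SELinux module."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]
```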
Comment 8 Cathy Hu 2024-05-28 07:54:52 UTC
will have another look, thanks for testing!
Comment 9 Cathy Hu 2024-05-28 14:26:44 UTC
Hmm, maybe I am missing something, but I don't think the changes are in factory yet; I only see them in Base:System/pcp.

See the diff between Base:System/pcp and factory: https://build.opensuse.org/package/rdiff/Base:System/pcp?opackage=pcp&oproject=openSUSE%3AFactory&rev=139

The fix is in the newly introduced pcp-selinux package, which I cannot find in factory yet.

Setting @ddiss as assignee to submit to factory; please feel free to assign back to me if I misunderstood or it is still broken after that.

Thanks :)