emerge carbon-1.1.5 with collectd and graphite

setenforce 0 works well
setenforce 1 will stop with a permission denied

-------- avc ------------------
Jan 31 20:11:45 bismuth kernel: [ 2653.979862] audit: type=1400 audit(1548983505.623:13617): avc: denied { name_bind } for pid=6048 comm="carbon-aggregat" src=2023 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=0

------ logs ----------------
/etc/init.d/carbon-aggregator start
Authenticating root.
Password:
 * Starting carbon-aggregator instance a ...
31/01/2019 20:14:08 :: Using sorted write strategy for cache
==> /var/log/carbon/aggregator.log <==
31/01/2019 20:14:08 :: reading new aggregation rules from /etc/carbon/aggregation-rules.conf
31/01/2019 20:14:08 :: clearing aggregation buffers
==> /var/log/carbon/clients.log <==
31/01/2019 20:14:08 :: connecting to carbon daemon at 127.0.0.1:2004:None
==> /var/log/carbon/console.log <==
31/01/2019 20:14:08 :: twistd 16.6.0 (/usr/bin/python2.7 2.7.15) starting up.
31/01/2019 20:14:08 :: reactor class: twisted.internet.epollreactor.EPollReactor.
31/01/2019 20:14:08 :: Starting factory CarbonClientFactory(127.0.0.1:2004:None)
==> /var/log/carbon/clients.log <==
31/01/2019 20:14:08 :: CarbonClientFactory(127.0.0.1:2004:None)::startedConnecting (127.0.0.1:2004)
An error has occurred: b'error: [Errno 13] Permission denied'
Please look at log file for more information.
==> /var/log/carbon/console.log <==
31/01/2019 20:14:08 :: Traceback (most recent call last):
31/01/2019 20:14:08 ::   File "/usr/lib/python-exec/python2.7/carbon-aggregator.py", line 32, in <module>
31/01/2019 20:14:08 ::     run_twistd_plugin(__file__)
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/carbon/util.py", line 140, in run_twistd_plugin
31/01/2019 20:14:08 ::     runApp(config)
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/scripts/twistd.py", line 25, in runApp
31/01/2019 20:14:08 ::     _SomeApplicationRunner(config).run()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 383, in run
31/01/2019 20:14:08 ::     self.postApplication()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/scripts/_twistd_unix.py", line 248, in postApplication
31/01/2019 20:14:08 ::     self.startApplication(self.application)
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/scripts/_twistd_unix.py", line 444, in startApplication
31/01/2019 20:14:08 ::     app.startApplication(application, not self.config['no_save'])
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 664, in startApplication
31/01/2019 20:14:08 ::     service.IService(application).startService()
 * start-stop-daemon: failed to start `/usr/bin/carbon-aggregator.py'
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/service.py", line 283, in startService
31/01/2019 20:14:08 ::     service.startService()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/service.py", line 283, in startService
31/01/2019 20:14:08 ::     service.startService()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/carbon/protocols.py", line 76, in startService
31/01/2019 20:14:08 ::     carbon_sock.bind((self.interface, self.port))
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/socket.py", line 228, in meth
31/01/2019 20:14:08 ::     return getattr(self._sock,name)(*args)
31/01/2019 20:14:08 :: socket.error: [Errno 13] Permission denied
 * Failed to start carbon-aggregator                                    [ !! ]
 * ERROR: carbon-aggregator failed to start

I know how to fix it by hand, but I have no clue how to package it in a sec-policy/selinux-carbon (yet). Looking into it now.
Correction here, these belong to the carbon-aggregate -cache -relay init scripts, so I guess a better way to deal with it is to create a carbon_t, maybe a carbon_port_t. Or bag all of these under collectd? But collectd doesn't have a type either...

This is my lame beginning into the policy world.

policy_module(carbon, 1.1.5)

# domain for the carbon daemons and the type of their executables
type carbon_t;
type carbon_exec_t;
init_daemon_domain(carbon_t, carbon_exec_t)

# type for the /etc/init.d/carbon-* scripts
type carbon_initrc_exec_t;
init_script_file(carbon_initrc_exec_t)

allow carbon_t self:packet_socket create_socket_perms;
allow carbon_t self:rawip_socket create_socket_perms;
allow carbon_t self:unix_stream_socket { accept listen };
Created attachment 563400 [details]
Workaround policies

This is not a proper policy file but it works:

audit2allow -i carbon-audit
edit and add header and types
setenforce 0
make -f /usr/share/selinux/strict/include/Makefile carbon.te all
semodule -i carbon.pp
setenforce 1

Working...
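For comparison with the audit2allow-generated workaround above and the carbon_t / carbon_port_t idea from the earlier comment, here is an added example of what a refpolicy-style carbon.te could look like; it is not the attachment from this bug nor anything shipped by Gentoo or graphite. The only facts taken from the report are the name_bind denial on unreserved_port_t (port 2023), the aggregator connecting to the cache on 127.0.0.1:2004, the /etc/init.d/carbon-aggregator script and the /usr/lib/python-exec/python2.7/carbon-aggregator.py path from the traceback; the carbon_conf_t, carbon_var_lib_t, carbon_log_t and carbon_var_run_t types, the paths in the .fc comments and the file rules are assumptions about a standard carbon layout. The point of the dedicated port type is that carbon gets to bind only ports an administrator has explicitly labelled, rather than every unreserved port.

```selinux
policy_module(carbon, 1.1.5)

########################################
#
# Declarations
#

type carbon_t;
type carbon_exec_t;
init_daemon_domain(carbon_t, carbon_exec_t)

type carbon_initrc_exec_t;
init_script_file(carbon_initrc_exec_t)

# Private port type: carbon may bind only ports labelled carbon_port_t
# (assigned with semanage port), not everything under unreserved_port_t
# as the AVC in the report asked for.
type carbon_port_t;
corenet_port(carbon_port_t)

# Assumed file types; label the paths in carbon.fc, e.g.
#   /etc/carbon(/.*)?      gen_context(system_u:object_r:carbon_conf_t,s0)
#   /var/lib/carbon(/.*)?  gen_context(system_u:object_r:carbon_var_lib_t,s0)
#   /var/log/carbon(/.*)?  gen_context(system_u:object_r:carbon_log_t,s0)
#   /run/carbon(/.*)?      gen_context(system_u:object_r:carbon_var_run_t,s0)
#   /etc/init\.d/carbon-(aggregator|cache|relay) -- gen_context(system_u:object_r:carbon_initrc_exec_t,s0)
#   /usr/lib/python-exec/python[0-9.]+/carbon-(aggregator|cache|relay)\.py -- gen_context(system_u:object_r:carbon_exec_t,s0)
# The traceback shows /usr/lib/python-exec/... as the file actually executed;
# on Gentoo /usr/bin/carbon-*.py is the python-exec wrapper symlink, so labelling
# only that path gives no domain transition.
type carbon_conf_t;
files_config_file(carbon_conf_t)

type carbon_var_lib_t;
files_type(carbon_var_lib_t)

type carbon_log_t;
logging_log_file(carbon_log_t)

type carbon_var_run_t;
files_pid_file(carbon_var_run_t)

########################################
#
# Local policy
#

allow carbon_t self:process { signal_perms setrlimit };
allow carbon_t self:fifo_file rw_fifo_file_perms;
allow carbon_t self:unix_stream_socket { accept listen };
allow carbon_t self:tcp_socket create_stream_socket_perms;
allow carbon_t self:udp_socket create_socket_perms;

# Listen on the carbon ports (this is the name_bind the AVC denied) and let
# the aggregator/relay connect to the cache on 127.0.0.1:2004 (clients.log).
allow carbon_t carbon_port_t:tcp_socket { name_bind name_connect };
allow carbon_t carbon_port_t:udp_socket name_bind;
corenet_all_recvfrom_unlabeled(carbon_t)
corenet_tcp_sendrecv_generic_if(carbon_t)
corenet_tcp_sendrecv_generic_node(carbon_t)
corenet_tcp_bind_generic_node(carbon_t)
corenet_udp_bind_generic_node(carbon_t)

# Configuration is read only; whisper data, logs and pid files are managed.
files_search_etc(carbon_t)
read_files_pattern(carbon_t, carbon_conf_t, carbon_conf_t)

files_search_var_lib(carbon_t)
manage_dirs_pattern(carbon_t, carbon_var_lib_t, carbon_var_lib_t)
manage_files_pattern(carbon_t, carbon_var_lib_t, carbon_var_lib_t)

logging_search_logs(carbon_t)
manage_dirs_pattern(carbon_t, carbon_log_t, carbon_log_t)
manage_files_pattern(carbon_t, carbon_log_t, carbon_log_t)
logging_log_filetrans(carbon_t, carbon_log_t, { dir file })

files_search_pids(carbon_t)
manage_files_pattern(carbon_t, carbon_var_run_t, carbon_var_run_t)
files_pid_filetrans(carbon_t, carbon_var_run_t, file)

# twistd is a Python program: execute the interpreter and read its libraries.
corecmd_exec_bin(carbon_t)
files_read_usr_files(carbon_t)
libs_read_lib_files(carbon_t)
kernel_read_system_state(carbon_t)
miscfiles_read_localization(carbon_t)
sysnet_dns_name_resolve(carbon_t)
```

Build and load it the same way as the workaround (make -f /usr/share/selinux/strict/include/Makefile carbon.pp, then semodule -i carbon.pp), then assign the listener ports to the new type: semanage port -a -t carbon_port_t -p tcp 2023 for the aggregator port from the AVC and semanage port -a -t carbon_port_t -p tcp 2004 for the cache port from clients.log, and the same for whatever other ports carbon.conf configures (semanage reports a port that is already defined; use -m in that case). Finish with restorecon -RFv on the paths named in the .fc comments so the daemons actually transition into carbon_t. While shaking out remaining denials, semanage permissive -a carbon_t makes only that one domain permissive, which avoids the global setenforce 0 used in the workaround; semanage permissive -d carbon_t removes it again once audit2allow shows nothing new.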