Bug 677024 - dev-python/carbon-1.1.5 missing collectd_port_t for port 2003 and 2004
Summary: dev-python/carbon-1.1.5 missing collectd_port_t for port 2003 and 2004
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2019-02-01 01:18 UTC by Philippe Trottier
Modified: 2024-04-23 15:00 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
Workaround policies (carbon.te, 232 bytes, text/plain)
2019-02-01 03:08 UTC, Philippe Trottier

Description Philippe Trottier 2019-02-01 01:18:36 UTC
emerge carbon-1.1.5 with collectd and graphite

setenforce 0 works well
setenforce 1 will stop with a permission denied

-------- avc ------------------

Jan 31 20:11:45 bismuth kernel: [ 2653.979862] audit: type=1400 audit(1548983505.623:13617): avc:  denied  { name_bind } for  pid=6048 comm="carbon-aggregat" src=2023 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=0


------ logs ----------------


/etc/init.d/carbon-aggregator start
Authenticating root.
Password: 
 * Starting carbon-aggregator instance a ...
31/01/2019 20:14:08 :: Using sorted write strategy for cache

==> /var/log/carbon/aggregator.log <==
31/01/2019 20:14:08 :: reading new aggregation rules from /etc/carbon/aggregation-rules.conf
31/01/2019 20:14:08 :: clearing aggregation buffers

==> /var/log/carbon/clients.log <==
31/01/2019 20:14:08 :: connecting to carbon daemon at 127.0.0.1:2004:None

==> /var/log/carbon/console.log <==
31/01/2019 20:14:08 :: twistd 16.6.0 (/usr/bin/python2.7 2.7.15) starting up.
31/01/2019 20:14:08 :: reactor class: twisted.internet.epollreactor.EPollReactor.
31/01/2019 20:14:08 :: Starting factory CarbonClientFactory(127.0.0.1:2004:None)

==> /var/log/carbon/clients.log <==
31/01/2019 20:14:08 :: CarbonClientFactory(127.0.0.1:2004:None)::startedConnecting (127.0.0.1:2004)
An error has occurred: b'error: [Errno 13] Permission denied'
Please look at log file for more information.

==> /var/log/carbon/console.log <==
31/01/2019 20:14:08 :: Traceback (most recent call last):
31/01/2019 20:14:08 ::   File "/usr/lib/python-exec/python2.7/carbon-aggregator.py", line 32, in <module>
31/01/2019 20:14:08 ::     run_twistd_plugin(__file__)
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/carbon/util.py", line 140, in run_twistd_plugin
31/01/2019 20:14:08 ::     runApp(config)
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/scripts/twistd.py", line 25, in runApp
31/01/2019 20:14:08 ::     _SomeApplicationRunner(config).run()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 383, in run
31/01/2019 20:14:08 ::     self.postApplication()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/scripts/_twistd_unix.py", line 248, in postApplication
31/01/2019 20:14:08 ::     self.startApplication(self.application)
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/scripts/_twistd_unix.py", line 444, in startApplication
31/01/2019 20:14:08 ::     app.startApplication(application, not self.config['no_save'])
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 664, in startApplication
31/01/2019 20:14:08 ::     service.IService(application).startService()
 * start-stop-daemon: failed to start `/usr/bin/carbon-aggregator.py'
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/service.py", line 283, in startService
31/01/2019 20:14:08 ::     service.startService()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/twisted/application/service.py", line 283, in startService
31/01/2019 20:14:08 ::     service.startService()
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/site-packages/carbon/protocols.py", line 76, in startService
31/01/2019 20:14:08 ::     carbon_sock.bind((self.interface, self.port))
31/01/2019 20:14:08 ::   File "/usr/lib64/python2.7/socket.py", line 228, in meth
31/01/2019 20:14:08 ::     return getattr(self._sock,name)(*args)
31/01/2019 20:14:08 :: socket.error: [Errno 13] Permission denied
 * Failed to start carbon-aggregator                                                      [ !! ]
 * ERROR: carbon-aggregator failed to start

I know how to fix it by hand, but I have no clue how to package it in a sec-policy/selinux-carbon (yet); looking into it now.
Comment 1 Philippe Trottier 2019-02-01 02:46:27 UTC
Correction here: these belong to the carbon-aggregator, -cache and -relay init scripts.

So I guess a better way to deal with it is to create a carbon_t, maybe a carbon_port_t.

Or bag all of these under collectd? But collectd doesn't have a type either...

This is my lame beginning into the policy world.

policy_module(carbon, 1.1.5)

# Domain for the carbon daemons and the type of their executables;
# init_daemon_domain() lets an init script transition into carbon_t.
type carbon_t;
type carbon_exec_t;
init_daemon_domain(carbon_t, carbon_exec_t)

# Type for the /etc/init.d/carbon-* scripts themselves.
type carbon_initrc_exec_t;
init_script_file(carbon_initrc_exec_t)

# Socket permissions for the daemons.
allow carbon_t self:packet_socket create_socket_perms;
allow carbon_t self:rawip_socket create_socket_perms;
allow carbon_t self:unix_stream_socket { accept listen };
Comment 2 Philippe Trottier 2019-02-01 03:08:48 UTC
Created attachment 563400 [details]
Workaround policies

This is not a proper policy file, but it works:
audit2allow -i carbon-audit
edit and add header and types
setenforce 0
make -f /usr/share/selinux/strict/include/Makefile carbon.te all
semodule -i carbon.pp
setenforce 1

Working...
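The workaround above feeds the AVC denial to audit2allow and loads whatever allow rule comes out. As an added example that is not part of this bug report or of the carbon package, the Python below parses the denial quoted in the description and derives the narrower fix the reporter is reaching for in comment 1: a dedicated carbon_port_t, the `semanage port` commands that label the ports, and the .te lines that let only carbon_t bind them. It assumes the refpolicy interfaces corenet_port() and corenet_tcp_bind_generic_node(); the carbon-cache denial in the sample input is constructed, not taken from the report.

```python
"""Added example, not from the bug report: parse the AVC denial quoted above
and derive a targeted SELinux fix (dedicated port type + domain transition)
instead of the blanket rule audit2allow would emit for it."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the first line is the denial from the report,
# the second is made up to stand in for carbon-cache binding port 2004.
SAMPLE_AVC_LINES = [
    "Jan 31 20:11:45 bismuth kernel: [ 2653.979862] audit: type=1400 "
    "audit(1548983505.623:13617): avc:  denied  { name_bind } for  pid=6048 "
    'comm="carbon-aggregat" src=2023 scontext=system_u:system_r:initrc_t '
    "tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=0",
    "Jan 31 20:15:02 bismuth kernel: [ 2850.100000] audit: type=1400 "
    "audit(1548983702.100:13650): avc:  denied  { name_bind } for  pid=6100 "
    'comm="carbon-cache" src=2004 scontext=system_u:system_r:initrc_t '
    "tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]
    pid: int
    comm: str
    src_port: Optional[int]  # for tcp/udp socket denials, src= is the local port
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial carried by an audit line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else raw
    src = fields.get("src")
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        pid=int(fields["pid"]),
        comm=fields["comm"],
        src_port=int(src) if src and src.isdigit() else None,
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def blanket_rule(d: AvcDenial) -> str:
    """The raw rule audit2allow derives from one denial. For this report it
    lets initrc_t (every init script) bind every unreserved port: far too wide."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {' '.join(d.perms)};"


def plan_port_fix(denials: List[AvcDenial], domain: str = "carbon_t",
                  port_type: str = "carbon_port_t") -> dict:
    """Turn name_bind denials on unreserved_port_t into a targeted fix: the
    ports to label, the semanage commands that label them, and the .te
    fragment that lets only `domain` bind them."""
    bind = [d for d in denials
            if "name_bind" in d.perms and d.tclass in ("tcp_socket", "udp_socket")
            and d.target_type == "unreserved_port_t" and d.src_port]
    ports = sorted({d.src_port for d in bind})
    protos = sorted({d.tclass.split("_")[0] for d in bind})  # "tcp" / "udp"
    te_lines = [f"type {port_type};", f"corenet_port({port_type})"]  # marks it a port type
    te_lines += [f"corenet_{p}_bind_generic_node({domain})" for p in protos]
    te_lines += [f"allow {domain} {port_type}:{p}_socket name_bind;" for p in protos]
    return {
        "ports": ports,
        "semanage": [f"semanage port -a -t {port_type} -p {p} {port}"
                     for p in protos for port in ports],
        "te": "\n".join(te_lines),
        # scontext is initrc_t, so the daemon never left the init script's
        # domain: the module also needs carbon_exec_t on the binaries (via
        # its .fc file) before init_daemon_domain() can transition it.
        "needs_domain_transition": any(d.source_type == "initrc_t" for d in bind),
    }


if __name__ == "__main__":
    parsed = [d for d in map(parse_avc, SAMPLE_AVC_LINES) if d]
    for d in parsed:
        print("audit2allow would emit:", blanket_rule(d))
    plan = plan_port_fix(parsed)
    print("\n".join(plan["semanage"]))
    print(plan["te"])
```

Load the module with semodule -i before running the semanage commands, since semanage rejects a port type the loaded policy does not define; and as the needs_domain_transition flag points out, the denial's scontext of initrc_t means the daemons still need their executables labelled carbon_exec_t for the transition into carbon_t to happen at all.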