RHEL-36293: SELinux prevents collectd from using sys_ptrace in user namespaces

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • rhel-9.5
    • selinux-policy
    • sst_security_selinux
    • ssg_security
    • QE ack
    • x86_64
    • Release Note Type: Unspecified - Unknown

      The collectd service does not trigger any SELinux denials when (re)started in the Testing Farm environment. The collectd service with the default configuration works as expected in enforcing mode.

      What were you trying to do that didn't work?

      Everything seems to work fine, but SELinux denials were triggered.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.37-1.el9.noarch
      selinux-policy-targeted-38.1.37-1.el9.noarch
      collectd-5.12.0-24.el9.x86_64

      How reproducible:

      not sure

      Steps to reproduce

      1. get a RHEL-9.5 machine (the targeted policy is active)
      2. run the following automated test: /CoreOS/selinux-policy/Regression/collectd-and-similar
      3. search for SELinux denials

      Expected results

      no SELinux denials

      Actual results

      ----
      type=PROCTITLE msg=audit(05/14/2024 05:47:14.491:7864) : proctitle=/usr/sbin/collectd 
      type=SYSCALL msg=audit(05/14/2024 05:47:14.491:7864) : arch=x86_64 syscall=read success=yes exit=177 a0=0x7 a1=0x7fc5ec000d70 a2=0x400 a3=0x0 items=0 ppid=1 pid=866907 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=reader#0 exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null) 
      type=AVC msg=audit(05/14/2024 05:47:14.491:7864) : avc:  denied  { sys_ptrace } for  pid=866907 comm=reader#0 capability=sys_ptrace  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=cap_userns permissive=0 
      ----
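      Step 3 of the reproducer ("search for SELinux denials") is normally done with ausearch -m AVC and the result is then fed to audit2allow to see what the policy is being asked for. The following Python script is an added example, not part of this issue or of the selinux-policy package: it does the same triage offline on the three records quoted above, parses the AVC record, extracts the source type, object class and permission, and reports whether the denial happened in enforcing mode (permissive=0). All function and variable names are the example's own.

```python
import re

# Audit records copied from the "Actual results" section of RHEL-36293.  The
# PROCTITLE and SYSCALL lines are included so the parser is exercised on the
# non-AVC records that audit.log always interleaves with the denial itself.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(05/14/2024 05:47:14.491:7864) : proctitle=/usr/sbin/collectd
type=SYSCALL msg=audit(05/14/2024 05:47:14.491:7864) : arch=x86_64 syscall=read success=yes exit=177 a0=0x7 a1=0x7fc5ec000d70 a2=0x400 a3=0x0 items=0 ppid=1 pid=866907 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=reader#0 exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(05/14/2024 05:47:14.491:7864) : avc:  denied  { sys_ptrace } for  pid=866907 comm=reader#0 capability=sys_ptrace  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=cap_userns permissive=0
"""

# Shape of an AVC record as printed by `ausearch -i`: timestamp and serial in
# parentheses, the verdict, the braced permission list, then key=value pairs.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[^)]*)\) : avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict describing one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    scontext = fields.get("scontext", "")
    tcontext = fields.get("tcontext", "")
    return {
        "serial": m.group("stamp").rsplit(":", 1)[-1],
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "scontext": scontext,
        "tcontext": tcontext,
        # The type is the third field of an SELinux context (user:role:type:level).
        "source_type": scontext.split(":")[2] if scontext.count(":") >= 2 else None,
        "target_type": tcontext.split(":")[2] if tcontext.count(":") >= 2 else None,
        "tclass": fields.get("tclass"),
        # permissive=0 means the access was really blocked, not merely logged.
        "enforcing": fields.get("permissive") == "0",
    }


def find_denials(audit_text, source_type=None):
    """All denied AVC records in audit_text, optionally limited to one source type."""
    denials = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if source_type is not None and rec["source_type"] != source_type:
            continue
        denials.append(rec)
    return denials


def suggested_rule(rec):
    """The allow rule that would cover this denial, in the form audit2allow prints it.
    Whether the access should be allowed or silenced with dontaudit is a decision
    for the policy maintainer; this only spells out what is being requested."""
    target = "self" if rec["target_type"] == rec["source_type"] else rec["target_type"]
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return f"allow {rec['source_type']} {target}:{rec['tclass']} {perms};"


if __name__ == "__main__":
    for rec in find_denials(SAMPLE_AUDIT_LOG, source_type="collectd_t"):
        mode = "enforcing" if rec["enforcing"] else "permissive"
        print(f"event {rec['serial']}: {rec['comm']} (pid {rec['pid']}) denied "
              f"{rec['tclass']} {{ {' '.join(rec['perms'])} }} in {mode} mode")
        print("  " + suggested_rule(rec))
```

      On the records above the script reports a single enforcing-mode denial for collectd_t, object class cap_userns, permission sys_ptrace, and the corresponding rule is allow collectd_t self:cap_userns sys_ptrace; (cap_userns is the class for capabilities exercised inside a user namespace, which is what distinguishes this denial from an ordinary capability denial).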
      

            Zdenek Pytela (rhn-support-zpytela), Milos Malik (mmalik@redhat.com)