commit d7679bd7cbb94692250a450bccf9f01cb982467f
Author: Mark Goodwin
Date: Fri Feb 12 10:12:59 2021 +1100
selinux, qa: allow pmcd to use netlink_tcpdiag_socket for sockets PMDA
Add SELinux rules allowing pmcd to create, setopt, bind, getattr and nlmsg_read to netlink tcpdiag sockets. Needed by pmdasockets. Update qa/1622 and 917.
Resolves: RHBZ#1926756
diff --git a/qa/1622 b/qa/1622
index 83f260d6d..f62b5f89a 100755
--- a/qa/1622
+++ b/qa/1622
@@ -216,6 +216,11 @@ type=AVC msg=audit(XXX.62): avc: denied { getattr open read } for pid=YYYY co
 type=AVC msg=audit(XXX.63): avc: denied { connectto } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:saslauthd_t:s0 tclass=unix_stream_socket permissive=0
 type=AVC msg=audit(XXX.66): avc: denied { sys_rawio } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmcd_t:s0 tclass=capability permissive=0
 type=AVC msg=audit(XXX.67): avc: denied { module_request } for pid=YYYY comm="pmdalinux" kmod="netdev-tun0" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
+type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
 EOF
 echo "Silence is golden ... all AVC's are allowed by active policy"
diff --git a/qa/917.out.in b/qa/917.out.in
index 69c3b2d12..ddec57f9c 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -125,6 +125,7 @@ Checking policies.
 allow [pcp_pmcd_t] [drbd_exec_t] : [file] { execute execute_no_trans };
 allow [pcp_pmcd_t] self : [netlink_generic_socket] { bind create getattr setopt write read };
 allow [pcp_pmcd_t] [sbd_exec_t] : [file] { execute execute_no_trans };
+ allow [pcp_pmcd_t] self : [netlink_tcpdiag_socket] { bind create getattr nlmsg_read setopt };
 allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };
 allow [pcp_pmcd_t] [shadow_t] : [file] { getattr ioctl lock open read };
 allow [pcp_pmie_t] [etc_t] : [dir] { open read search getattr lock ioctl };
diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
index 30b67d907..cbfa34c14 100644
--- a/src/selinux/GNUlocaldefs
+++ b/src/selinux/GNUlocaldefs
@@ -118,5 +118,7 @@ endif
 ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"
 PCP_NETLINK_GENERIC_SOCKET_CLASS="class netlink_generic_socket { bind create getattr setopt write read };"
+PCP_NETLINK_TCPDIAG_SOCKET_CLASS="class netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
 PCP_NETLINK_GENERIC_SOCKET_RULE="allow pcp_pmcd_t self:netlink_generic_socket { bind create getattr setopt write read };"
+PCP_NETLINK_TCPDIAG_SOCKET_RULE="allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };"
 endif
diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
index e16859d7e..d04644fcb 100644
--- a/src/selinux/GNUmakefile
+++ b/src/selinux/GNUmakefile
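Review bot: `PCP_NETLINK_TCPDIAG_SOCKET_CLASS` and `PCP_NETLINK_TCPDIAG_SOCKET_RULE` are set inside the existing `ifeq "$(PCP_SELINUX_NETLINK_GENERIC_SOCKET_CLASS)" "true"` block, so the new tcpdiag rule is gated by the configure probe for a different object class and no tcpdiag-specific probe appears in this hunk. On a policy where the generic probe is false the rule silently vanishes (presumably leaving the PMDA's ss(8) calls denied again), while a policy that has the generic class but not the tcpdiag class would fail at module load; either add a matching `PCP_SELINUX_NETLINK_TCPDIAG_SOCKET_CLASS` probe or record the assumption, e.g. `# netlink_tcpdiag_socket is assumed to exist wherever netlink_generic_socket does`. The permission set is narrower than the generic rule's (no `write`/`nlmsg_write`), which is the right least-privilege choice for read-only sock_diag queries; a one-line comment saying the omission is deliberate would stop a later change from widening it to match its neighbour.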
@@ -80,6 +80,8 @@ $(IAM).te: $(IAM).te.in
 -e 's+@PCP_ICMP_SOCKET_RULE@+'$(PCP_ICMP_SOCKET_RULE)'+' \
 -e 's+@PCP_NETLINK_GENERIC_SOCKET_CLASS@+'$(PCP_NETLINK_GENERIC_SOCKET_CLASS)'+' \
 -e 's+@PCP_NETLINK_GENERIC_SOCKET_RULE@+'$(PCP_NETLINK_GENERIC_SOCKET_RULE)'+' \
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_CLASS@+'$(PCP_NETLINK_TCPDIAG_SOCKET_CLASS)'+' \
+ -e 's+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@+'$(PCP_NETLINK_TCPDIAG_SOCKET_RULE)'+' \
 -e 's+@PCP_SELINUX_MACRO_RULE@+'$(PCP_SELINUX_MACRO_RULE)'+' \
 -e 's+@PACKAGE_VERSION@+'$(PACKAGE_VERSION)'+' \
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 36a043be1..d935aee36 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -90,6 +90,7 @@ require {
 @PCP_BPF_CLASS@
 class system { module_request };
 @PCP_NETLINK_GENERIC_SOCKET_CLASS@
+ @PCP_NETLINK_TCPDIAG_SOCKET_CLASS@
 }
 #============= init_t ==============
@@ -423,3 +424,11 @@ allow pcp_pmcd_t drbd_exec_t:file { execute execute_no_trans };
 # pmda-hacluster requirements for checking sbd
 # type=AVC msg=audit(XXX.81): avc: denied { execute_no_trans } for pid=421434 comm="sh" path="/usr/sbin/sbd" dev="vda1" ino=1050019 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sbd_exec_t:s0 tclass=file permissive=1
 @PCP_SBD_EXEC_RULE@
+
+#=========== pmda-sockets ============
+# type=AVC msg=audit(XXX.85): avc: denied { create } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.86): avc: denied { setopt } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.87): avc: denied { bind } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.88): avc: denied { getattr } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+# type=AVC msg=audit(XXX.89): avc: denied { nlmsg_read } for pid=YYYY comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=1
+@PCP_NETLINK_TCPDIAG_SOCKET_RULE@
commit a49772607d80b25b2ae4b8764be709bb27d7e16f
Author: Mark Goodwin
Date: Fri Feb 12 10:09:23 2021 +1100
pmdasockets: minor changes to Install and Remove, add -U username
Specify pmns_name in Install and Remove scripts since the pmda name differs to the namespace. Add -U username for optional use when run as a daemon.
diff --git a/src/pmdas/linux_sockets/GNUmakefile b/src/pmdas/linux_sockets/GNUmakefile
index 34897f2e9..a32987ef7 100644
--- a/src/pmdas/linux_sockets/GNUmakefile
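Review bot: The new rule is `allow pcp_pmcd_t self:netlink_tcpdiag_socket ...` and the AVCs quoted above it show comm="ss" already in pcp_pmcd_t, so ss(8) runs without a domain transition and the grant applies to everything in pcp_pmcd_t — pmcd and every daemon PMDA, not only pmdasockets. That is probably acceptable for a read-only monitoring domain, but it should be stated next to the rule, e.g. `# ss(8) runs in pcp_pmcd_t (no transition), so this is domain-wide; read-only: nlmsg_write deliberately omitted`. All five AVCs were captured with permissive=1, so an enforcing-mode run of the sockets PMDA is what confirms that ss needs nothing beyond these five permissions; anything it turns up belongs here and in qa/1622 together.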
+++ b/src/pmdas/linux_sockets/GNUmakefile
@@ -31,7 +31,7 @@ HFILES = indom.h cluster.h ss_stats.h
 LLDLIBS = $(PCP_PMDALIB)
 LCFLAGS = $(INVISIBILITY)
-SCRIPTS = Install Remove
+SCRIPTS = Install Remove Upgrade
 VERSION_SCRIPT = exports
 LDIRT = domain.h $(VERSION_SCRIPT) $(IAM).log
diff --git a/src/pmdas/linux_sockets/Install b/src/pmdas/linux_sockets/Install
index 4bc934c96..28d7c7f9e 100755
--- a/src/pmdas/linux_sockets/Install
+++ b/src/pmdas/linux_sockets/Install
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/usr/bin/sh
 #
 # Copyright (c) 2021 Red Hat.
 #
@@ -25,6 +25,8 @@ dso_opt=true
 pipe_opt=false
 daemon_opt=false
+pmns_name=network.persocket # differs to PMDA name
+
 which ss >/dev/null 2>&1
 if [ $? -ne 0 ]
 then
diff --git a/src/pmdas/linux_sockets/Remove b/src/pmdas/linux_sockets/Remove
index 26edc85aa..3fee6a0e6 100755
--- a/src/pmdas/linux_sockets/Remove
+++ b/src/pmdas/linux_sockets/Remove
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/usr/bin/sh
 #
 # Copyright (c) 2021 Red Hat.
 #
@@ -19,6 +19,7 @@
 . $PCP_SHARE_DIR/lib/pmdaproc.sh
 iam=sockets
+pmns_name=network.persocket # differs to PMDA name
 pmdaSetup
 pmdaRemove
diff --git a/src/pmdas/linux_sockets/pmda.c b/src/pmdas/linux_sockets/pmda.c
index 9bca5d9d0..fab4be290 100644
--- a/src/pmdas/linux_sockets/pmda.c
+++ b/src/pmdas/linux_sockets/pmda.c
@@ -23,6 +23,7 @@
 #include "ss_stats.h"
 static int _isDSO = 1; /* for local contexts */
+static char *username;
 /* metrics supported in this PMDA - see metrictab.c */
 extern pmdaMetric metrictable[];
@@ -200,6 +201,8 @@ sockets_init(pmdaInterface *dp)
 pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
 pmdaDSO(dp, PMDA_INTERFACE_7, "SOCKETS DSO", helppath);
 }
+ else
+ pmSetProcessIdentity(username);
 if (dp->status != 0)
 return;
@@ -227,12 +230,13 @@ static pmLongOptions longopts[] = {
 PMOPT_DEBUG,
 PMDAOPT_DOMAIN,
 PMDAOPT_LOGFILE,
+ PMDAOPT_USERNAME,
 PMOPT_HELP,
 PMDA_OPTIONS_END
 };
 static pmdaOptions opts = {
- .short_options = "D:d:l:?",
+ .short_options = "D:d:l:U:?",
 .long_options = longopts,
 };
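Review bot: `SCRIPTS = Install Remove Upgrade` adds an Upgrade script that this commit does not create and the commit message does not mention; unless src/pmdas/linux_sockets/Upgrade already exists in the tree, the install rule driven by $(SCRIPTS) will fail on a missing file. Either add the script in this commit or keep `SCRIPTS = Install Remove` until it exists.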
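Review bot: The interpreter line changes from `#! /bin/sh` to `#!/usr/bin/sh` in both Install and Remove, which ties the scripts to a merged-/usr layout; `/usr/bin/sh` is absent on non-merged Linux installs and on the BSDs, while `/bin/sh` is the location the original line and POSIX tooling rely on. Unless the build rewrites shebangs at install time, keep `#! /bin/sh`. The added `pmns_name=network.persocket # differs to PMDA name` line is fine as code, though the comment reads better as `# PMNS root differs from the PMDA name (sockets)`.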
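Review bot: `else pmSetProcessIdentity(username);` is an unbraced single-statement else hanging off a braced if, and it is the only point where the daemon switches identity, so it deserves braces and a why-comment, e.g. `} else {` / `/* daemon mode: switch to the -U user (default from pmGetUsername) before serving */` / `pmSetProcessIdentity(username);` / `}`. `username` is only assigned in main() (the pmGetUsername default and the -U override in the later hunks), so the call is safe when reached through main but would presumably pass NULL if sockets_init were ever driven as a daemon from elsewhere; a `username != NULL` check or a comment pinning that contract would help. Note also the ordering main() establishes: pmdaOpenLog() runs before sockets_init(), so the log file is opened under the original identity and only then is the switch made — worth a comment here if that is intentional. sockets_init starts before this hunk and continues after it.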
@@ -248,6 +252,7 @@ main(int argc, char **argv)
 _isDSO = 0;
 pmSetProgname(argv[0]);
+ pmGetUsername(&username);
 pmsprintf(helppath, sizeof(helppath), "%s%c" "sockets" "%c" "help",
 pmGetConfig("PCP_PMDAS_DIR"), sep, sep);
 pmdaDaemon(&dispatch, PMDA_INTERFACE_7, pmGetProgname(), SOCKETS, "sockets.log", helppath);
@@ -257,6 +262,8 @@ main(int argc, char **argv)
 pmdaUsageMessage(&opts);
 exit(1);
 }
+ if (opts.username)
+ username = opts.username;
 pmdaOpenLog(&dispatch);
 sockets_init(&dispatch);