1

My CentOS 7 VPS has SELinux enabled and is monitored by Collectd. It uses rrdtool to log the reported data. Pommi released a great solution that made me able to review all data on a webpage called CGP (http://pommi.nethuis.nl/collectd-graph-panel-v0-4/).

The RRD data is stored in /var/lib/collectd/my.host.name

drwxr-xr-x. root root system_u:object_r:collectd_var_lib_t:s0 my.host.name

When I open the CGP page it states Error: No Collectd hosts found in /var/lib/collectd/rrd but when I disable SELinux my host shows up and things work normally. The audit log shows:

The audit.log contains the following entries

type=AVC msg=audit(1410524820.750:15750): avc: denied { getattr } for pid=10468 comm="httpd" path="/var/lib/collectd/rrd" dev="dm-0" ino=72430599 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=dir

and

type=SYSCALL msg=audit(1410524820.750:15750): arch=c000003e syscall=4 success=no exit=-13 a0=7f093426da68 a1=7fff4fa46ae0 a2=7fff4fa46ae0 a3=1 items=0 ppid=10461 pid=10468 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

So I thought it would be sufficient to change the context of the /var/lib/collectd/rrd folder and contents to httpd_sys_content_t. Now CGP works and shows the host and stats. However, when I restart collectd and check the status it says:

Sep 12 14:31:31 my.host.name collectd[17910]: stat(/var/lib/collectd/rrd/my.host.name/memory/memory-cached.rrd) failed: Permission denied
Sep 12 14:31:31 my.host.name collectd[17910]: stat(/var/lib/collectd/rrd/my.host.name/memory/memory-free.rrd) failed: Permission denied
Sep 12 14:31:31 my.host.name collectd[17910]: Filter subsystem: Built-in target `write': Dispatching value to all write plugins failed with status -1.
Sep 12 14:31:31 my.host.name collectd[17910]: stat(/var/lib/collectd/rrd/my.host.name/interface-eth0/if_packets.rrd) failed: Permission denied
Sep 12 14:31:31 my.host.name collectd[17910]: Filter subsystem: Built-in target `write': Dispatching value to all write plugins failed with status -1.
Sep 12 14:31:31 my.host.name collectd[17910]: stat(/var/lib/collectd/rrd/my.host.name/interface-eth0/if_octets.rrd) failed: Permission denied
Sep 12 14:31:31 my.host.name collectd[17910]: Filter subsystem: Built-in target `write': Dispatching value to all write plugins failed with status -1.
Sep 12 14:31:31 my.host.name collectd[17910]: Filter subsystem: Built-in target `write': Dispatching value to all write plugins failed with status -1.
Sep 12 14:31:31 my.host.name collectd[17910]: stat(/var/lib/collectd/rrd/my.host.name/cpu-1/cpu-softirq.rrd) failed: Permission denied
Sep 12 14:31:31 my.host.name collectd[17910]: Filter subsystem: Built-in target `write': Dispatching value to all write plugins failed with status -1.

How can I set the security context so that both collectd AND httpd can access the content?

Tom
  • 123
  • 6

1 Answers1

4

You need to set up a selinux policy as described in the documentation

Here's the gist:

[root@collectd ~]# audit2allow -a


#============= httpd_t ==============

allow httpd_t collectd_var_lib_t:dir read;
allow httpd_t collectd_var_lib_t:file { read getattr open };

(this is the final iteration after running the next commands around 3 times and clicking around in CGP, since each iteration needed more access)

[root@collectd ~]# audit2allow -a -M cgp
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i cgp.pp

Run the command, rinse and repeat until you've hammered out all the permission issues.

Andrei Nistor
  • 176
  • 3