
Do the ansible-pcp playbooks handle any SELinux setup? #26

Open
portante opened this issue Jan 28, 2022 · 8 comments

Comments

@portante
Contributor

We reviewed SETroubleShoot output and were told we need to add, setsebool -P pcp_read_generic_logs 1 to our setup. Is there a playbook that would handle this and other settings?

@inntran

inntran commented Jan 28, 2022

More logs from setroubleshoot:

Jan 28 19:11:03 a-random-hostname setroubleshoot[512226]: SELinux is preventing /usr/sbin/rsyslogd from 'read, write' accesses on the fifo_file stats. For complete SELinux messages run: sealert -l 2850c443-bf2e-492e-b49c-12f42f01a289
Jan 28 19:11:03 a-random-hostname setroubleshoot[512226]: SELinux is preventing /usr/sbin/rsyslogd from 'read, write' accesses on the fifo_file stats.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that rsyslogd should be allowed read write access on the stats fifo_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'rs:main Q:Reg' --raw | audit2allow -M my-rsmainQReg
    # semodule -X 300 -i my-rsmainQReg.pp
                                                                                           
Jan 28 19:11:03 a-random-hostname setroubleshoot[512226]: AnalyzeThread.run(): Set alarm timeout to 10
Jan 28 19:11:08 a-random-hostname setroubleshoot[512226]: AnalyzeThread.run(): Cancel pending alarm
Jan 28 19:11:08 a-random-hostname setroubleshoot[512226]: SELinux is preventing /usr/sbin/ss from create access on the netlink_tcpdiag_socket labeled pcp_pmcd_t. For complete SELinux messages run: sealert -l 3a4ff71a-be92-4c5a-b31d-c80da1f22ca2
Jan 28 19:11:08 a-random-hostname setroubleshoot[512226]: SELinux is preventing /usr/sbin/ss from create access on the netlink_tcpdiag_socket labeled pcp_pmcd_t.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that ss should be allowed create access on netlink_tcpdiag_socket labeled pcp_pmcd_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'ss' --raw | audit2allow -M my-ss
    # semodule -X 300 -i my-ss.pp

PCP on this host was set up with https://github.com/performancecopilot/ansible-pcp , running on RHEL 8.5

@portante
Contributor Author

Also seeing tons of:

SELinux is preventing /usr/libexec/pcp/pmdas/linux/pmdalinux from read access on the file mdadm.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pmdalinux should be allowed read access on the mdadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pmdalinux' --raw | audit2allow -M my-pmdalinux
# semodule -X 300 -i my-pmdalinux.pp

@portante
Contributor Author

We are also unable to use PCP's pmproxy without moving to permissive mode for SELinux.

Jan 29 01:02:50 intlabproxy-004 setroubleshoot[5275]: SELinux is preventing /usr/libexec/pcp/bin/pmproxy from read access on the file disable_ipv6. For complete SELinux messages run: sealert -l 78eafcad-8d1a-4eb5-a90f-247561775c55
Jan 29 01:02:50 intlabproxy-004 setroubleshoot[5275]: SELinux is preventing /usr/libexec/pcp/bin/pmproxy from read access on the file disable_ipv6.

                                                                                              *****  Plugin catchall (100. confidence) suggests   **************************

                                                                                              If you believe that pmproxy should be allowed read access on the disable_ipv6 file by default.
                                                                                              Then you should report this as a bug.
                                                                                              You can generate a local policy module to allow this access.
                                                                                              Do
                                                                                              allow this access for now by executing:
                                                                                              # ausearch -c 'pmproxy' --raw | audit2allow -M my-pmproxy
                                                                                              # semodule -X 300 -i my-pmproxy.pp

Jan 29 01:02:50 intlabproxy-004 setroubleshoot[5275]: SELinux is preventing /usr/libexec/pcp/bin/pmproxy from using the dac_override capability. For complete SELinux messages run: sealert -l b5ee9d0b-62d4-4822-82ca-697387d27da3
Jan 29 01:02:50 intlabproxy-004 setroubleshoot[5275]: SELinux is preventing /usr/libexec/pcp/bin/pmproxy from using the dac_override capability.

                                                                                              *****  Plugin dac_override (91.4 confidence) suggests   **********************

                                                                                              If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
                                                                                              Then turn on full auditing to get path information about the offending file and generate the error again.
                                                                                              Do

                                                                                              Turn on full auditing
                                                                                              # auditctl -w /etc/shadow -p w
                                                                                              Try to recreate AVC. Then execute
                                                                                              # ausearch -m avc -ts recent
                                                                                              If you see PATH record check ownership/permissions on file, and fix it,
                                                                                              otherwise report as a bugzilla.

                                                                                              *****  Plugin catchall (9.59 confidence) suggests   **************************

                                                                                              If you believe that pmproxy should have the dac_override capability by default.
                                                                                              Then you should report this as a bug.
                                                                                              You can generate a local policy module to allow this access.
                                                                                              Do
                                                                                              allow this access for now by executing:
                                                                                              # ausearch -c 'pmproxy' --raw | audit2allow -M my-pmproxy
                                                                                              # semodule -X 300 -i my-pmproxy.pp

@natoscott
Member

@portante @inntran it sounds like something catastrophic has happened - maybe pcp-selinux has failed to install the PCP policy entirely...? Were there any errors during the install?

@portante
Contributor Author

portante commented Feb 1, 2022

All this was executed via ansible-pcp and the playbook invoking the role did not report failure.

@natoscott
Member

Hmm, not sure exactly what's happened then. FWIW the mdadm and disable_ipv6 permissions are definitely things that have been provided by pcp-selinux policy for some time (maybe years, even?), which is what makes me think this is a more major kind of failing rather than just a missing selinux policy permission or two.

@portante
Contributor Author

portante commented Feb 1, 2022

I ran dnf reinstall pcp-selinux:

[root@intlabproxy-004 redis]# dnf reinstall pcp-selinux
Updating Subscription Management repositories.
Last metadata expiration check: 3:17:49 ago on Tue 01 Feb 2022 12:16:04 AM UTC.
Dependencies resolved.
===========================================================================================================================================================================
 Package                                  Architecture                        Version                                 Repository                                      Size
===========================================================================================================================================================================
Reinstalling:
 pcp-selinux                              x86_64                              5.3.5-1                                 performancecpilot                               27 k

Transaction Summary
===========================================================================================================================================================================

Total download size: 27 k
Installed size: 156 k
Is this ok [y/N]: y
Downloading Packages:
pcp-selinux-5.3.5-1.x86_64.rpm                                                                                                             180 kB/s |  27 kB     00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                      178 kB/s |  27 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                   1/1
  Reinstalling     : pcp-selinux-5.3.5-1.x86_64                                                                                                                        1/2
  Running scriptlet: pcp-selinux-5.3.5-1.x86_64                                                                                                                        1/2
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream/cil:43
semodule:  Failed!

  Running scriptlet: pcp-selinux-5.3.5-1.x86_64                                                                                                                        2/2
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream/cil:43
semodule:  Failed!

  Cleanup          : pcp-selinux-5.3.5-1.x86_64                                                                                                                        2/2
  Running scriptlet: pcp-selinux-5.3.5-1.x86_64                                                                                                                        2/2
  Verifying        : pcp-selinux-5.3.5-1.x86_64                                                                                                                        1/2
  Verifying        : pcp-selinux-5.3.5-1.x86_64                                                                                                                        2/2
Installed products updated.

Reinstalled:
  pcp-selinux-5.3.5-1.x86_64

Complete!

@portante
Contributor Author

portante commented Feb 5, 2022

This is partially fixed by performancecopilot/pcp#1527, but the ansible playbook needs to check that all the expected SELinux modules were properly loaded.
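The check the last comment asks for, written as an added example playbook; it is not part of this thread and not code from ansible-pcp. It assumes the policy module is named pcpupstream (taken from the /var/lib/selinux/targeted/tmp/modules/400/pcpupstream path in the failed scriptlet output above), that `semodule -l` prints one loaded module name per line (true on RHEL 8), and that the ansible.posix collection is installed for the seboolean module. The pcp_read_generic_logs boolean comes from the opening comment.

```yaml
# Added example (not ansible-pcp's own code): fail the play if the PCP SELinux
# policy did not actually load, instead of trusting that the package install
# "succeeded" while its semodule scriptlet failed.
- name: Verify the PCP SELinux policy is loaded
  hosts: all
  become: true
  vars:
    # Assumption: module names shipped by pcp-selinux; pcpupstream is the one
    # visible in the failed scriptlet path in this issue.
    pcp_selinux_expected_modules:
      - pcpupstream
  tasks:
    - name: Check whether SELinux is enabled on this host
      ansible.builtin.command: getenforce
      register: pcp_getenforce
      changed_when: false
      failed_when: false

    - name: Skip the policy checks when SELinux is disabled
      ansible.builtin.meta: end_host
      when: pcp_getenforce.rc != 0 or pcp_getenforce.stdout == "Disabled"

    - name: List loaded SELinux policy modules
      # Assumption: one module name per line (RHEL 8 semodule behaviour).
      ansible.builtin.command: semodule -l
      register: pcp_semodule_list
      changed_when: false

    - name: Fail if any expected PCP policy module is missing
      ansible.builtin.assert:
        that: item in pcp_semodule_list.stdout_lines
        fail_msg: >-
          SELinux module '{{ item }}' is not loaded. The pcp-selinux scriptlet
          most likely failed; run 'dnf reinstall pcp-selinux' and check the
          semodule output for 'Failed to resolve' errors.
        success_msg: "SELinux module '{{ item }}' is loaded."
      loop: "{{ pcp_selinux_expected_modules }}"

    - name: Ensure the pcp_read_generic_logs boolean is on and persistent
      ansible.posix.seboolean:
        name: pcp_read_generic_logs
        state: true
        persistent: true
```

Run it with `ansible-playbook -i inventory verify-pcp-selinux.yml` after the ansible-pcp role has completed. Asserting on `semodule -l` rather than on the package state is the point: in this issue the RPM transaction reported `Complete!` even though both `semodule` scriptlets failed, so only the loaded-module list tells you whether the policy is actually in place.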
