cvmfs / collectd-cvmfs

Collectd Plugin to Monitor CvmFS Clients
Apache License 2.0

collectd not able to mount cvmfs if selinux is in place #5

Open traylenator opened 6 years ago

traylenator commented 6 years ago

We will need some extra selinux permissions to allow the collectd service to access cvmfs.

# grep avc /var/log/audit/audit.log | audit2allow   -a
#============= collectd_t ==============
allow collectd_t fusefs_t:dir read;

and probably others once mounted.

traylenator commented 6 years ago
module collectd_cvmfs 1.0;

require {
        type collectd_t;
        type fusefs_t;
        class dir read;
}

# rule derived from the AVC denial above
allow collectd_t fusefs_t:dir read;

but not the whole story. I now see

[2018-07-04 14:37:28] cvmfs: failed to get MountTime for repo cms.cern.ch

but no avc records...

luisfdez commented 6 years ago
policy_module(collectdcvmfs 1.2);

gen_require(`
    type collectd_t;
    type fusefs_t;
    class dir { read };
')

allow collectd_t fusefs_t:dir { read };

That works for me if all the config is set (including pointing to the typedb).

After enabling dontaudit rules I also see:

type=AVC msg=audit(1531298857.953:511): avc:  denied  { read } for  pid=18741 comm="collectd" path="/var/db/nscd/hosts" dev="vda1" ino=25798084 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file

But I think that one is not connected to this use case.
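The audit2allow step from the first comment and the AVC record quoted in the last one, as an added example that is not part of this issue or of the collectd-cvmfs project: a small Python script that parses AVC denial records and emits the same kind of type-enforcement module, with an ignore list so that unrelated denials (the nscd one) are not turned into allow rules. The fusefs_t record is constructed; the nscd record is the one quoted above.

```python
import re
from collections import defaultdict
# Constructed fusefs_t dir-read denial, then the nscd denial quoted in the thread.
AUDIT_LOG = """\
type=AVC msg=audit(1530708000.000:100): avc:  denied  { read } for  pid=18741 comm="collectd" name="cvmfs" dev="fuse" ino=1 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1531298857.953:511): avc:  denied  { read } for  pid=18741 comm="collectd" path="/var/db/nscd/hosts" dev="vda1" ino=25798084 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
"""

def parse_avc(line):
    """Return (source type, target type, class, permissions) for a denial, else None."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    stype = fields['scontext'].split(':')[2]   # user:role:type:level
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], set(m.group(1).split())

def collect_rules(log_text, source_type, ignore_types=()):
    """Merge denials for one source domain into {(src, tgt, class): perms}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        # Skip other domains and targets judged unrelated (e.g. the nscd cache).
        if stype != source_type or ttype in ignore_types:
            continue
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_module(name, version, rules):
    """Emit a type-enforcement (.te) module like the one audit2allow prints."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("collectd_cvmfs", "1.0",
                        collect_rules(AUDIT_LOG, "collectd_t", ("nscd_var_run_t",))))
```

The printed module can be compiled with checkmodule and semodule_package in the usual way; only the fusefs_t rule ends up in it.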