Why does SELinux prevent /usr/sbin/collectd from using the setgid capability?
Issue
- SELinux is preventing `/usr/sbin/collectd` from using the `setgid` capability.
- Have a simple collectd "exec" plugin that greps `MemAvailable` out of `/proc/meminfo`.
- On Red Hat Enterprise Linux 7.2 with SELinux in Enforcing mode, the plugin doesn't produce data, and this message is logged repeatedly in syslog:

collectd[12918]: exec plugin: setgid (99) failed: Operation not permitted
setroubleshoot: SELinux is preventing /usr/sbin/collectd from using the setgid capability. For complete SELinux messages run sealert -l 218ccca0-099c-426f-abcd-590317682d89

collectd runs exec plugins by forking, setting the uid and gid of the child to a configured unprivileged account (in this case "nobody", which is uid/gid 99 on Red Hat Enterprise Linux 7, hence `setgid (99)` in the log line) and then exec-ing the plugin. Setting file capabilities on the script is not relevant to this failure: the `setgid()` call is made in collectd's own forked child before any exec is done, so the check is applied to collectd's SELinux domain and credentials, not to the script's label. File capabilities would also serve to increase the privileges of the script, when the whole point of changing the uid/gid is to drop privileges.
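The sequence described above, as an added example written for this page rather than collectd's own source: the parent forks, the child calls `setgid()` and then `setuid()` for the target account, and only if both succeed does it exec the plugin. The function names `drop_privileges()` and `run_as()` are hypothetical, the target of uid/gid 99 assumes the RHEL 7 "nobody" account, and the child's error message is formatted in the same shape as the collectd log line so the failure point is recognisable. Run as root it executes the `MemAvailable` grep as nobody; run as an unprivileged user, `setgid(99)` fails with EPERM in the child and the exec never happens, which is the same ordering that makes file capabilities on the script irrelevant.

```c
/* Added example (not collectd's source): fork, drop privileges, then exec.
 * The privilege drop runs in the child *before* execve(), so a denial of
 * setgid() is attributed to the calling process (collectd's own credentials
 * and SELinux domain), not to the script that has not been executed yet.
 * Build: cc -o run_as run_as.c
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status the child uses when it cannot drop privileges. Distinct from
 * 127 (exec failed) and from ordinary exit codes of the plugin. */
#define EXIT_PRIVDROP_FAILED 125

/* Drop to gid then uid, group first: once the uid is unprivileged a later
 * setgid() could no longer succeed. Returns 0 on success or the errno of the
 * failing call; *step names the call that failed (NULL on success). */
int drop_privileges(uid_t uid, gid_t gid, const char **step)
{
    if (setgid(gid) != 0) {   /* needs CAP_SETGID unless gid is already ours */
        *step = "setgid";
        return errno;
    }
    if (setuid(uid) != 0) {   /* needs CAP_SETUID unless uid is already ours */
        *step = "setuid";
        return errno;
    }
    *step = NULL;
    return 0;
}

/* Fork, drop privileges in the child, then execvp(argv[0]). Returns the
 * child's exit status, or -1 if fork()/waitpid() fails or the child was
 * killed by a signal. A child that cannot drop privileges logs a message in
 * the same shape as collectd's and exits without ever reaching exec. */
int run_as(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        const char *step;
        int err = drop_privileges(uid, gid, &step);
        if (err != 0) {
            fprintf(stderr, "exec plugin: %s (%d) failed: %s\n", step,
                    strcmp(step, "setgid") == 0 ? (int)gid : (int)uid,
                    strerror(err));
            _exit(EXIT_PRIVDROP_FAILED);   /* exec is never attempted */
        }
        execvp(argv[0], argv);
        fprintf(stderr, "exec plugin: exec (%s) failed: %s\n", argv[0],
                strerror(errno));
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Same job as the page's exec plugin: grep MemAvailable out of
     * /proc/meminfo as nobody (uid/gid 99 on RHEL 7, assumed here). */
    char *const argv[] = { "grep", "MemAvailable", "/proc/meminfo", NULL };
    int rc = run_as(99, 99, argv);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Under SELinux the same ordering applies: the `setgid()` in the child is checked against the domain the child inherited from collectd, so a denial shows up as a capability denial for that domain, which is what `sealert -l` on the ID from the syslog message will describe.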
Environment
- Red Hat Enterprise Linux 7.2
