Why does SELinux prevent /usr/sbin/collectd from using the setgid capability?

Solution Verified - Updated -

Issue

  • SELinux is preventing /usr/sbin/collectd from using the setgid capability.
  • A simple collectd "exec" plugin greps MemAvailable out of /proc/meminfo.
  • On Red Hat Enterprise Linux 7.2 with SELinux in enforcing mode, the plugin produces no data, and this message is logged repeatedly in syslog:
collectd[12918]: exec plugin: setgid (99) failed: Operation not permitted
setroubleshoot: SELinux is preventing /usr/sbin/collectd from using the setgid capability. For complete SELinux messages. run sealert -l 218ccca0-099c-426f-abcd-590317682d89
  • collectd runs exec plugins by forking, switching the child's uid and gid to the configured unprivileged account (here "nobody", gid 99) and then exec-ing the plugin. It is this setgid() call in the collectd child that SELinux denies: the collectd process, not the script, is refused the setgid capability by the loaded policy. Setting file capabilities on the script is therefore irrelevant, since the failure happens before the exec; it would also raise the script's privileges, when the whole point of changing the uid/gid is to drop them.
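Added example (not part of this Red Hat solution and not collectd's own code): a small POSIX shell script that pulls the source domain, object class and denied permission out of an AVC record and confirms the denial is collectd_t being refused the setgid capability, followed by the ausearch/sesearch/audit2allow commands to run live on the affected host. The AVC line is constructed to match the syslog messages above (the audit timestamp, serial and pid are made up); the function names are the example's own.

```shell
#!/bin/sh
# Triage helper for "SELinux is preventing collectd from using the setgid capability".
# Added example, not from the Red Hat knowledgebase article or the collectd project.
#
# CONSTRUCTED sample AVC record. Field layout follows the kernel audit format;
# capability=6 is CAP_SETGID, and both contexts are collectd's own domain because the
# object of a capability check is the process itself.
CONSTRUCTED_AVC='type=AVC msg=audit(1456123456.789:1234): avc:  denied  { setgid } for  pid=12918 comm="collectd" capability=6  scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:system_r:collectd_t:s0 tclass=capability permissive=0'

# avc_field LINE NAME: print the value of a whitespace-delimited NAME=value field.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^} ]*\) *}.*/\1/p'
}

# avc_domain LINE: print the type component (third field) of the source context.
avc_domain() {
    avc_field "$1" scontext | cut -d: -f3
}

# is_collectd_setgid_denial LINE: true when the record is collectd_t denied setgid
# on the capability class, i.e. the case described in this article.
is_collectd_setgid_denial() {
    [ "$(avc_domain "$1")" = "collectd_t" ] &&
    [ "$(avc_field "$1" tclass)" = "capability" ] &&
    [ "$(avc_perm "$1")" = "setgid" ]
}

# Live triage on the RHEL 7 host (root; sesearch comes from setools-console).
# Only invoked when explicitly requested, so the parsing functions can be tested offline.
live_triage() {
    ausearch -m AVC -c collectd -ts recent                        # the raw denials
    sesearch -A -s collectd_t -t collectd_t -c capability          # what policy grants collectd_t
    getsebool -a | grep collectd                                   # tunable booleans for collectd
}

# Generate a local policy module from the recorded denials. Review the .te before
# loading it; a shipped selinux-policy update is preferable when one is available.
build_local_module() {
    ausearch -m AVC -c collectd | audit2allow -M collectd_setgid  # needs policycoreutils-python
    cat collectd_setgid.te
    # semodule -i collectd_setgid.pp
}

case "${1:-}" in
    triage) live_triage ;;
    module) build_local_module ;;
    *) if is_collectd_setgid_denial "$CONSTRUCTED_AVC"; then
           echo "$(avc_domain "$CONSTRUCTED_AVC") denied $(avc_perm "$CONSTRUCTED_AVC") on class $(avc_field "$CONSTRUCTED_AVC" tclass)"
       fi ;;
esac
```

Run without arguments to check the parsing against the constructed record; `triage` and `module` are for the affected host. The check that the source domain is `collectd_t` and the class is `capability` is what tells you file capabilities on the plugin script cannot be the answer: the decision is made against the collectd process domain before any exec happens.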

Environment

  • Red Hat Enterprise Linux 7.2
