Bug 1076352

Summary: SELinux is preventing /usr/bin/perl from using the net_admin capability.
Product: Fedora
Reporter: Juan Orti Alcaine <jorti>
Component: munin
Assignee: d. johnson <drjohnson1>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 21
CC: dominick.grift, drjohnson1, dwalsh, hobbes1069, ingvar, jorti, jvanek, lvrabec, mgrepl
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-03-16 23:07:18 UTC
Attachments: ls -la /etc/munin/plugins/ (no flags)

Description Juan Orti Alcaine 2014-03-14 07:44:21 UTC
SELinux is preventing /usr/bin/perl from using the net_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:munin_t:s0
Target Context                system_u:system_r:munin_t:s0
Target Objects                 [ capability ]
Source                        munin-node
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           perl-5.18.2-289.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-127.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed> 3.13.6-200.fc20.x86_64
                              #1 SMP Fri Mar 7 17:02:28 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-03-13 21:58:42 CET
Last Seen                     2014-03-13 21:58:42 CET
Local ID                      2e912f32-6dd0-44ed-9d2e-bfcd22427956

Raw Audit Messages
type=AVC msg=audit(1394744322.336:219751): avc:  denied  { net_admin } for  pid=823 comm="munin-node" capability=12  scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=capability


type=SYSCALL msg=audit(1394744322.336:219751): arch=x86_64 syscall=stat success=yes exit=0 a0=207ac70 a1=1eac280 a2=1eac280 a3=0 items=0 ppid=1 pid=823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=munin-node exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0 key=(null)

Hash: munin-node,munin_t,munin_t,capability,net_admin
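
As an added example (not part of this bug report), the two raw audit records above can be parsed offline: the AVC record carries the contexts, class and permission, and the SYSCALL record with the same event serial supplies the executable, which is how the "Source Path /usr/bin/perl" and "Hash:" lines in the report are derived. The sample records are copied from the report; `AvcDenial`, `parse_audit` and `ctx_type` are my own names, and `allow_rule` shows the rule `audit2allow -M mypol` would put in `mypol.te` so it can be reviewed rather than loaded blindly (as the thread concludes, munin_t should not need net_admin at all).

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC and SYSCALL records quoted in this report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1394744322.336:219751): avc:  denied  { net_admin } for  pid=823 comm="munin-node" capability=12  scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=capability
type=SYSCALL msg=audit(1394744322.336:219751): arch=x86_64 syscall=stat success=yes exit=0 a0=207ac70 a1=1eac280 a2=1eac280 a3=0 items=0 ppid=1 pid=823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=munin-node exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\([\d.]+:(?P<serial>\d+)\)")  # serial joins AVC to SYSCALL
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs; values may be double-quoted

def ctx_type(context):
    return context.split(":")[2]  # user:role:type:level -> type

@dataclass
class AvcDenial:
    serial: str
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    perms: list
    exe: str = None  # taken from the SYSCALL record with the same serial, if any

    def signature(self):  # same shape as the "Hash:" line setroubleshoot printed in the report
        return ",".join([self.comm, ctx_type(self.scontext), ctx_type(self.tcontext), self.tclass, *self.perms])

    def allow_rule(self):  # the allow rule audit2allow would generate for this denial
        src, tgt = ctx_type(self.scontext), ctx_type(self.tcontext)
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {src} {'self' if src == tgt else tgt}:{self.tclass} {perms};"

def parse_audit(text):  # one AvcDenial per denied AVC record; granted/other records are skipped
    denials, exe_by_serial = [], {}
    for line in text.splitlines():
        ev = EVENT_RE.search(line)
        if ev and line.startswith("type=SYSCALL"):
            exe_by_serial[ev["serial"]] = dict(KV_RE.findall(line)).get("exe")
        elif ev and line.startswith("type=AVC"):
            m = AVC_RE.search(line)
            if m and m["verdict"] == "denied":
                kv = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
                denials.append(AvcDenial(ev["serial"], kv["comm"], kv["scontext"], kv["tcontext"], kv["tclass"], m["perms"].split()))
    for d in denials:  # the SYSCALL line follows its AVC in the log, so join after the pass
        d.exe = exe_by_serial.get(d.serial)
    return denials
```

Running `parse_audit(SAMPLE_AUDIT)` yields one denial whose `signature()` matches the report's Hash line and whose `exe` is /usr/bin/perl.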

Comment 1 Miroslav Grepl 2014-03-14 09:06:29 UTC
How did it happen? Do you know which plugin was used?

Comment 2 Juan Orti Alcaine 2014-03-14 21:30:17 UTC
I installed these packages and started munin-node.service:

munin-node-2.0.19-1.fc20.noarch
munin-common-2.0.19-1.fc20.noarch
munin-2.0.19-1.fc20.noarch

I got that avc from the stock config, I didn't change anything. As I'm beginning to learn how munin works, I can't help you much on what it was doing.

Now I'm graphing some other servers and I'm getting tons of AVCs, the munin policy seems rather broken :(

Comment 3 Daniel Walsh 2014-03-16 21:51:44 UTC
This indicates that munin code was trying to manipulate the network stack.

Comment 4 Juan Orti Alcaine 2014-03-17 07:30:18 UTC
(In reply to Daniel Walsh from comment #3)
> This indicates that munin code was trying to manipulate the network stack.

Yes, it seems something it must not do.

Comment 5 d. johnson 2014-03-17 13:13:40 UTC
If you look in /etc/munin/plugins you can see which plugins are active.

Comment 6 Juan Orti Alcaine 2014-03-17 14:30:01 UTC
Created attachment 875513 [details]
ls -la /etc/munin/plugins/

I haven't touched any of this.

Comment 7 d. johnson 2014-03-17 23:30:29 UTC
Most of those are the same as what I have, but I do not get the AVCs you have.  Want to look for the ones that don't match and see if they are the cause of your AVCs?

lrwxrwxrwx. 1 root root 28 Dec 31 19:50 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx. 1 root root 27 Dec 31 19:50 df -> /usr/share/munin/plugins/df
lrwxrwxrwx. 1 root root 33 Dec 31 19:50 df_inode -> /usr/share/munin/plugins/df_inode
lrwxrwxrwx. 1 root root 34 Dec 31 19:50 diskstats -> /usr/share/munin/plugins/diskstats
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 entropy -> /usr/share/munin/plugins/entropy
lrwxrwxrwx. 1 root root 30 Dec 31 19:50 forks -> /usr/share/munin/plugins/forks
lrwxrwxrwx. 1 root root 35 Dec 31 19:50 fw_packets -> /usr/share/munin/plugins/fw_packets
lrwxrwxrwx. 1 root root 28 Dec 31 19:50 if_br0 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 28 Dec 31 19:50 if_eno16777728 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 if_err_br0 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 if_err_eno16777728 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 35 Dec 31 19:50 interrupts -> /usr/share/munin/plugins/interrupts
lrwxrwxrwx. 1 root root 33 Dec 31 19:50 irqstats -> /usr/share/munin/plugins/irqstats
lrwxrwxrwx. 1 root root 29 Dec 31 19:50 load -> /usr/share/munin/plugins/load
lrwxrwxrwx. 1 root root 31 Dec 31 19:50 memory -> /usr/share/munin/plugins/memory
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 netstat -> /usr/share/munin/plugins/netstat
lrwxrwxrwx. 1 root root 29 Dec 31 19:50 nfsd -> /usr/share/munin/plugins/nfsd
lrwxrwxrwx. 1 root root 30 Dec 31 19:50 nfsd4 -> /usr/share/munin/plugins/nfsd4
lrwxrwxrwx. 1 root root 35 Dec 31 19:50 open_files -> /usr/share/munin/plugins/open_files
lrwxrwxrwx. 1 root root 36 Dec 31 19:50 open_inodes -> /usr/share/munin/plugins/open_inodes
lrwxrwxrwx. 1 root root 34 Dec 31 19:50 processes -> /usr/share/munin/plugins/processes
lrwxrwxrwx. 1 root root 33 Dec 31 19:50 proc_pri -> /usr/share/munin/plugins/proc_pri
lrwxrwxrwx. 1 root root 29 Dec 31 19:50 swap -> /usr/share/munin/plugins/swap
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 threads -> /usr/share/munin/plugins/threads
lrwxrwxrwx. 1 root root 31 Dec 31 19:50 uptime -> /usr/share/munin/plugins/uptime
lrwxrwxrwx. 1 root root 30 Dec 31 19:50 users -> /usr/share/munin/plugins/users
lrwxrwxrwx. 1 root root 31 Dec 31 19:50 vmstat -> /usr/share/munin/plugins/vmstat

Comment 8 Juan Orti Alcaine 2014-03-26 12:05:51 UTC
This is what I did in one of my nodes. I have triggered a SELinux relabel and reinstalled munin-node, but the net_admin errors continue appearing.

1. yum remove -y munin\*
2. rm -rf /etc/munin
3. yum update -y
4. touch /.autorelabel
5. reboot
6. yum install -y munin-node
7. I added a line in /etc/munin/munin-node.conf to allow my server:
     allow ^192\.168\.1\.1$

8. systemctl start munin-node
9. journalctl -a -b -u munin-node

mar 26 12:53:34 foo.example.com systemd[1]: Starting Munin Node Server....
mar 26 12:53:34 foo.example.com systemd[1]: Started Munin Node Server..
mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

Comment 9 d. johnson 2014-03-26 13:31:56 UTC
We need to know which plugin is causing this.  As noted above, the plugins I listed do not require net_admin.

For the record:  "fixfiles -R munin,munin-common,munin-node restore" will restore labels for just those packages.

Comment 10 Juan Orti Alcaine 2014-03-26 14:23:05 UTC
I've deleted all the symbolic links in /etc/munin/plugins, restarted the service and the problem persists.

Comment 11 d. johnson 2014-03-26 23:17:23 UTC
Did you install perl modules outside of what Fedora provided? Or install munin from source?

I am unable to reproduce the issue you are describing on clean / updated f20 systems, so I am very curious what makes your system different.

Comment 12 Juan Orti Alcaine 2014-03-27 21:19:53 UTC
I've tried it on two other systems and I also can't reproduce it. So it must be some oddity in that system; I'll investigate it further.

You can close the bug, thank you.

Comment 13 Richard Shaw 2015-03-05 19:27:19 UTC
I'm having this problem on Fedora 21 x86_64...

Comment 14 d. johnson 2015-03-07 04:53:40 UTC
Richard- Please provide the versions and additional information to review.

Comment 15 Richard Shaw 2015-03-16 20:01:55 UTC
$ rpm -qa | grep munin
munin-node-2.0.25-1.fc21.noarch
munin-common-2.0.25-1.fc21.noarch
munin-2.0.25-1.fc21.noarch

Comment 16 d. johnson 2015-03-16 23:07:18 UTC
Richard- Perhaps it would be best if you would open a new bug report with your actual details in it.  So far, you have not provided enough to investigate.