Bug 1528471

Summary: SELinux prevents munin updating its data files ('map' access in /var/lib/munin/)
Product: Fedora
Component: selinux-policy
Version: 27
Status: CLOSED ERRATA
Reporter: Gustavo Maciel Dias Vieira <gustavo>
Assignee: Colin Walters <walters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore, walters
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Keywords: Reopened
Type: Bug
Fixed In Version: selinux-policy-3.13.1-283.21.fc27 selinux-policy-3.13.1-283.24.fc27
Doc Type: If docs needed, set a value
Last Closed: 2018-02-06 15:31:29 UTC

Description Gustavo Maciel Dias Vieira 2017-12-21 23:49:46 UTC
Description of problem:
When I run munin it can't update its data files in /var/lib/munin due to a SELinux AVC ('map' access). When I run in permissive mode munin works, but many other AVCs related to the plugins appear. It's hard for me to tell them apart, so I'm reporting them all together.


Version-Release number of selected component (if applicable):
munin-2.0.33-5.fc27.noarch
selinux-policy-3.13.1-283.17.fc27.noarch

How reproducible:
Deterministic


Steps to Reproduce:
1. Set up munin and munin-node. There is nothing special in my setup, except that I change the default plugin list a bit.


The AVCs:
type=AVC msg=audit(1513420202.281:2246): avc:  denied  { read } for  pid=17710 comm="uptime" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.282:2247): avc:  denied  { open } for  pid=17710 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.282:2248): avc:  denied  { getattr } for  pid=17710 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.282:2249): avc:  denied  { map } for  pid=17710 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.379:2250): avc:  denied  { map } for  pid=17708 comm="/usr/share/muni" path="/var/lib/munin/horatio/horatio-uptime-uptime-g.rrd" dev="sdb1" ino=394595 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.154:2251): avc:  denied  { write } for  pid=17760 comm="who" name="nss" dev="sda2" ino=8601786 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1513420203.155:2252): avc:  denied  { connectto } for  pid=17760 comm="who" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1513420203.533:2253): avc:  denied  { map } for  pid=17708 comm="/usr/share/muni" path="/var/lib/munin/horatio/horatio-diskstats_throughput-sda-rdbytes-g.rrd" dev="sdb1" ino=404148 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.867:2254): avc:  denied  { read } for  pid=17825 comm="postfix_mailque" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2255): avc:  denied  { open } for  pid=17825 comm="postfix_mailque" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2256): avc:  denied  { getattr } for  pid=17825 comm="postfix_mailque" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2257): avc:  denied  { map } for  pid=17825 comm="postfix_mailque" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2258): avc:  denied  { write } for  pid=17825 comm="postfix_mailque" name="nss" dev="sda2" ino=8601786 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1513420203.868:2259): avc:  denied  { connectto } for  pid=17825 comm="postfix_mailque" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1513420203.876:2260): avc:  denied  { read } for  pid=17827 comm="postconf" name="unix" dev="proc" ino=4026532057 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.876:2261): avc:  denied  { create } for  pid=17827 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1513420204.078:2263): avc:  denied  { read } for  pid=17882 comm="sh" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420204.078:2264): avc:  denied  { open } for  pid=17882 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420204.078:2265): avc:  denied  { getattr } for  pid=17882 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420204.078:2266): avc:  denied  { map } for  pid=17882 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.475:2267): avc:  denied  { read } for  pid=17925 comm="selinux_avcstat" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.476:2268): avc:  denied  { open } for  pid=17925 comm="selinux_avcstat" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.476:2269): avc:  denied  { getattr } for  pid=17925 comm="selinux_avcstat" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.476:2270): avc:  denied  { map } for  pid=17925 comm="selinux_avcstat" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513451103.657:4166): avc:  denied  { ioctl } for  pid=20456 comm="postconf" path="socket:[147621]" dev="sockfs" ino=147621 ioctlcmd=0x8910 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1513451103.737:4167): avc:  denied  { ioctl } for  pid=20484 comm="postconf" path="socket:[147662]" dev="sockfs" ino=147662 ioctlcmd=0x8910 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=0


Running audit2allow gives:

#============= disk_munin_plugin_t ==============
allow disk_munin_plugin_t sssd_public_t:file { getattr map open read };

#============= mail_munin_plugin_t ==============
allow mail_munin_plugin_t proc_net_t:file read;
allow mail_munin_plugin_t self:unix_dgram_socket { create ioctl };
allow mail_munin_plugin_t sssd_public_t:file { getattr map open read };
allow mail_munin_plugin_t sssd_t:unix_stream_socket connectto;
allow mail_munin_plugin_t sssd_var_lib_t:sock_file write;

#============= munin_t ==============
allow munin_t munin_var_lib_t:file map;

#============= selinux_munin_plugin_t ==============
allow selinux_munin_plugin_t sssd_public_t:file { getattr map open read };

#============= system_munin_plugin_t ==============
allow system_munin_plugin_t sssd_t:unix_stream_socket connectto;

Comment 1 Fedora Update System 2018-01-05 14:47:13 UTC
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 2 Fedora Update System 2018-01-05 14:49:42 UTC
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 3 Fedora Update System 2018-01-06 21:09:12 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 4 Fedora Update System 2018-01-10 02:07:30 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Gustavo Maciel Dias Vieira 2018-01-15 20:45:11 UTC
Thanks Lukas, but I tested this update and the solution is partial. Munin seems to run, but I still get some AVCs:

type=AVC msg=audit(1516048502.096:316): avc:  denied  { read } for  pid=2763 comm="uptime" name="passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048502.103:317): avc:  denied  { open } for  pid=2763 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048502.104:318): avc:  denied  { getattr } for  pid=2763 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048502.104:319): avc:  denied  { map } for  pid=2763 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048505.042:320): avc:  denied  { write } for  pid=2967 comm="who" name="nss" dev="sda2" ino=8601786 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1516048505.043:321): avc:  denied  { connectto } for  pid=2967 comm="who" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1516048505.453:322): avc:  denied  { create } for  pid=2992 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1516048505.454:323): avc:  denied  { ioctl } for  pid=2992 comm="postconf" path="socket:[32879]" dev="sockfs" ino=32879 ioctlcmd=0x8910 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=1

Running audit2allow gives:

#============= mail_munin_plugin_t ==============
allow mail_munin_plugin_t self:unix_dgram_socket { create ioctl };

#============= system_munin_plugin_t ==============
allow system_munin_plugin_t sssd_public_t:file { getattr map open read };
allow system_munin_plugin_t sssd_t:unix_stream_socket connectto;
allow system_munin_plugin_t sssd_var_lib_t:sock_file write;

Comment 6 Fedora Update System 2018-01-30 16:41:14 UTC
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 7 Fedora Update System 2018-01-31 22:44:56 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 8 Fedora Update System 2018-02-06 15:31:29 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.