Bug 1636926

Summary: SELinux blocks tmp watch in Munin cron
Product: Red Hat Enterprise Linux 7
Reporter: Jason Woods <devel>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: unspecified
Version: 7.5
CC: b, drjohnson1, ingvar, jvanek, lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-02-27 15:23:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jason Woods 2018-10-08 09:56:35 UTC
Description of problem:
audit.log contains:
type=AVC msg=audit(1538976301.501:25547): avc:  denied  { rmdir } for  pid=5609 comm="tmpwatch" name="spool" dev="xvda1" ino=4264057 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
Cron sends emails such as:
error: failed to rmdir /var/lib/munin/cgi-tmp/munin-cgi-graph/xxx/xxx/diskstats_latency: Permission denied

Version-Release number of selected component (if applicable):
munin-2.0.40-2.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install munin and collect some data from localhost
2. Enable SELinux in enforcing mode
3. Wait overnight and check audit.log and cron email notifications

Actual results:
Failed to rmdir

Expected results:
Silence and tmpwatch successful

Additional info:

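The AVC record in the description is the whole story of this bug: the source domain is tmpreaper_t (the domain tmpwatch runs in), the target type is munin_var_lib_t, and the denied permission is rmdir on a dir. The usual admin-side triage is to turn such records into a small local Type Enforcement module until the distribution policy catches up. The script below is an added illustration, not part of the report or of selinux-policy: it parses AVC lines into structured denials and emits a .te module in the same shape audit2allow produces. The first sample line is the one from the report; the second (an unlink on a file) is constructed to show how several denials are merged, and the module name is an arbitrary placeholder.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: line 1 is the AVC from the bug report,
# line 2 is a made-up companion denial, line 3 is a non-AVC record to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1538976301.501:25547): avc:  denied  { rmdir } for  pid=5609 comm="tmpwatch" name="spool" dev="xvda1" ino=4264057 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1538976302.000:25548): avc:  denied  { unlink } for  pid=5609 comm="tmpwatch" name="graph.png" dev="xvda1" ino=4264058 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1538976301.501:25547): arch=c000003e syscall=84 success=no exit=-13
"""

# Matches the fields of a kernel AVC record that an allow rule needs.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Extract every 'denied' AVC record from an audit log excerpt."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('result') != 'denied':
            continue  # granted AVCs and non-AVC records carry nothing to fix
        denials.append({
            'comm': m.group('comm'),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'perms': set(m.group('perms').split()),
        })
    return denials


def allow_rules(denials):
    """Merge denials with the same (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


def policy_module(denials, name="local_munin_tmpreaper"):
    """Render a complete .te module (placeholder name) ready for checkmodule/semodule_package."""
    types = sorted({d['stype'] for d in denials} | {d['ttype'] for d in denials})
    class_perms = defaultdict(set)
    for d in denials:
        class_perms[d['tclass']] |= d['perms']
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""]
    lines += allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module(parse_avc(SAMPLE_AUDIT)))
```

The generated module only widens tmpreaper_t onto munin_var_lib_t for the exact permissions that were denied, which is the narrowest local workaround; review the allow lines before loading them, and drop the module once the shipped policy (bug #1164245 per comment 2) carries the fix.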
Comment 1 Jason Woods 2018-10-08 09:57:10 UTC
This is Munin cron, showing the tmpwatch it uses to clean old files. SELinux blocks the tmpwatch.

# Collect Munin data every five minutes, clean up once a day

MAILTO=root

*/5 * * * *  munin  /usr/bin/munin-cron
21  5 * * *  root   /usr/sbin/tmpwatch --ctime 24h /var/lib/munin/cgi-tmp
25  5 * * *  root   /usr/sbin/tmpwatch --ctime 30d /var/lib/munin --exclude /var/lib/munin/.ssh --exclude /var/lib/munin/cgi-tmp --exclude /var/lib/munin/plugin-state --exclude /var/lib/munin/rrdcached

Comment 2 Kim B. Heino 2018-10-10 15:56:59 UTC
Fix for this should be included in bug #1164245, see attachment "Munin patch for rhel 7.5 tmpreaper policy".

Comment 4 Zdenek Pytela 2019-02-27 15:23:45 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.