Bug 1857381

Summary: munin is generating an avc denial when trying to access /usr/bin/munin-cron
Product: Fedora
Component: selinux-policy
Version: 31
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Type: Bug
Reporter: stan <gryt2>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, grepl.miroslav, gryt2, kyu.sperling, lvrabec, mmalik, plautrba, vmojzis, zpytela
Fixed In Version: selinux-policy-3.14.4-54.fc31
Last Closed: 2020-09-12 16:36:59 UTC

Description stan 2020-07-15 18:22:54 UTC
Description of problem:
SELinux is generating AVCs every few minutes when munin tries to run munin-cron


Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-53.fc31.noarch


How reproducible:
Every time

Steps to Reproduce:
1. Update package from repositories

Actual results:
Jul 15 11:15:17 localhost.localdomain python3[220417]: SELinux is preventing munin-update from append access on the file /var/log/munin/munin-update.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that munin-update should be allowed append access on the munin-update.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'munin-update' --raw | audit2allow -M my-muninupdate
# semodule -X 300 -i my-muninupdate.pp

Expected results:
No AVC denials

Additional info:

Started immediately after update to latest version of munin from 2.0.54-1.fc31.noarch to 2.0.63-1.fc31.noarch.

Comment 1 stan 2020-07-15 18:24:41 UTC
There are two AVCs.  Here is the munin-cron version.

Jul 15 11:15:12 localhost.localdomain python3[220417]: SELinux is preventing munin-cron from ioctl access on the file /usr/bin/munin-cron.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that munin-cron should be allowed ioctl access on the munin-cron file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'munin-cron' --raw | audit2allow -M my-munincron
# semodule -X 300 -i my-munincron.pp

Comment 2 Zdenek Pytela 2020-07-21 15:43:45 UTC
Hi,

Could you please attach the actual denials? To limit the audit records to the last 10 minutes:

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Apart from the denials, is the software working properly or some services fail?

Comment 3 stan 2020-07-21 16:43:01 UTC
I would, but I took the advice in the messages after I opened the bug, and I'm no longer seeing the denials.  I'll try looking for them in older records.

----
type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc:  denied  { ioctl } for  pid=218162 comm=munin-cron path=/usr/bin/munin-cron dev="sda4" ino=6915965 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc:  denied  { nnp_transition } for  pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0 
----
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0 
----
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc:  denied  { ioctl } for  pid=218172 comm=munin-update path=/usr/share/munin/munin-update dev="sda4" ino=3147166 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc:  denied  { append } for  pid=218172 comm=munin-update name=munin-update.log dev="sda4" ino=12863651 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0 
----

As far as I know, everything is working properly.
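
Triage of the records above, as an added example that is not part of this bug report: the refused nnp_transition is the root denial (the process ran with no_new_privs, so the init_t to munin_t domain transition was refused, and the typebounds fallback the kernel tries next failed too, logged as the SELINUX_ERR), and the later ioctl and append denials by the same pid are consequences of it staying in init_t. The parser and result layout are the example author's own; the input is the comment's records with the dev= and ino= fields trimmed.

```python
import re

# Records from comment 3 (dev= and ino= fields trimmed), used here as the sample input.
AUDIT_RECORDS = """\
type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc:  denied  { ioctl } for  pid=218162 comm=munin-cron path=/usr/bin/munin-cron ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc:  denied  { nnp_transition } for  pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc:  denied  { ioctl } for  pid=218172 comm=munin-update path=/usr/share/munin/munin-update ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc:  denied  { append } for  pid=218172 comm=munin-update name=munin-update.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value fields of an `ausearch -i` record
PERMS_RE = re.compile(r'\{ ([^}]*) \}')     # the denied permission set, e.g. { ioctl }

def parse_record(line):
    """Split one record into a dict of its key=value fields plus the set of denied permissions."""
    rec = dict(KV_RE.findall(line))
    m = PERMS_RE.search(line)
    rec["perms"] = set(m.group(1).split()) if m else set()
    return rec

def se_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]

def triage(text):
    """Classify denials: a refused nnp_transition is the root cause, and every later denial by the
    same pid that is still in the source domain is a consequence of never reaching the target domain."""
    result = {"root": None, "bounded_check": None, "consequences": [], "other": []}
    for rec in (parse_record(l) for l in text.splitlines() if l.strip()):
        if rec.get("type") == "SELINUX_ERR" and rec.get("op") == "security_bounded_transition":
            # nnp_transition was refused, so the kernel fell back to a typebounds check, which also failed.
            result["bounded_check"] = (se_type(rec["oldcontext"]), se_type(rec["newcontext"]))
            continue
        if rec.get("type") != "AVC":
            continue
        src, entry = se_type(rec["scontext"]), (rec.get("comm"), sorted(rec["perms"]), se_type(rec["tcontext"]))
        root = result["root"]
        if "nnp_transition" in rec["perms"]:
            result["root"] = {"pid": rec.get("pid"), "comm": rec.get("comm"), "from": src, "to": entry[2]}
        elif root and rec.get("pid") == root["pid"] and src == root["from"]:
            result["consequences"].append(entry)
        else:
            result["other"].append(entry)
    return result

if __name__ == "__main__":
    print(triage(AUDIT_RECORDS))
```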

Comment 4 Zdenek Pytela 2020-07-22 13:34:07 UTC
Hi,

I can't see the nnp feature turned on by default in munin services, have you made any modifications?

  # systemctl cat munin munin-node

Comment 5 stan 2020-07-22 14:12:30 UTC
No modifications.

# systemctl cat munin munin-node
# /usr/lib/systemd/system/munin.service
[Unit]
Description=Munin server to collect data from nodes
Documentation=man:munin-cron(8)
After=network.target network-online.target munin-node.service

[Service]
User=munin
ExecStart=/usr/bin/munin-cron
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full

# /usr/lib/systemd/system/munin-node.service
[Unit]
Description=Munin Node
Documentation=man:munin-node(1) http://guide.munin-monitoring.org/en/latest/node/index.html
After=network.target network-online.target
PartOf=munin-asyncd.service

[Service]
Type=notify
ExecStart=/usr/sbin/munin-node --foreground
PrivateDevices=no
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
TimeoutStopSec=30s

[Install]
WantedBy=multi-user.target
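
Comment 4 asks why the nnp feature was on although neither unit sets NoNewPrivileges=. systemd turns no_new_privs on implicitly for a service that runs as a non-root user and uses a seccomp-backed sandboxing option, because an unprivileged process cannot install a seccomp filter otherwise (see the NoNewPrivileges= entry in systemd.exec(5)); munin.service has User=munin and PrivateDevices=yes, munin-node.service runs as root. The check below is an added example, not part of the bug report or of systemd; it approximates systemd's runtime CAP_SYS_ADMIN test by looking at User=, and the directive list is the subset of the manual page the example author is sure of.

```python
import configparser

# [Service] sections from comment 5 (other sections dropped), used as the sample input.
MUNIN_SERVICE = """\
[Service]
User=munin
ExecStart=/usr/bin/munin-cron
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
"""
MUNIN_NODE_SERVICE = """\
[Service]
Type=notify
ExecStart=/usr/sbin/munin-node --foreground
PrivateDevices=no
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
"""

# Options systemd implements with a seccomp filter. An unprivileged service cannot install seccomp
# without no_new_privs, so systemd switches NoNewPrivileges on implicitly for them (systemd.exec(5),
# NoNewPrivileges=). This is the subset of that list the author of this example is sure of.
SECCOMP_BACKED = {"PrivateDevices", "SystemCallFilter", "SystemCallArchitectures", "RestrictAddressFamilies",
                  "RestrictNamespaces", "ProtectKernelTunables", "ProtectKernelModules", "MemoryDenyWriteExecute",
                  "RestrictRealtime", "RestrictSUIDSGID", "LockPersonality", "DynamicUser"}
OFF = ("", "no", "false", "off", "0")

def implies_nnp(unit_text):
    """Return (nnp, reasons): whether systemd will run the unit with no_new_privs and which directives
    cause it. Approximation: 'privileged' is taken as no User= or User=root; systemd really tests for
    CAP_SYS_ADMIN, so a root service with a reduced CapabilityBoundingSet= may differ."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # systemd directive names are case-sensitive; keep them as written
    cp.read_string(unit_text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    if svc.get("NoNewPrivileges", "no").lower() not in OFF:
        return True, ["NoNewPrivileges= set explicitly"]
    if svc.get("User", "root") in ("root", "0"):
        return False, ["runs as root, so seccomp does not require no_new_privs"]
    reasons = [f"{k}={v}" for k, v in svc.items() if k in SECCOMP_BACKED and v.lower() not in OFF]
    return bool(reasons), reasons or ["non-root, but no seccomp-backed option set"]

if __name__ == "__main__":
    for name, text in (("munin.service", MUNIN_SERVICE), ("munin-node.service", MUNIN_NODE_SERVICE)):
        print(name, *implies_nnp(text))
```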

Comment 6 Zdenek Pytela 2020-07-23 08:06:38 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/308

Comment 7 stan 2020-07-23 16:06:58 UTC
Thanks a lot!

Comment 8 Lukas Vrabec 2020-07-26 15:00:20 UTC
commit 74fe9dcdfe3e67ccf0661b4e3176569bf078bb4e (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jul 23 10:04:33 2020 +0200

    Allow munin domain transition with NoNewPrivileges
    
    Resolves: rhbz#1857381

Comment 9 Zdenek Pytela 2020-08-06 07:02:32 UTC
*** Bug 1866680 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2020-08-27 21:52:21 UTC
FEDORA-2020-b2d6cffc6f has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f

Comment 11 Fedora Update System 2020-08-28 15:38:09 UTC
FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b2d6cffc6f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2020-09-12 16:36:59 UTC
FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.