Bug 1857381
Summary: | munin is generating an avc denial when trying to access /usr/bin/munin-cron | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | stan <gryt2> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 31 | CC: | dwalsh, grepl.miroslav, gryt2, kyu.sperling, lvrabec, mmalik, plautrba, vmojzis, zpytela |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.14.4-54.fc31 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2020-09-12 16:36:59 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
stan
2020-07-15 18:22:54 UTC
There are two AVCs. Here is the munin-cron version.

```
Jul 15 11:15:12 localhost.localdomain python3[220417]: SELinux is preventing munin-cron from ioctl access on the file /usr/bin/munin-cron.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that munin-cron should be allowed ioctl access on the munin-cron file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'munin-cron' --raw | audit2allow -M my-munincron
# semodule -X 300 -i my-munincron.pp
```

Hi,

Could you please attach the actual denials? To limit the audit records to the last 10 minutes:

```
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
```

Apart from the denials, is the software working properly, or do some services fail?

I would, but I took the advice in the messages after I opened the bug, and I'm no longer seeing the denials. I'll try looking for them in older records.

```
----
type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc: denied { ioctl } for pid=218162 comm=munin-cron path=/usr/bin/munin-cron dev="sda4" ino=6915965 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc: denied { nnp_transition } for pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0
----
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0
----
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc: denied { ioctl } for pid=218172 comm=munin-update path=/usr/share/munin/munin-update dev="sda4" ino=3147166 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc: denied { append } for pid=218172 comm=munin-update name=munin-update.log dev="sda4" ino=12863651 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0
----
```

As far as I know, everything is working properly.

Hi,

I can't see the nnp feature turned on by default in munin services. Have you made any modifications?

```
# systemctl cat munin munin-node
```

No modifications.

```
# systemctl cat munin munin-node
# /usr/lib/systemd/system/munin.service
[Unit]
Description=Munin server to collect data from nodes
Documentation=man:munin-cron(8)
After=network.target network-online.target munin-node.service

[Service]
User=munin
ExecStart=/usr/bin/munin-cron
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full

# /usr/lib/systemd/system/munin-node.service
[Unit]
Description=Munin Node
Documentation=man:munin-node(1) http://guide.munin-monitoring.org/en/latest/node/index.html
After=network.target network-online.target
PartOf=munin-asyncd.service

[Service]
Type=notify
ExecStart=/usr/sbin/munin-node --foreground
PrivateDevices=no
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
TimeoutStopSec=30s

[Install]
WantedBy=multi-user.target
```

I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/308

Thanks a lot!

```
commit 74fe9dcdfe3e67ccf0661b4e3176569bf078bb4e (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Thu Jul 23 10:04:33 2020 +0200

    Allow munin domain transition with NoNewPrivileges

    Resolves: rhbz#1857381
```

*** Bug 1866680 has been marked as a duplicate of this bug. ***

FEDORA-2020-b2d6cffc6f has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f

FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b2d6cffc6f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.
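The thread above turns on one mechanism that the records show but nobody spells out. munin.service carries no `NoNewPrivileges=` line, yet systemd sets the no_new_privs flag anyway: systemd.exec(5) documents that `PrivateDevices=yes` (like the other sandboxing options) implies `NoNewPrivileges=yes` for a service that runs unprivileged, which `User=munin` does. With that flag set, the SELinux kernel code permits an automatic exec-time domain change only if policy grants `process2 { nnp_transition }` from the old to the new domain, or if the new domain is bounded by the old one; record 2983 is the first check failing and the `security_bounded_transition` SELINUX_ERR is the fallback failing. For an automatic type_transition (no `SELinuxContext=` in the unit) the exec then proceeds in the old domain, so munin-cron and munin-update keep running as `init_t`, and the `ioctl` on `munin_exec_t` and `append` on `munin_log_t` denials are fallout of that single blocked transition rather than separate policy gaps. The script below is an added example written for this page, not code from the bug report or from selinux-policy: it classifies the pasted records that way, and writes a local module using the Fedora policy's `init_nnp_daemon_domain()` interface, which grants `nnp_transition` and `nosuid_transition` from `init_t`. The sample input is the bug's records reduced to one record per line, the module name `local_munin_nnp` and the output path are assumptions, and whether the linked commit used exactly that interface is not stated on this page.

```shell
#!/bin/sh
# Added example for this bug thread; not code from the report or from selinux-policy.
# Triage the audit records pasted above and write the policy fix for this class
# of denial. Mechanism: systemd sets the no_new_privs flag for an unprivileged
# service with PrivateDevices=yes; with that flag, the kernel lets an automatic
# exec-time transition happen only if policy grants process2 { nnp_transition }
# or the new domain is bounded by the old one. When both fail, the exec proceeds
# in the old domain, so every later denial has scontext=init_t against the
# daemon's own types.

# Constructed sample: the records from the bug, one audit record per line
# (the ---- separators of `ausearch -i` dropped).
SAMPLE_AUDIT='type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc: denied { ioctl } for pid=218162 comm=munin-cron path=/usr/bin/munin-cron dev="sda4" ino=6915965 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc: denied { nnp_transition } for pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc: denied { ioctl } for pid=218172 comm=munin-update path=/usr/share/munin/munin-update dev="sda4" ino=3147166 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc: denied { append } for pid=218172 comm=munin-update name=munin-update.log dev="sda4" ino=12863651 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0'

# Print "SOURCE TARGET" (SELinux types) for every nnp_transition denial.
# The type is the third colon-separated field of a context string.
blocked_transitions() {
    printf '%s\n' "$1" | awk '
        /type=AVC/ && /nnp_transition/ && /tclass=process2/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, c, ":"); s = c[3] }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); t = c[3] }
            }
            print s, t
        }'
}

# True if the kernel also logged the bounded-transition fallback as denied:
# that SELINUX_ERR confirms the exec ran without changing domain.
bounded_fallback_denied() {
    printf '%s\n' "$1" | grep -q 'op=security_bounded_transition seresult=denied'
}

# Print "PERM TTYPE" for file denials that are fallout of the failed transition:
# scontext is the source domain ($2) and the target type carries the daemon
# domain's prefix ($3 minus _t, so munin_t matches munin_exec_t and munin_log_t).
fallout_denials() {
    printf '%s\n' "$1" | awk -v src="$2" -v dom="$3" '
        BEGIN { sub(/_t$/, "_", dom) }
        /type=AVC/ && /tclass=file/ {
            s = ""; t = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if ($i ~ /^scontext=/) { split($i, c, ":"); s = c[3] }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); t = c[3] }
            }
            if (s == src && index(t, dom) == 1) print perm, t
        }'
}

# Write a local policy module granting the transition the way the Fedora policy
# does for systemd-started daemons: init_nnp_daemon_domain() expands to
# allow init_t <domain>:process2 { nnp_transition nosuid_transition }.
# Module name and output path are assumptions. Build and load (not run here):
#   make -f /usr/share/selinux/devel/Makefile local_munin_nnp.pp && semodule -i local_munin_nnp.pp
write_local_module() {
    domain=$1
    cat > "$2" <<EOF
policy_module(local_${domain%_t}_nnp, 1.0)

gen_require(\`
    type ${domain};
')

init_nnp_daemon_domain(${domain})
EOF
}

# Driver: report what the records show and write the fix under TMPDIR.
main() {
    outdir=${TMPDIR:-/tmp}
    blocked_transitions "$SAMPLE_AUDIT" | while read -r src dst; do
        echo "NNP blocked the domain transition ${src} -> ${dst}"
        if bounded_fallback_denied "$SAMPLE_AUDIT"; then
            echo "bounded-transition fallback also denied: the exec stayed in ${src}"
        fi
        echo "fallout denials (gone once the transition is allowed):"
        fallout_denials "$SAMPLE_AUDIT" "$src" "$dst" | sed 's/^/  /'
        write_local_module "$dst" "${outdir}/local_${dst%_t}_nnp.te"
        echo "wrote ${outdir}/local_${dst%_t}_nnp.te"
    done
}

main
```

To confirm the flag on a live system instead of inferring it from the unit file, read `NoNewPrivs:` from `/proc/<pid>/status` of a process the unit started; it reads `1` when systemd applied it, even though `systemctl cat` shows no `NoNewPrivileges=` line. The local module is only a stopgap for hosts that cannot yet take selinux-policy-3.14.4-54.fc31; remove it with `semodule -r` once the packaged policy carries the rule, so the distribution policy stays the single source of truth.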