Bug 438825

Summary: Munin-node won't start because SELinux prevents it from binding to port 4949
Product: [Fedora] Fedora
Reporter: Tom Moertel <tom>
Component: munin
Assignee: Kevin Fenzi <kevin>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 8
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-03-25 15:47:58 UTC

Description Tom Moertel 2008-03-25 14:16:49 UTC
Description of problem:


Version-Release number of selected component (if applicable):
munin-node-1.2.5-4.fc8

How reproducible:
I would expect it to be easy to reproduce until the right SELinux policy
adjustments are made.

Steps to Reproduce:
1.  Install F8 w/ updates in SELinux enforcing mode (the default).
2.  Install munin-node: yum install munin munin-node
3.  Attempt to start munin node:  /sbin/service munin-node start
4.  Check status:  /sbin/service munin-node status

Actual results:

# /sbin/service munin-node status
munin-node dead but subsys locked

Message log contains:  setroubleshoot: SELinux is preventing munin-node
(munin_t) "name_bind" to <Unknown> (munin_port_t). For complete SELinux
messages. run sealert -l a19998d2-e5fc-4aef-89ed-cd75f30b672b


Expected results:

That munin-node would be running.


Additional info:

Running the suggested sealert command yields:

[root@beryllium ~]# sealert -l a19998d2-e5fc-4aef-89ed-cd75f30b672b

Summary:

SELinux is preventing munin-node (munin_t) "name_bind" to <Unknown>
(munin_port_t).

Detailed Description:

SELinux denied access requested by munin-node. It is not expected that this
access is required by munin-node and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:munin_t:s0
Target Context                system_u:object_r:munin_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        munin-node
Source Path                   /usr/bin/perl
Port                          4949
Host                          beryllium.hq.REDACTED.com
Source RPM Packages           perl-5.8.8-36.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     beryllium.hq.REDACTED.com
Platform                      Linux beryllium.hq.REDACTED.com 2.6.24.3-34.fc8
                              #1 SMP Wed Mar 12 16:51:49 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Mar 25 09:59:36 2008
Last Seen                     Tue Mar 25 09:59:36 2008
Local ID                      a19998d2-e5fc-4aef-89ed-cd75f30b672b
Line Numbers

Raw Audit Messages

host=beryllium.hq.REDACTED.com type=AVC msg=audit(1206453576.530:1061): avc: 
denied  { name_bind } for  pid=28616 comm="munin-node" src=4949
scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:munin_port_t:s0
tclass=tcp_socket

host=beryllium.hq.REDACTED.com type=SYSCALL msg=audit(1206453576.530:1061):
arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=b51800 a2=10 a3=3e2b1529f0
items=0 ppid=1 pid=28616 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="munin-node" exe="/usr/bin/perl"
subj=system_u:system_r:munin_t:s0 key=(null)
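
For triage, the AVC record above can be reduced to the fields that matter (source type, target type, object class, permission, port) and to the type-enforcement rule that the local policy module mentioned by sealert would have to contain. This is an added example, not part of the original report or of any Fedora tooling; `parse_avc` and `te_rule` are hypothetical helper names, and the sample line is the record from this report with its line wraps joined.

```python
import re

# The AVC record from the report, line wraps joined; host name is redacted
# on the page and kept that way here.
SAMPLE_AVC = (
    'host=beryllium.hq.REDACTED.com type=AVC msg=audit(1206453576.530:1061): avc: '
    'denied  { name_bind } for  pid=28616 comm="munin-node" src=4949 '
    'scontext=system_u:system_r:munin_t:s0 '
    'tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'port': int(fields['src']) if 'src' in fields else None,
        'tclass': fields.get('tclass'),
    }
    # A context is user:role:type[:level]; the type (third field) is what
    # type-enforcement rules are written against.
    for key in ('scontext', 'tcontext'):
        parts = fields.get(key, '').split(':')
        rec[key[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec


def te_rule(rec):
    """Render the allow rule a local policy module would need for this denial."""
    if rec['result'] != 'denied' or not (rec['stype'] and rec['ttype'] and rec['tclass']):
        raise ValueError('not a complete denial record')
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_text)


if __name__ == '__main__':
    print(te_rule(parse_avc(SAMPLE_AVC)))
```

The rendered rule shows exactly what access a local module would grant, which is worth reading before loading any generated policy.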

Comment 1 Kevin Fenzi 2008-03-25 15:47:58 UTC
This seems to be a duplicate of bug 428942.

*** This bug has been marked as a duplicate of 428942 ***