Bug 473376

Summary: SELinux is preventing munin-cron (munin_t) "read" to inotify (inotifyfs_t).
Product: Fedora
Reporter: Dennis Magee <nelswad90>
Component: munin
Assignee: Kevin Fenzi <kevin>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: medium
Version: 10
CC: dwalsh, kevin, nelswad90
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-12-19 23:56:24 UTC

Description Dennis Magee 2008-11-28 06:20:49 UTC
Summary:

SELinux is preventing munin-cron (munin_t) "read" to inotify (inotifyfs_t).

Detailed Description:

SELinux denied access requested by munin-cron. It is not expected that this
access is required by munin-cron and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for inotify,

restorecon -v 'inotify'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:inotifyfs_t:s0
Target Objects                inotify [ dir ]
Source                        munin-cron
Source Path                   /bin/bash
Port                          <Unknown>
Host                          DMMLAPTOP
Source RPM Packages           bash-3.2-29.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     DMMLAPTOP
Platform                      Linux DMMLAPTOP 2.6.27.5-117.fc10.x86_64 #1 SMP
                              Tue Nov 18 11:58:53 EST 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Thu 27 Nov 2008 11:05:01 PM MST
Last Seen                     Thu 27 Nov 2008 11:15:01 PM MST
Local ID                      41f1ab1a-24cb-4aa0-a503-7dbe1d615045
Line Numbers                  

Raw Audit Messages            

node=DMMLAPTOP type=AVC msg=audit(1227852901.975:324): avc:  denied  { read } for  pid=5477 comm="munin-cron" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=DMMLAPTOP type=SYSCALL msg=audit(1227852901.975:324): arch=c000003e syscall=59 success=yes exit=0 a0=226b3d0 a1=226e3c0 a2=226d190 a3=33f836da70 items=0 ppid=5475 pid=5477 auid=489 uid=489 gid=479 euid=489 suid=489 fsuid=489 egid=479 sgid=479 fsgid=479 tty=(none) ses=47 comm="munin-cron" exe="/bin/bash" subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)
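The AVC record above is the only hard evidence in the report, so it helps to read it mechanically rather than trust the setroubleshoot summary. The following parser is an added example, not part of the bug report or of munin; it takes an AVC line of the form shown above (the sample is a constructed copy of it), extracts the source and target types, the object class and the denied permissions, reproduces the setroubleshoot-style summary, and prints the type-enforcement rule that a local policy module built from this denial would grant, so an administrator can see exactly what such a module would allow before loading it.

```python
import re

# Constructed sample input: the AVC record from this bug report, on one line.
SAMPLE_AVC = ('node=DMMLAPTOP type=AVC msg=audit(1227852901.975:324): avc:  denied  { read } '
              'for  pid=5477 comm="munin-cron" path="inotify" dev=inotifyfs ino=1 '
              'scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 '
              'tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir')

# "avc:  denied  { perm perm ... } for  key=value key="quoted value" ..."
_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of one AVC audit record as a dict, or None for non-AVC lines."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: quoted or bare for key, quoted, bare in _KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:range; the type is the third component.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def summarize(avc):
    """One-line summary in the wording setroubleshoot uses for file denials."""
    return 'SELinux is preventing %s (%s) "%s" to %s (%s).' % (
        avc['comm'], avc['stype'], ' '.join(avc['perms']), avc.get('path', '?'), avc['ttype'])


def te_rule(avc):
    """The allow rule a local module generated from this denial would contain."""
    return 'allow %s %s:%s { %s };' % (
        avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms']))


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(summarize(avc))
    print('pid=%s exe-domain=%s object-class=%s' % (avc['pid'], avc['stype'], avc['tclass']))
    print('local module would grant:', te_rule(avc))
```

Because the rule names the concrete source domain, target type and permissions, it is easy to compare against what the service is expected to do (here: a cron job that has no business reading an inotify directory) before deciding between a policy update, as happened in this bug, and a local module.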

Comment 1 Kevin Fenzi 2008-12-01 16:15:50 UTC
Very odd. munin shouldn't use inotify at all in its cron job.

Can you add the output of: 

1. rpm -V munin

2. df -h

3. /var/log/munin/munin-update.log 

Thanks.

Comment 2 Dennis Magee 2008-12-02 01:32:34 UTC
$rpm -V munin
(nothing)

$df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                      108G   18G   85G  18% /
/dev/sdb1             190M   24M  157M  14% /boot
tmpfs                 974M  516K  974M   1% /dev/shm
/dev/sda1             104G   51G   53G  50% /media/OS

munin-update.log (latest entry)
Dec 01 18:25:02 - Starting munin-update
Dec 01 18:25:02 [4017] - Processing domain: localhost
Dec 01 18:25:02 [4017] - Processing node: localhost
Dec 01 18:25:02 [4018] - Could not connect to localhost(127.0.0.1): Connection refused - Attempting to use old configuration
Dec 01 18:25:02 [4017] - Processed node: localhost (0.00 sec)
Dec 01 18:25:02 [4017] - Processed domain: localhost (0.00 sec)
Dec 01 18:25:02 [4017] - connection from localhost -> localhost (4018)
Dec 01 18:25:02 [4017] - connection from localhost -> localhost (4018) closed
Dec 01 18:25:02 [4017] - Munin-update finished (0.10 sec)

Hope it helps

Comment 3 Kevin Fenzi 2008-12-05 04:29:06 UTC
Do you have munin-node installed and configured (port 4018, it looks like)?

Adding dwalsh here to CC. 
Dan: I don't understand what this reject is saying. Where does inotifyfs come into play here?

Comment 4 Daniel Walsh 2008-12-05 13:42:23 UTC
Munin is listing the contents of the inotify directory. I wonder if some libraries are causing this.

I have added this to the policy in selinux-policy-3.5.13-30.fc10

Comment 5 Dennis Magee 2008-12-05 23:58:21 UTC
Did not have munin-node installed, but it is now. Still getting SELinux pop-ups exactly every five minutes.

Comment 6 Kevin Fenzi 2008-12-07 03:12:20 UTC
Dennis: Can you try upgrading to the selinux-policy-3.5.13-30.fc10 that was mentioned in comment #4? Either wait for it to be released as an update, or you can get it directly from the build system at: 
http://koji.fedoraproject.org/koji/buildinfo?buildID=73064

Comment 7 Daniel Walsh 2008-12-09 19:48:05 UTC
I released it today.

Comment 8 Dennis Magee 2008-12-16 23:33:11 UTC
I updated selinux and I am still experiencing the same problem.

Comment 9 Daniel Walsh 2008-12-17 15:44:29 UTC
rpm -q selinux-policy-targeted

Comment 10 Dennis Magee 2008-12-17 23:58:57 UTC
rpm -q selinux-policy-targeted shows:

selinux-policy-targeted-3.5.13-30.fc10.noarch

Comment 11 Daniel Walsh 2008-12-18 14:54:34 UTC
Please update to selinux-policy-3.5.13-34.fc10

yum update selinux-policy-targeted

Comment 12 Dennis Magee 2008-12-19 23:56:24 UTC
OK, the problem seems to have gone away. Thanks a lot, guys.