Bug 582450

Summary: munin_t: Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 12
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: d. johnson <drjohnson1>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: art-rh
Fixed In Version: selinux-policy-3.6.32-113.fc12
Doc Type: Bug Fix
Last Closed: 2010-05-03 16:10:24 UTC

Description d. johnson 2010-04-15 02:08:18 UTC
Description of problem:

Example audit2why entry:

type=AVC msg=audit(1271188810.713:38): avc:  denied  { ioctl } for  pid=3774 comm="grep" path="/proc/1542/status" dev=proc ino=21563 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1271188810.719:39): avc:  denied  { ioctl } for  pid=3774 comm="grep" path="/proc/1564/status" dev=proc ino=21569 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).

type=AVC msg=audit(1271188810.719:40): avc:  denied  { ioctl } for  pid=3774 comm="grep" path="/proc/1599/status" dev=proc ino=21575 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=file

	Was caused by:
		Policy constraint violation.

		May require adding a type attribute to the domain or type to satisfy the constraint.

		Constraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).



Version-Release number of selected component (if applicable):

munin-1.4.4-1.fc12 + selinux-policy-targeted-3.6.32-110.fc12

How reproducible:

100%

Steps to Reproduce:
1. install munin-node.
2. wait 5mins for polling cycle.
3. ausearch -m avc -ts recent | audit2why
  
Actual results:

I have 13044 AVCs in the span of a few hours if you need more samples than the above.

Expected results:

AVCs should not be generated.

Additional info:

All AVCs went away by adding this module:

# cat mymunin2.te 
policy_module(mymunin2, 1.0.0)
gen_require(`
type munin_t, munin_exec_t;
')
init_ranged_daemon_domain(munin_t, munin_exec_t, s0 - mcs_systemhigh)
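
An added triage example (not part of the original report or of the selinux-policy sources): it reads the scontext and tcontext of the AVC records above and checks whether the source's high MCS level dominates the target's, first as logged and then with the ranged domain from the module above. It assumes the MCS file constraint is a dominance test (h1 dom h2) and that mcs_systemhigh is s0:c0.c1023, as the tcontext fields suggest; the control record and the function names are constructed for illustration.

```python
import re

# The three AVC records from the bug description.
PAGE_AVCS = [
    'type=AVC msg=audit(1271188810.713:38): avc:  denied  { ioctl } for  pid=3774 comm="grep" path="/proc/1542/status" dev=proc ino=21563 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=file',
    'type=AVC msg=audit(1271188810.719:39): avc:  denied  { ioctl } for  pid=3774 comm="grep" path="/proc/1564/status" dev=proc ino=21569 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file',
    'type=AVC msg=audit(1271188810.719:40): avc:  denied  { ioctl } for  pid=3774 comm="grep" path="/proc/1599/status" dev=proc ino=21575 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=file',
]
# Constructed control record: the target carries no categories.
CONTROL_AVC = 'type=AVC msg=audit(0.000:1): avc:  denied  { ioctl } for  pid=1 comm="grep" scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=file'

AVC_RE = re.compile(r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")


def parse_level(level):
    """'s0:c0.c1023' -> (sensitivity, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    members = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")      # 'c0.c1023' is an inclusive range
        lo = int(lo[1:])
        hi = int(hi[1:]) if hi else lo
        members.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(members)


def high_level(context):
    """High end of the MLS/MCS range in user:role:type:low[-high]."""
    mls = context.split(":", 3)[3]
    return parse_level(mls.split("-")[-1].strip())


def dominates(a, b):
    """a dominates b: sensitivity at least as high and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]


def mcs_blocked(avc, source_range=None):
    """True when the source high level fails the assumed 'h1 dom h2' test."""
    scon, tcon, _tclass = AVC_RE.search(avc).groups()
    if source_range:  # model the source running as a ranged domain
        scon = ":".join(scon.split(":", 3)[:3] + [source_range])
    return not dominates(high_level(scon), high_level(tcon))


if __name__ == "__main__":
    for avc in PAGE_AVCS + [CONTROL_AVC]:
        tcon = AVC_RE.search(avc).group(2)
        print(tcon, "as logged:", mcs_blocked(avc),
              "ranged:", mcs_blocked(avc, "s0-s0:c0.c1023"))
```

A record that fails this check will not be resolved by an audit2allow-style allow rule, because the denial comes from the constraint rather than from a missing type-enforcement rule.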

Comment 1 Daniel Walsh 2010-04-15 14:06:47 UTC
Miroslav, grab the mcs definition from F13.

Comment 2 Miroslav Grepl 2010-04-22 16:08:52 UTC
Fixed in selinux-policy-3.6.32-113.fc12

Comment 3 Fedora Update System 2010-04-23 12:45:36 UTC
selinux-policy-3.6.32-113.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

Comment 4 Fedora Update System 2010-04-27 02:24:10 UTC
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-113.fc12

Comment 5 Fedora Update System 2010-05-03 16:08:13 UTC
selinux-policy-3.6.32-113.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.