Bug 652936
| Summary: | Munin plugins unable to save state | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mike Tillberg <mike.tillberg> | |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | 14 | CC: | dwalsh, ingvar, kevin, mgrepl | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.9.7-12.fc14 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 799266 (view as bug list) | Environment: | ||
| Last Closed: | 2010-11-21 21:59:51 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 799266 | |||
Moving over to selinux policy for comment from them. You can allow it for now using # grep disk_munin_plugin_t /var/log/audit/audit.log | audit2allow -M mypol # semodule i mypol.pp Fixed in selinux-policy-3.9.7-13.fc14 Thanks for looking at this. I can confirm that adding the var_lib rule fixes the issue. selinux-policy-3.9.7-12.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14 selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14 Removed the temporary policy, confirmed that the error returned. Installed the updated selinux policy and confirmed the new policy fixes the issue. selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Various munin plugins (diskstats, smart_) are unable to save state files in /var/lib/munin/plugin-state/. This appears to be a SELinux issue. Version-Release number of selected component (if applicable): munin-node 1.4.5-4.fc14 selinux-policy 3.9.7-10.fc14 How reproducible: Always Steps to Reproduce: 1. Fresh F14 install w/ latest munin-node and selinux 2. ln -s /usr/share/munin/plugins/diskstats /etc/munin/plugins 3. service start munin-node 4. echo "fetch diskstats" | nc localhost 4949 Actual results: # munin node at localhost.localdomain # Bad exit . in /var/log/munin/munin.log: 2010/11/13-10:59:17 [10753] Error output from diskstats: 2010/11/13-10:59:17 [10753] diskstats: Could not open statefile '/var/lib/munin/plugin-state/diskstats-127.0.0.1' for writing: Permission denied 2010/11/13-10:59:17 [10753] Service 'diskstats' exited with status 13/0. Expected results: Additional info: This appears to be an issue with SELinux denying search access to /var/lib. There are no messages generated in the audit.log by default. Disabling SELinux (setenforce 0) allows the plugins to work, also switching the plugins to save state in /tmp will allow them to work as well. Enabling full AVC error logging (semodule -DB) finally showed the following: type=AVC msg=audit(1289588177.500:30525): avc: denied { search } for pid=19764 comm="diskstats" name="lib" dev=dm-0 ino=1835010 scontext=unconfined_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1289588177.500:30525): arch=c000003e syscall=2 success=no exit=-13 a0=1181930 a1=241 a2=1b6 a3=7fd5943ff3e0 items=0 ppid=19763 pid=19764 auid=500 uid=489 gid=484 euid=489 suid=489 fsuid=489 egid=484 sgid=484 fsgid=484 tty=(none) ses=1 comm="diskstats" exe="/usr/bin/perl" subj=unconfined_u:system_r:disk_munin_plugin_t:s0 key=(null)