Bug 748190
| Field | Value |
|---|---|
| Summary | Missing SELinux rules block use of munins plugin selinux_avcstat |
| Product | Red Hat Enterprise Linux 6 |
| Component | selinux-policy |
| Version | 6.1 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Hardware | All |
| OS | Linux |
| Reporter | Gabriele Pohl <contact> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Michal Trunecka <mtruneck> |
| CC | drjohnson1, dwalsh, ebenes, ingvar, kevin, ksrot, mmalik |
| Target Milestone | rc |
| Target Release | 6.3 |
| Fixed In Version | selinux-policy-3.7.19-1365.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2012-06-20 12:28:09 UTC |
| Bug Blocks | 748737 |

Description
Gabriele Pohl
2011-10-22 21:47:23 UTC
This would need to be changed in the RHEL6 selinux policy. Moving it over there for comment.

First I wouldn't use telnet for this. Also this is definitely something that we don't want to allow for munin. If we want to allow it, it means we should probably add a new munin plugin domain.

You can test this policy

```
# cat mymunin.te
munin_plugin_template(admin)
permissive admin_munin_plugin_t;
selinux_get_enforce_mode(admin_munin_plugin_t)
```

and run

```
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t admin_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat
```

I might call this selinux rather than admin.

```
munin_plugin_template(selinux)
permissive selinux_munin_plugin_t;
selinux_get_enforce_mode(selinux_munin_plugin_t)
```

```
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat
```

And if selinux_avcstat is part of the standard munin, I have no problem adding it.

(In reply to comment #4)
> I might call this selinux rather than admin.
>
> munin_plugin_template(selinux)
> permissive selinux_munin_plugin_t;
> selinux_get_enforce_mode(selinux_munin_plugin_t)
>
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mymunin.pp
> # chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat
>
>
> And if selinux_avcstat is part of the standard munin, I have no problem adding
> it.

Yes, it is.

(In reply to comment #3)
> First I wouldn't use telnet for this.

What will you use instead to debug the missing values in munin graphs? Using telnet is the recommended method described in Munin's documentation wiki. Please add a recipe of your better way also there: http://munin-monitoring.org/wiki/Debugging_Munin_plugins

Oops, I missed this is on your localhost. I thought the munin logs own events.

Fixed in selinux-policy-3.7.19-136.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html