Bug 748190

Summary: Missing SELinux rules block use of Munin's plugin selinux_avcstat
Product: Red Hat Enterprise Linux 6
Reporter: Gabriele Pohl <contact>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: medium
Version: 6.1
CC: drjohnson1, dwalsh, ebenes, ingvar, kevin, ksrot, mmalik
Target Milestone: rc
Target Release: 6.3
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-1365.el6
Doc Type: Bug Fix
Clone Of: ---
Clones: 748737
Last Closed: 2012-06-20 12:28:09 UTC
Bug Depends On: ---
Bug Blocks: 748737

Description Gabriele Pohl 2011-10-22 21:47:23 UTC
Description of problem:

Get "Unknown" values from plugin selinux_avcstat when fetching the values from munin-node via telnet.

Version-Release number of selected component (if applicable):

Name        : munin-node                   Relocations: (not relocatable)
Version     : 1.4.6                             Vendor: Fedora Project
Release     : 4.el6.2                       Build Date: Mon 12 Sep 2011 10:28:21 PM CEST

How reproducible:

Steps to Reproduce:

1. Install munin-node. 
   Autoconfiguration finds and can read the file /selinux/avc/cache_stats
   and therefore activates the plugin on the node.

2. See that you get only "Unknown" values:

----- 8< -----
# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value U
hits.value U
misses.value U
allocations.value U
reclaims.value U
frees.value U
.
----- >8 -----


Actual results:

No values in graph.

Expected results:

I get reasonable values from the plugin
when I run it via "munin-run" on the node:

----- 8< -----
# munin-run selinux_avcstat 
lookups.value 25863367
hits.value 25837715
misses.value 25652
allocations.value 25657
reclaims.value 24624
frees.value 25156
----- >8 -----

After installing the following rule
(see the recipe by arth in the older bug report
https://bugzilla.redhat.com/show_bug.cgi?id=581270)

--- cut here ---
module muninlocal 0.0.1;

require {
        type munin_t;
        type security_t;
        class file { getattr read open };
}

allow munin_t security_t:file { getattr read open };
--- cut here ---

Save as muninlocal.te

Compile and install with:

checkmodule -M -m -o muninlocal.mod muninlocal.te
semodule_package -o muninlocal.pp -m muninlocal.mod
semodule -i muninlocal.pp

the problem is solved:

# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value 33223592
hits.value 33194702
misses.value 28890
allocations.value 28900
reclaims.value 27856
frees.value 28392
.

Please add the additional rules to munin.pp
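
The following is an added example, not code from the bug report or from the selinux-policy or munin projects. It is a minimal stand-in for the audit2allow step that the recipe above implies but does not show: it parses AVC denials of the kind munin_t produces when selinux_avcstat opens /selinux/avc/cache_stats, aggregates them per (source type, target type, class), and renders a .te module in the same shape as muninlocal.te. The audit lines in SAMPLE_AUDIT_LOG are constructed for the example (pids, inode, timestamps and serial numbers are made up), and the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from the bug report): the
# denials a confined munin_t plugin would log while reading cache_stats on
# selinuxfs. The SYSCALL record is included to show non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1319312843.512:4021): avc:  denied  { read } for  pid=2817 comm="selinux_avcstat" name="cache_stats" dev=selinuxfs ino=20 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1319312843.512:4021): avc:  denied  { open } for  pid=2817 comm="selinux_avcstat" path="/selinux/avc/cache_stats" dev=selinuxfs ino=20 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1319312844.101:4022): avc:  denied  { getattr } for  pid=2817 comm="selinux_avcstat" path="/selinux/avc/cache_stats" dev=selinuxfs ino=20 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1319312844.101:4022): arch=c000003e syscall=2 success=no exit=-13 ...
"""

# One AVC record: the denied permission set, then source/target contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC denials."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD records etc. carry no denial to translate
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)


def render_module(denials, name, version='0.0.1'):
    """Render a policy module source (.te) with a require block and allow rules."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    for (src, tgt, tclass), perms in sorted(denials.items()):
        lines.append(f'allow {src} {tgt}:{tclass} {{ {" ".join(sorted(perms))} }};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Feed /var/log/audit/audit.log here on a real host; the sample stands in for it.
    print(render_module(parse_denials(SAMPLE_AUDIT_LOG), 'muninlocal'))
```

Two caveats a practitioner should keep in mind. First, denials hidden by dontaudit rules never reach the log, so a module built only from what was logged can still be incomplete (on a real host, `semodule -DB` disables dontaudit rules while you reproduce, `semodule -B` restores them). Second, an allow rule generated this way grants the access to the whole munin_t domain, i.e. to every plugin munin-node runs; that blanket grant is what the maintainers push back on in the following comments, and their plugin-domain approach confines the grant to the one executable type the selinux_avcstat plugin runs under.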

Comment 1 Kevin Fenzi 2011-10-25 01:33:44 UTC
This would need to be changed in the RHEL6 selinux policy. 

Moving it over there for comment.

Comment 3 Miroslav Grepl 2011-10-25 08:27:52 UTC
First I wouldn't use telnet for this. Also this is definitely something that we don't want to allow for munin.

If we want to allow it, it means we should probably add a new munin plugin domain.

You can test this policy

# cat mymunin.te

munin_plugin_template(admin)
permissive admin_munin_plugin_t;
selinux_get_enforce_mode(admin_munin_plugin_t)



and run

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t admin_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat

Comment 4 Daniel Walsh 2011-10-25 12:54:04 UTC
I might call this selinux rather than admin.

munin_plugin_template(selinux)
permissive selinux_munin_plugin_t;
selinux_get_enforce_mode(selinux_munin_plugin_t)


# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat


And if selinux_avcstat is part of the standard munin, I have no problem adding it.

Comment 5 Miroslav Grepl 2011-10-25 12:58:11 UTC
(In reply to comment #4)
> I might call this selinux rather than admin.
> 
> munin_plugin_template(selinux)
> permissive selinux_munin_plugin_t;
> selinux_get_enforce_mode(selinux_munin_plugin_t)
> 
> 
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mymunin.pp
> # chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat
> 
> 
> And if selinux_avcstat is part of the standard munin, I have no problem adding
> it.

Yes, it is.

Comment 6 Gabriele Pohl 2011-10-26 07:30:26 UTC
(In reply to comment #3)
> First I wouldn't use telnet for this. 

What will you use instead to debug the missing values in munin graphs?
Using telnet is the recommended method described in Munins documentation wiki. 
Please add a recipe of your better way also there:
http://munin-monitoring.org/wiki/Debugging_Munin_plugins

Comment 7 Miroslav Grepl 2011-10-26 08:04:50 UTC
Oops, I missed this is on your localhost. 

I thought munin logs its own events.

Comment 10 Miroslav Grepl 2012-01-26 09:00:38 UTC
fixed in selinux-policy-3.7.19-136.el6

Comment 14 errata-xmlrpc 2012-06-20 12:28:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html