| Summary: | Some munin plugins lack proper SELinux policies | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Paavo Pokkinen <paveq2> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.0 | CC: | drjohnson1, dwalsh, ebenes, ingvar, kevin, mmalik |
| Target Milestone: | rc | | |
| Target Release: | 6.3 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-136.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 12:29:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |

Created attachment 542530
Output to audit.log

Moving to selinux-policy for comment.

Paavo, do you know which plugins cause AVC msgs for munin_disk_plugin_t domain? I think it is diskstats plugin. Could be also df or df_inode.

Also, perhaps unrelated to this, I think /var/lib/munin/plugin-state might have wrong permissions. Some plugins are running as nobody with group munin, and then can't create files there. I solved this with chmod 775.

Fixed in selinux-policy-3.7.19-136.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

Description of problem:
Some munin plugins try to communicate with nscd without proper selinux policies. This results in flooding of /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
Name : munin-node
Arch : noarch
Version : 1.4.6
Release : 4.el6.2
Size : 1.1 M
Repo : installed
From repo : epel

How reproducible:

Steps to Reproduce:
1. Install munin-node
2. Use plugins postfix_mailqueue or http_loadtime, probably others
3. Observe /var/log/audit/audit.log

Actual results:

Expected results:

Additional info:
audit2allow outputs:

```
#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t nscd_t:nscd shmempwd;
allow munin_disk_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_disk_plugin_t nscd_var_run_t:file read;
allow munin_disk_plugin_t nscd_var_run_t:sock_file write;

#============= munin_mail_plugin_t ==============
allow munin_mail_plugin_t nscd_t:nscd shmempwd;
allow munin_mail_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_mail_plugin_t nscd_var_run_t:file read;
allow munin_mail_plugin_t nscd_var_run_t:sock_file write;

#============= munin_services_plugin_t ==============
allow munin_services_plugin_t nscd_t:nscd { shmempwd shmemhost shmemserv gethost };
allow munin_services_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_services_plugin_t nscd_var_run_t:file read;
allow munin_services_plugin_t nscd_var_run_t:sock_file write;
```
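One way to see which command triggers the denials in each munin plugin domain, as an added example (not part of the original bug report or of selinux-policy): a small Python triage script that groups kernel AVC records by source domain and `comm`, then prints the denials in audit2allow's layout. The log lines are constructed samples, and `summarize` and `allow_rules` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format; NOT taken from the bug's attachment.
# The kernel truncates comm= to 15 characters, so postfix_mailqueue shows as postfix_mailque.
SAMPLE_LOG = """\
type=AVC msg=audit(1322481601.101:901): avc:  denied  { write } for  pid=4101 comm="postfix_mailque" name="socket" dev=dm-0 ino=131 scontext=system_u:system_r:munin_mail_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1322481601.102:902): avc:  denied  { connectto } for  pid=4101 comm="postfix_mailque" path="/var/run/nscd/socket" scontext=system_u:system_r:munin_mail_plugin_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1322481601.102:902): arch=c000003e syscall=42 success=no exit=-13 comm="postfix_mailque"
type=AVC msg=audit(1322481602.210:903): avc:  denied  { read } for  pid=4120 comm="df" name="passwd" dev=dm-0 ino=140 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=file
type=AVC msg=audit(1322481602.350:904): avc:  denied  { write } for  pid=4133 comm="diskstats" name="socket" dev=dm-0 ino=131 scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1322481603.020:905): avc:  denied  { connectto } for  pid=4150 comm="http_loadtime" path="/var/run/nscd/socket" scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1322481604.500:906): avc:  denied  { getattr } for  pid=2210 comm="httpd" path="/srv/www" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

# Records without a comm= field (such as userspace USER_AVC records) do not match and are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<sdom>[^:\s]+)\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+tclass=(?P<tclass>\w+)')

def summarize(log_text, domain_prefix="munin_"):
    """Group AVC denials by source domain: which commands hit them, and what was denied."""
    summary = defaultdict(lambda: {"comms": set(), "denied": defaultdict(set)})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or not m["sdom"].startswith(domain_prefix):
            continue  # not an AVC denial, or a domain outside the munin plugin set
        entry = summary[m["sdom"]]
        entry["comms"].add(m["comm"])
        entry["denied"][(m["ttype"], m["tclass"])].update(m["perms"].split())
    return summary

def allow_rules(summary):
    """Render the grouped denials in the same layout audit2allow prints."""
    lines = []
    for sdom in sorted(summary):
        lines.append(f"#============= {sdom} ==============")
        for (ttype, tclass), perms in sorted(summary[sdom]["denied"].items()):
            p = sorted(perms)
            perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            lines.append(f"allow {sdom} {ttype}:{tclass} {perm_text};")
    return lines

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for dom in sorted(s):
        print(dom, "<-", ", ".join(sorted(s[dom]["comms"])))
    print("\n".join(allow_rules(s)))
```

On a real host, pass the contents of /var/log/audit/audit.log to `summarize` instead of `SAMPLE_LOG`.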