Bug 843455
| Summary: | munin_stats broken after upgrade to 6.3 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Alexander Kirillov <nevis2us> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Michal Trunecka <mtruneck> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3 | CC: | drjohnson1, dwalsh, ebenes, ingvar, kevin, mmalik, mtruneck |
| Target Milestone: | rc | ||
| Target Release: | 6.3 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-182.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 08:26:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This looks like it may be a policy issue in el6, moving to there for comment. Yes, we need to backport it from Fedora. Fixed in selinux-policy-3.7.19-159.el6 Here is another AVC. I just let munin daemon run and I discovered this during some non-related tests:
selinux-policy-3.7.19-162.el6.noarch
munin-1.4.7-5.el6.noarch
munin-node-1.4.7-5.el6.noarch
munin-common-1.4.7-5.el6.noarch
----
time->Mon Sep 24 15:55:03 2012
type=PATH msg=audit(1348494903.742:2273): item=0 name="/var/lib/munin/plugin-state/munin_stats-127.0.0.1" inode=278001 dev=fd:00 mode=0100664 ouid=99 ogid=491 rdev=00:00 obj=unconfined_u:object_r:munin_plugin_state_t:s0
type=CWD msg=audit(1348494903.742:2273): cwd="/"
type=SYSCALL msg=audit(1348494903.742:2273): arch=c000003e syscall=2 success=yes exit=3 a0=e56a50 a1=241 a2=1b6 a3=7f1d58f21be0 items=1 ppid=31621 pid=31795 auid=0 uid=99 gid=491 euid=99 suid=99 fsuid=99 egid=491 sgid=491 fsgid=491 tty=(none) ses=8 comm="munin_stats" exe="/usr/bin/perl" subj=unconfined_u:system_r:munin_t:s0 key=(null)
type=AVC msg=audit(1348494903.742:2273): avc: denied { write } for pid=31795 comm="munin_stats" name="munin_stats-127.0.0.1" dev=dm-0 ino=278001 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:munin_plugin_state_t:s0 tclass=file
Fixed in selinux-policy-3.7.19-182.el6
# sesearch -A -s munin_t -t munin_t -c capability -p kill
Found 1 semantic av rules:
allow munin_t munin_t : capability { chown dac_override kill setgid setuid sys_rawio } ;
And what about the rule from Comment 7? allow munin_system_plugin_t munin_log_t:dir search; Should be also fixed. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html |
Description of problem: munin_stats plugin no longer works after upgrade to 6.3 Version-Release number of selected component (if applicable): munin-node-1.4.7-5.el6.noarch selinux-policy-targeted-3.7.19-155.el6_3.noarch Additional info: On a running system the problem could be fixed as follows: 1. Change the context of the plugin executable: # semanage fcontext -a \ > -t munin_system_plugin_exec_t '/usr/share/munin/plugins/munin_.*' Note: Actually this should replace a meaningless rule for '/usr/share/munin/plugins/munin_*' in the current targeted policy. # restorecon -Rv /usr/share/munin 2. Add the following rules to a local policy: type munin_system_plugin_t; type munin_log_t; type var_log_t; allow munin_system_plugin_t var_log_t:dir search; allow munin_system_plugin_t munin_log_t:dir search; allow munin_system_plugin_t munin_log_t:file { read open };