Bug 861911

Summary: unbound-munin doesn't work with SELinux enabled
Product: [Fedora] Fedora
Reporter: Sander Hoentjen <sander>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, lvrabec, mgrepl, peter.meier, pwouters
Doc Type: Bug Fix
Last Closed: 2013-10-24 17:22:40 UTC
Type: Bug
Attachments:
unbound-munin.te (flags: none)
unbound-munin.fc (flags: none)

Description Sander Hoentjen 2012-10-01 10:21:17 UTC
Description of problem:
With SELinux in enforcing mode, the unbound-munin plugins don't work out of the box.

Version-Release number of selected component (if applicable):
1.4.16-2.el6

How reproducible:
Always

Steps to Reproduce:
1. Have selinux in enforcing mode
2. install unbound-munin and start munin-node
3. try to get the unbound stats
  
Actual results:
No stats

Expected results:
stats are collected

Additional info:
To fix it, one can manually change the type of /usr/share/munin/plugins/unbound to munin_system_plugin_exec_t, and allow munin_system_plugin_exec_t to read the unbound config file:

allow munin_system_plugin_t named_conf_t:file { read ioctl open getattr };

It would be nice if either unbound-munin supplied this, or it would be included in the default policy.
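
The workaround described in the report above, packaged as a local policy module. This is an added example, not the reporter's attached unbound-munin.te/.fc (their contents are not shown on this page). The module name `unbound_munin_local` and the function names are assumptions; applying it requires root plus the policycoreutils and checkpolicy tools.

```shell
#!/bin/sh
# Added example: local SELinux fix for the unbound munin plugin.
# MODULE and the function names are hypothetical; the path, the types and
# the allow rule are the ones quoted in the bug description.
MODULE=unbound_munin_local
PLUGIN=/usr/share/munin/plugins/unbound

# Print the type-enforcement source for the local module.
emit_te() {
cat <<EOF
module $MODULE 1.0;

require {
    type munin_system_plugin_t;
    type named_conf_t;
    class file { read ioctl open getattr };
}

# Let the plugin domain read unbound's config (labeled named_conf_t).
allow munin_system_plugin_t named_conf_t:file { read ioctl open getattr };
EOF
}

# Relabel the plugin persistently, then build and load the module.
apply_fix() {
    work=$(mktemp -d) || return 1
    emit_te > "$work/$MODULE.te"
    # Persistent file-context rule; survives a relabel, unlike chcon.
    semanage fcontext -a -t munin_system_plugin_exec_t "$PLUGIN" &&
    restorecon -v "$PLUGIN" &&
    checkmodule -M -m -o "$work/$MODULE.mod" "$work/$MODULE.te" &&
    semodule_package -o "$work/$MODULE.pp" -m "$work/$MODULE.mod" &&
    semodule -i "$work/$MODULE.pp"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Show the resulting label and confirm the module is loaded.
verify_fix() {
    ls -Z "$PLUGIN" && semodule -l | grep -q "^$MODULE"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    apply_fix && verify_fix
fi
```

Run the script with the argument `apply` to install; without it the script only defines the functions, so `emit_te` can be reviewed before anything is loaded.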

Comment 1 Sander Hoentjen 2012-10-02 09:50:49 UTC
Created attachment 620201
unbound-munin.te

Comment 2 Sander Hoentjen 2012-10-02 09:58:24 UTC
Created attachment 620206
unbound-munin.fc

Comment 3 Paul Wouters 2012-10-31 17:00:58 UTC
Dan, can you update selinux-policy for this?

Comment 4 Daniel Walsh 2012-11-05 20:08:16 UTC
Miroslav, shouldn't the default label on /usr/share/munin/plugins be munin_plugin_exec_t?

Comment 5 Miroslav Grepl 2012-11-06 08:41:23 UTC
Thanks for the patch. I added it to RHEL6/F18/F17.

Basically, there should not be munin_exec_t labeling. If yes, then this is a bug. We could consider adding this new type/domain for plugins which don't have correct labeling.