Bug 886704

Summary: SELinux is preventing /usr/sbin/postconf from 'create' accesses on the tcp_socket .
Product: [Fedora] Fedora
Reporter: Till Maas <opensource>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl, opensource
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:7254400ae9b9b284281ffa8123c8966fd1b7aaaf7630384434d42166244e8ca1
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 03:57:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  type (attachment 662671) - Flags: none
  hashmarkername (attachment 662672) - Flags: none

Description Till Maas 2012-12-12 22:51:38 UTC
Description of problem:
After I installed munin and got it to run, the error happens.

Additional info:
libreport version: 2.0.18
kernel:         3.6.9-2.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/postconf from 'create' accesses on the tcp_socket .
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that postconf should be allowed create access on tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep postconf /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:mail_munin_plugin_t:s0
:Target Context                system_u:system_r:mail_munin_plugin_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        postconf
:Source Path                   /usr/sbin/postconf
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           postfix-2.9.4-3.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.9-2.fc17.x86_64 #1 SMP Tue Dec
:                              4 13:26:04 UTC 2012 x86_64 x86_64
:Alert Count                   173
:First Seen                    2012-12-12 16:42:07 CET
:Last Seen                     2012-12-12 23:45:11 CET
:Local ID                      93c735d0-8c75-4ec1-b24b-287bda7765f3
:
:Raw Audit Messages
:type=AVC msg=audit(1355352311.313:3709): avc:  denied  { create } for  pid=20538 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1355352311.313:3709): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=1 a2=0 a3=15 items=0 ppid=20537 pid=20538 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm=postconf exe=/usr/sbin/postconf subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
:
:Hash: postconf,mail_munin_plugin_t,mail_munin_plugin_t,tcp_socket,create
:
:audit2allow
:
:#============= mail_munin_plugin_t ==============
:allow mail_munin_plugin_t self:tcp_socket create;
:
:audit2allow -R
:
:#============= mail_munin_plugin_t ==============
:allow mail_munin_plugin_t self:tcp_socket create;
:

Comment 1 Till Maas 2012-12-12 22:51:41 UTC
Created attachment 662671 [details]
File: type

Comment 2 Till Maas 2012-12-12 22:51:43 UTC
Created attachment 662672 [details]
File: hashmarkername

Comment 3 Till Maas 2012-12-20 20:00:29 UTC
It happens with munin monitoring.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 4 Till Maas 2012-12-28 15:44:54 UTC
It happens if munin-node is used.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 5 Miroslav Grepl 2013-01-02 11:16:27 UTC
Till,
could you execute

# semanage permissive -a mail_munin_plugin_t

and re-test to collect all AVC msgs. Thank you.

Then execute

# semanage permissive -d mail_munin_plugin_t

Comment 6 Till Maas 2013-01-02 16:55:36 UTC
Is there an easy way to get the list of all AVC messages that have not yet been reported?

(In reply to comment #5)
> Till,
> could you execute
> 
> # semanage permissive -a mail_munin_plugin_t
> 
> and re-test to collect all AVC msgs. Thank you.

----
time->Wed Jan  2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.616:9084): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=15 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.616:9084): avc:  denied  { create } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
----
time->Wed Jan  2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.617:9085): arch=c000003e syscall=2 success=yes exit=3 a0=7ff0fe1cf36e a1=80000 a2=1b6 a3=238 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.617:9085): avc:  denied  { open } for  pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.617:9085): avc:  denied  { read } for  pid=16887 comm="postconf" name="resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan  2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.617:9086): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff093a8f90 a2=7fff093a8f90 a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.617:9086): avc:  denied  { getattr } for  pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan  2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9087): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=0 a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9087): avc:  denied  { create } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan  2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9088): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fff093ab820 a2=c a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9088): avc:  denied  { bind } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan  2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9089): arch=c000003e syscall=51 success=yes exit=0 a0=3 a1=7fff093ab820 a2=7fff093ab81c a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9089): avc:  denied  { getattr } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan  2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9090): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fff093ab7a0 a2=14 a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9090): avc:  denied  { nlmsg_read } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket

Comment 7 Till Maas 2013-01-02 16:57:42 UTC
Here are some more:
time->Wed Jan  2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.350:9096): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=15 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.350:9096): avc:  denied  { create } for  pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
----
time->Wed Jan  2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.368:9097): arch=c000003e syscall=2 success=yes exit=3 a0=7fb2a73e036e a1=80000 a2=1b6 a3=238 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.368:9097): avc:  denied  { open } for  pid=17614 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145747.368:9097): avc:  denied  { read } for  pid=17614 comm="postconf" name="resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan  2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.368:9098): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff74ba6670 a2=7fff74ba6670 a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.368:9098): avc:  denied  { getattr } for  pid=17614 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan  2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.369:9099): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=0 a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.369:9099): avc:  denied  { create } for  pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan  2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.371:9100): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fff74ba8f00 a2=c a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.371:9100): avc:  denied  { bind } for  pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan  2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.371:9101): arch=c000003e syscall=51 success=yes exit=0 a0=3 a1=7fff74ba8f00 a2=7fff74ba8efc a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.371:9101): avc:  denied  { getattr } for  pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan  2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.371:9102): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fff74ba8e80 a2=14 a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.371:9102): avc:  denied  { nlmsg_read } for  pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan  2 17:55:51 2013
type=SYSCALL msg=audit(1357145751.362:9104): arch=c000003e syscall=4 success=no exit=-13 a0=1d28ec0 a1=7fffeebb9990 a2=7fffeebb9990 a3=b items=0 ppid=17800 pid=17801 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="sntp.sh" exe="/usr/bin/bash" subj=system_u:system_r:services_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145751.362:9104): avc:  denied  { getattr } for  pid=17801 comm="sntp.sh" path="/usr/sbin/sntp" dev="dm-1" ino=195911 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
----
time->Wed Jan  2 17:55:51 2013
type=SYSCALL msg=audit(1357145751.361:9103): arch=c000003e syscall=4 success=no exit=-13 a0=1d28ec0 a1=7fffeebb9990 a2=7fffeebb9990 a3=f items=0 ppid=17800 pid=17801 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="sntp.sh" exe="/usr/bin/bash" subj=system_u:system_r:services_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145751.361:9103): avc:  denied  { getattr } for  pid=17801 comm="sntp.sh" path="/usr/sbin/sntp" dev="dm-1" ino=195911 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
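To see what the denials collected with the permissive-domain procedure from comment 5 add up to as policy, here is an added example (not code from this bug report, from Till's or Miroslav's posts, or from the selinux-policy package): it parses AVC records, groups them by source type, target type and object class, and prints the same merged allow rules that `audit2allow` prints for them. The AVC lines embedded as input are copied from comments 6 and 7; the function names (`parse_avc`, `aggregate`, `format_rules`) are this example's own.

```python
"""Group SELinux AVC denials into audit2allow-style allow rules.

Added example for this bug report; not part of selinux-policy. The
sample records below are copied from the permissive-mode run posted in
the report (comments 6 and 7) and serve as constructed offline input.
"""
import re
from collections import defaultdict

# Sample input: AVC records as they appear in audit.log / ausearch output,
# plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(1357145550.616:9084): avc:  denied  { create } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357145550.617:9085): avc:  denied  { open } for  pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.617:9085): avc:  denied  { read } for  pid=16887 comm="postconf" name="resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.617:9086): avc:  denied  { getattr } for  pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.618:9087): avc:  denied  { create } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1357145550.618:9088): avc:  denied  { bind } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1357145550.618:9089): avc:  denied  { getattr } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1357145550.618:9090): avc:  denied  { nlmsg_read } for  pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1357145751.362:9104): avc:  denied  { getattr } for  pid=17801 comm="sntp.sh" path="/usr/sbin/sntp" dev="dm-1" ino=195911 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1357145550.616:9084): arch=c000003e syscall=41 success=yes exit=3 comm="postconf"
"""

# The fields we need from an AVC record: the denied permission set and the
# source/target security contexts plus the object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return (src_type, tgt_type, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (type_of(m['scontext']), type_of(m['tcontext']),
            m['tclass'], frozenset(m['perms'].split()))


def aggregate(lines):
    """Merge all denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        rules[(src, tgt, tclass)].update(perms)
    return rules


def format_rules(rules):
    """Render merged denials as TE allow rules, 'self' when src == tgt."""
    out = []
    for (src, tgt, tclass) in sorted(rules):
        perms = sorted(rules[(src, tgt, tclass)])
        target = 'self' if src == tgt else tgt
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append(f'allow {src} {target}:{tclass} {perm_str};')
    return out


if __name__ == '__main__':
    for rule in format_rules(aggregate(SAMPLE_AVCS.splitlines())):
        print(rule)
```

The merged output is the full set of accesses the two munin plugin domains were denied during the run, which is what `audit2allow` (without `-R`) would also print; it is the list to review against what the plugins legitimately need, and in this report that review ended in the distribution policy update selinux-policy-3.10.0-166.fc17 rather than a locally installed module.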

Comment 8 Miroslav Grepl 2013-01-03 09:16:20 UTC
Thank you for testing. I added fixes.

Comment 9 Fedora Update System 2013-01-03 13:05:32 UTC
selinux-policy-3.10.0-166.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17

Comment 10 Fedora Update System 2013-01-05 06:37:35 UTC
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-01-07 03:57:29 UTC
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.