Bug 1076352 - SELinux is preventing /usr/bin/perl from using the net_admin capability.
Summary: SELinux is preventing /usr/bin/perl from using the net_admin capability.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: munin
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: d. johnson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-14 07:44 UTC by Juan Orti
Modified: 2015-03-16 23:07 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-03-16 23:07:18 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
ls -la /etc/munin/plugins/ (6.05 KB, text/plain)
2014-03-17 14:30 UTC, Juan Orti

Description Juan Orti 2014-03-14 07:44:21 UTC
SELinux is preventing /usr/bin/perl from using the net_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:munin_t:s0
Target Context                system_u:system_r:munin_t:s0
Target Objects                 [ capability ]
Source                        munin-node
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           perl-5.18.2-289.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-127.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed> 3.13.6-200.fc20.x86_64
                              #1 SMP Fri Mar 7 17:02:28 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-03-13 21:58:42 CET
Last Seen                     2014-03-13 21:58:42 CET
Local ID                      2e912f32-6dd0-44ed-9d2e-bfcd22427956

Raw Audit Messages
type=AVC msg=audit(1394744322.336:219751): avc:  denied  { net_admin } for  pid=823 comm="munin-node" capability=12  scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=capability


type=SYSCALL msg=audit(1394744322.336:219751): arch=x86_64 syscall=stat success=yes exit=0 a0=207ac70 a1=1eac280 a2=1eac280 a3=0 items=0 ppid=1 pid=823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=munin-node exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0 key=(null)

Hash: munin-node,munin_t,munin_t,capability,net_admin
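The two raw audit records above are the evidence the rest of this thread works from. As an added example (not part of the bug report, nor code from munin or setroubleshoot), here is a small Python triage script that joins the AVC and SYSCALL records on their event serial, decodes the numeric capability field with the kernel's standard capability numbering, and reports the things worth checking before reaching for audit2allow: which binary and command made the request, whether the capability number agrees with the permission named in braces, whether the check was against the process's own context (as every capability check is), and whether the syscall succeeded regardless. The sample log is constructed from the two records quoted above; the capability table is the standard Linux numbering from linux/capability.h.

```python
import re
from collections import defaultdict

# Constructed sample input: the two audit records quoted in the bug description.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1394744322.336:219751): avc:  denied  { net_admin } for  pid=823 comm="munin-node" capability=12  scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=capability
type=SYSCALL msg=audit(1394744322.336:219751): arch=x86_64 syscall=stat success=yes exit=0 a0=207ac70 a1=1eac280 a2=1eac280 a3=0 items=0 ppid=1 pid=823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=munin-node exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0 key=(null)
"""

# Capability numbers as defined in <linux/capability.h>; numbers missing
# from this table are reported as "cap_<n>".
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read",
}

_HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
_AVC = re.compile(
    r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit.log line into header fields plus its key=value pairs."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": m.group("serial"),
           "timestamp": m.group("ts")}
    body = m.group("body")
    if rec["type"] == "AVC":
        avc = _AVC.match(body)
        if not avc:
            return None
        rec["result"] = avc.group("result")
        rec["perms"] = avc.group("perms").split()
        body = avc.group("rest")
    for key, value in _KV.findall(body):
        rec[key] = value.strip('"')
    return rec


def group_by_serial(log_text):
    """The audit subsystem emits several records per event; join them on the serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def summarize_capability_denials(log_text):
    """Return one triage summary per denied capability check found in the log."""
    summaries = []
    for serial, records in group_by_serial(log_text).items():
        avc = next((r for r in records
                    if r["type"] == "AVC" and r.get("tclass") == "capability"
                    and r.get("result") == "denied"), None)
        if avc is None:
            continue
        syscall = next((r for r in records if r["type"] == "SYSCALL"), {})
        cap_num = int(avc.get("capability", -1))
        cap_name = CAPABILITY_NAMES.get(cap_num, f"cap_{cap_num}")
        summaries.append({
            "serial": serial,
            "comm": avc.get("comm"),
            "exe": syscall.get("exe"),
            "capability": cap_name,
            # The braces name the permission; the numeric field should agree with it.
            "consistent": cap_name in avc["perms"],
            # A capability check is always made against the process's own context.
            "self_check": avc.get("scontext") == avc.get("tcontext"),
            "syscall": syscall.get("syscall"),
            # success=yes means the kernel completed the call despite the denial.
            "syscall_succeeded": syscall.get("success") == "yes",
        })
    return summaries


if __name__ == "__main__":
    for summary in summarize_capability_denials(SAMPLE_AUDIT_LOG):
        print(summary)
```

Run against a real /var/log/audit/audit.log the script tells you, per event, which command and executable asked for the capability and whether the denial actually broke anything; on the record above the syscall reports success=yes, so the next step is the one the thread takes (find the plugin that triggers the check) rather than an audit2allow module that would grant munin_t net_admin outright.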

Comment 1 Miroslav Grepl 2014-03-14 09:06:29 UTC
How did it happen? Do you know which plugin was used?

Comment 2 Juan Orti 2014-03-14 21:30:17 UTC
I installed these packages and started munin-node.service:

munin-node-2.0.19-1.fc20.noarch
munin-common-2.0.19-1.fc20.noarch
munin-2.0.19-1.fc20.noarch

I got that avc from the stock config, I didn't change anything. As I'm beginning to learn how munin works, I can't help you much on what it was doing.

Now I'm graphing some other servers and I'm getting tons of avc's, the munin policy seems rather broken :(

Comment 3 Daniel Walsh 2014-03-16 21:51:44 UTC
This indicates that munin code was trying to manipulate the network stack.

Comment 4 Juan Orti 2014-03-17 07:30:18 UTC
(In reply to Daniel Walsh from comment #3)
> This indicates that munin code was trying to manipulate the network stack.

Yes, it seems like something it must not do.

Comment 5 d. johnson 2014-03-17 13:13:40 UTC
If you look in /etc/munin/plugins you can see which plugins are active.

Comment 6 Juan Orti 2014-03-17 14:30:01 UTC
Created attachment 875513 [details]
ls -la /etc/munin/plugins/

I haven't touched anything of this.

Comment 7 d. johnson 2014-03-17 23:30:29 UTC
Most of those are the same as what I have, but I do not get the AVC's you have.  Want to look for the ones that don't match and see if they are the cause of your AVCs?

lrwxrwxrwx. 1 root root 28 Dec 31 19:50 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx. 1 root root 27 Dec 31 19:50 df -> /usr/share/munin/plugins/df
lrwxrwxrwx. 1 root root 33 Dec 31 19:50 df_inode -> /usr/share/munin/plugins/df_inode
lrwxrwxrwx. 1 root root 34 Dec 31 19:50 diskstats -> /usr/share/munin/plugins/diskstats
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 entropy -> /usr/share/munin/plugins/entropy
lrwxrwxrwx. 1 root root 30 Dec 31 19:50 forks -> /usr/share/munin/plugins/forks
lrwxrwxrwx. 1 root root 35 Dec 31 19:50 fw_packets -> /usr/share/munin/plugins/fw_packets
lrwxrwxrwx. 1 root root 28 Dec 31 19:50 if_br0 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 28 Dec 31 19:50 if_eno16777728 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 if_err_br0 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 if_err_eno16777728 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 35 Dec 31 19:50 interrupts -> /usr/share/munin/plugins/interrupts
lrwxrwxrwx. 1 root root 33 Dec 31 19:50 irqstats -> /usr/share/munin/plugins/irqstats
lrwxrwxrwx. 1 root root 29 Dec 31 19:50 load -> /usr/share/munin/plugins/load
lrwxrwxrwx. 1 root root 31 Dec 31 19:50 memory -> /usr/share/munin/plugins/memory
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 netstat -> /usr/share/munin/plugins/netstat
lrwxrwxrwx. 1 root root 29 Dec 31 19:50 nfsd -> /usr/share/munin/plugins/nfsd
lrwxrwxrwx. 1 root root 30 Dec 31 19:50 nfsd4 -> /usr/share/munin/plugins/nfsd4
lrwxrwxrwx. 1 root root 35 Dec 31 19:50 open_files -> /usr/share/munin/plugins/open_files
lrwxrwxrwx. 1 root root 36 Dec 31 19:50 open_inodes -> /usr/share/munin/plugins/open_inodes
lrwxrwxrwx. 1 root root 34 Dec 31 19:50 processes -> /usr/share/munin/plugins/processes
lrwxrwxrwx. 1 root root 33 Dec 31 19:50 proc_pri -> /usr/share/munin/plugins/proc_pri
lrwxrwxrwx. 1 root root 29 Dec 31 19:50 swap -> /usr/share/munin/plugins/swap
lrwxrwxrwx. 1 root root 32 Dec 31 19:50 threads -> /usr/share/munin/plugins/threads
lrwxrwxrwx. 1 root root 31 Dec 31 19:50 uptime -> /usr/share/munin/plugins/uptime
lrwxrwxrwx. 1 root root 30 Dec 31 19:50 users -> /usr/share/munin/plugins/users
lrwxrwxrwx. 1 root root 31 Dec 31 19:50 vmstat -> /usr/share/munin/plugins/vmstat

Comment 8 Juan Orti 2014-03-26 12:05:51 UTC
This is what I did in one of my nodes. I have triggered a SELinux relabel and reinstalled munin-node, but the net_admin errors continue appearing.

1. yum remove -y munin\*
2. rm -rf /etc/munin
3. yum update -y
4. touch /.autorelabel
5. reboot
6. yum install -y munin-node
7. I added a line in /etc/munin/munin-node.conf to allow my server:
     allow ^192\.168\.1\.1$

8. systemctl start munin-node
9. journalctl -a -b -u munin-node

mar 26 12:53:34 foo.example.com systemd[1]: Starting Munin Node Server....
mar 26 12:53:34 foo.example.com systemd[1]: Started Munin Node Server..
mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

mar 26 12:53:38 foo.example.com python[2593]: SELinux is preventing /usr/bin/perl from using the net_admin capability.

                                                   *****  Plugin catchall (100. confidence) suggests   **************************

                                                   If you believe that perl should have the net_admin capability by default.
                                                   Then you should report this as a bug.
                                                   You can generate a local policy module to allow this access.
                                                   Do
                                                   allow this access for now by executing:
                                                   # grep munin-node /var/log/audit/audit.log | audit2allow -M mypol
                                                   # semodule -i mypol.pp

Comment 9 d. johnson 2014-03-26 13:31:56 UTC
We need to know which plugin is causing this.  As above, the plugins I have listed above do not require net_admin.

For the record:  "fixfiles -R munin,munin-common,munin-node restore" will restore labels for just those packages.

Comment 10 Juan Orti 2014-03-26 14:23:05 UTC
I've deleted all the symbolic links in /etc/munin/plugins, restarted the service and the problem persists.

Comment 11 d. johnson 2014-03-26 23:17:23 UTC
Did you install perl modules outside of what Fedora provided, or install munin from source?

I am unable to reproduce the issue you are describing on clean / updated f20 systems, so I am very curious what makes your system different.

Comment 12 Juan Orti 2014-03-27 21:19:53 UTC
I've tried it on two other systems and I also can't reproduce it. So it must be some oddity in that system; I'll investigate it further.

You can close the bug, thank you.

Comment 13 Richard Shaw 2015-03-05 19:27:19 UTC
I'm having this problem on Fedora 21 x86_64...

Comment 14 d. johnson 2015-03-07 04:53:40 UTC
Richard- Please provide the versions and additional information to review.

Comment 15 Richard Shaw 2015-03-16 20:01:55 UTC
$ rpm -qa | grep munin
munin-node-2.0.25-1.fc21.noarch
munin-common-2.0.25-1.fc21.noarch
munin-2.0.25-1.fc21.noarch

Comment 16 d. johnson 2015-03-16 23:07:18 UTC
Richard- Perhaps it would be best if you would open a new bug report with your actual details in it.  So far, you have not provided enough to investigate.
