Bug 1126538 - SELinux blocks Munin plugin 'yum' from executing yum
Summary: SELinux blocks Munin plugin 'yum' from executing yum
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-04 16:57 UTC by Gabriele Pohl
Modified: 2015-07-22 07:08 UTC (History)

Fixed In Version: selinux-policy-3.7.19-261.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-22 07:08:13 UTC


Attachments
content of .te file, which was created with audit2allow fed with the log messages (1.36 KB, text/plain), 2014-08-04 17:01 UTC, Gabriele Pohl


Links
System: Red Hat Product Errata
ID: RHBA-2015:1375
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2015-07-20 18:07:47 UTC

Description Gabriele Pohl 2014-08-04 16:57:59 UTC
Description of problem:

The plugin calls yum to check for updates. This results in a lot of AVC denials.

Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-231.el6_5.3.noarch

How reproducible:

Set up a cron job in /etc/cron.d/munin that is intended to fill the state file:

30 */6 * * * root /usr/sbin/munin-run yum update


Actual results:

type=AVC msg=audit(1407169681.384:992): avc:  denied  { execute } for  pid=15029 comm="yum" name="yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=AVC msg=audit(1407169681.384:992): avc:  denied  { read open } for  pid=15029 comm="yum" name="yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=AVC msg=audit(1407169681.384:992): avc:  denied  { execute_no_trans } for  pid=15029 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1407169681.384:992): arch=c000003e syscall=59 success=yes exit=0 a0=7fff99048825 a1=19cfd80 a2=19bd110 a3=7fff99048660 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.394:993): avc:  denied  { getattr } for  pid=15029 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1407169681.394:993): arch=c000003e syscall=6 success=yes exit=0 a0=7fffadae20d0 a1=7fffadadefd0 a2=7fffadadefd0 a3=7fffadadee20 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.394:994): avc:  denied  { ioctl } for  pid=15029 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1407169681.394:994): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffadae3050 a3=7fffadae2ea0 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.464:995): avc:  denied  { open } for  pid=15029 comm="yum" name="Packages" dev=dm-2 ino=131079 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1407169681.464:995): arch=c000003e syscall=2 success=yes exit=3 a0=104cd20 a1=0 a2=0 a3=16 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.465:996): avc:  denied  { open } for  pid=15029 comm="yum" name="uuid" dev=dm-2 ino=131090 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1407169681.465:996): arch=c000003e syscall=2 success=yes exit=3 a0=13611b0 a1=0 a2=1b6 a3=0 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.466:997): avc:  denied  { getattr } for  pid=15029 comm="yum" path="/dev/log" dev=devtmpfs ino=11049 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1407169681.466:997): arch=c000003e syscall=4 success=yes exit=0 a0=13611b0 a1=7fffadae1b20 a2=7fffadae1b20 a3=20 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.466:998): avc:  denied  { create } for  pid=15029 comm="yum" scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

type=SYSCALL msg=audit(1407169681.466:998): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=2 a2=0 a3=7fffadae0bb8 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.466:999): avc:  denied  { connect } for  pid=15029 comm="yum" scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

type=AVC msg=audit(1407169681.466:999): avc:  denied  { write } for  pid=15029 comm="yum" name="log" dev=devtmpfs ino=11049 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file

type=AVC msg=audit(1407169681.466:999): avc:  denied  { sendto } for  pid=15029 comm="yum" path="/dev/log" scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket

type=SYSCALL msg=audit(1407169681.466:999): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fffadae12f0 a2=a a3=7fffadae1018 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.487:1000): avc:  denied  { write } for  pid=15029 comm="yum" name="6" dev=dm-2 ino=9659 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir

type=AVC msg=audit(1407169681.487:1000): avc:  denied  { add_name } for  pid=15029 comm="yum" name="yum.pid" scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir

type=AVC msg=audit(1407169681.487:1000): avc:  denied  { create } for  pid=15029 comm="yum" name="yum.pid" scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1407169681.487:1000): arch=c000003e syscall=2 success=yes exit=4 a0=15c92a0 a1=c1 a2=1a4 a3=7fffadae22d8 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169681.538:1001): avc:  denied  { name_connect } for  pid=15029 comm="yum" dest=443 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1407169681.538:1001): arch=c000003e syscall=42 success=no exit=-115 a0=5 a1=7fffadadf1b0 a2=10 a3=0 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169682.855:1002): avc:  denied  { remove_name } for  pid=15029 comm="yum" name="metalink.xml.tmp" dev=dm-2 ino=9731 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir

type=AVC msg=audit(1407169682.855:1002): avc:  denied  { rename } for  pid=15029 comm="yum" name="metalink.xml.tmp" dev=dm-2 ino=9731 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file

type=AVC msg=audit(1407169682.855:1002): avc:  denied  { unlink } for  pid=15029 comm="yum" name="metalink.xml" dev=dm-2 ino=9741 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1407169682.855:1002): arch=c000003e syscall=82 success=yes exit=0 a0=17d0290 a1=1703260 a2=7ff5beff9a08 a3=2f362f34365f3638 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169682.922:1003): avc:  denied  { read } for  pid=15029 comm="yum" name="base" dev=dm-2 ino=9662 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir

type=SYSCALL msg=audit(1407169682.922:1003): arch=c000003e syscall=2 success=yes exit=4 a0=16f2530 a1=90800 a2=0 a3=2f362f34365f3638 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169682.924:1004): avc:  denied  { setattr } for  pid=15029 comm="yum" name="repomd.xml.old.tmp" dev=dm-2 ino=9732 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_script_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1407169682.924:1004): arch=c000003e syscall=235 success=yes exit=0 a0=1702ef0 a1=7fffadae0340 a2=7ff5beff9a08 a3=7fffadae00c0 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169684.625:1005): avc:  denied  { read } for  pid=15029 comm="yum" name="/" dev=vda1 ino=2 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir

type=SYSCALL msg=audit(1407169684.625:1005): arch=c000003e syscall=2 success=yes exit=12 a0=4e6ca30 a1=90800 a2=0 a3=20 items=0 ppid=15028 pid=15029 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169684.702:1006): avc:  denied  { execute } for  pid=15214 comm="yum" name="yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=AVC msg=audit(1407169684.702:1006): avc:  denied  { read open } for  pid=15214 comm="yum" name="yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=AVC msg=audit(1407169684.702:1006): avc:  denied  { execute_no_trans } for  pid=15214 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1407169684.702:1006): arch=c000003e syscall=59 success=yes exit=0 a0=7fff99048825 a1=19d28d0 a2=19bd110 a3=7fff99048660 items=0 ppid=15028 pid=15214 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169684.713:1007): avc:  denied  { getattr } for  pid=15214 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1407169684.713:1007): arch=c000003e syscall=6 success=yes exit=0 a0=7fff4c5baa40 a1=7fff4c5b7940 a2=7fff4c5b7940 a3=7fff4c5b7790 items=0 ppid=15028 pid=15214 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1407169684.713:1008): avc:  denied  { ioctl } for  pid=15214 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1407169684.713:1008): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff4c5bb9c0 a3=7fff4c5bb810 items=0 ppid=15028 pid=15214 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=128 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)


Expected results:

check for updates with yum should work


Additional info:
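Before feeding records like the ones above straight into audit2allow, it helps to triage them: group the denials by source domain, target type and object class, merge the permission sets, and check whether each denial was actually enforced or only logged (an "avc: denied" paired with a SYSCALL record that says success=yes, as in serial 992 above, means the access went through, which is what permissive mode or a permissive domain produces). The script below is an added example written for this report; it is not code from the report, from Munin or from the selinux-policy package. The sample records are abridged copies of a few lines from "Actual results" (constructed, with unrelated SYSCALL fields dropped), and the execute_no_trans finding it prints is the condition behind the suggestion in the comments that yum needs its own domain: the plugin ran /usr/bin/yum inside munin_system_plugin_t because no transition rule existed.

```python
"""Triage SELinux AVC denials from audit.log: group them by (source domain,
target type, object class), merge the permission sets, and say whether each
denial was enforced or only logged."""
import re
from collections import defaultdict

# Constructed sample: five records abridged from the bug report's "Actual
# results" (irrelevant SYSCALL fields dropped). Not a full capture.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1407169681.384:992): avc:  denied  { execute } for  pid=15029 comm="yum" name="yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1407169681.384:992): avc:  denied  { execute_no_trans } for  pid=15029 comm="yum" path="/usr/bin/yum" dev=dm-0 ino=8257 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1407169681.384:992): arch=c000003e syscall=59 success=yes exit=0 pid=15029 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1407169681.538:1001): avc:  denied  { name_connect } for  pid=15029 comm="yum" dest=443 scontext=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1407169681.538:1001): arch=c000003e syscall=42 success=no exit=-115 pid=15029 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:munin_system_plugin_t:s0-s0:c0.c1023 key=(null)
"""

HEAD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]*) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_records(text):
    """Yield one dict per audit record: type, serial, key=value fields,
    and for AVC records the list of denied permissions."""
    for line in text.splitlines():
        m = HEAD_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m["type"], "serial": m["serial"]}
        rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m["body"]))
        if rec["type"] == "AVC":
            p = PERMS_RE.search(m["body"])
            rec["perms"] = p["perms"].split() if p else []
        yield rec


def summarize_denials(text):
    """{(source_type, target_type, tclass): sorted permission list}"""
    groups = defaultdict(set)
    for rec in parse_records(text):
        if rec["type"] == "AVC" and rec.get("perms"):
            key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def enforcement_status(text):
    """Per audit serial: was the denied access blocked, or only logged?
    A denial whose SYSCALL record says success=yes was not enforced
    (permissive mode or permissive domain). A failing syscall is only
    attributable to SELinux when exit is -13 (EACCES); other errnos, e.g.
    -115 EINPROGRESS on a non-blocking connect, are unrelated."""
    denied, syscalls = set(), {}
    for rec in parse_records(text):
        if rec["type"] == "AVC" and rec.get("perms"):
            denied.add(rec["serial"])
        elif rec["type"] == "SYSCALL":
            syscalls[rec["serial"]] = rec
    status = {}
    for serial in sorted(denied, key=int):
        sc = syscalls.get(serial)
        if sc is None:
            status[serial] = "unknown (no SYSCALL record)"
        elif sc["success"] == "yes":
            status[serial] = "logged only (syscall succeeded)"
        elif sc["exit"] == "-13":
            status[serial] = "blocked (EACCES)"
        else:
            status[serial] = "failed with exit=%s (not attributable to SELinux)" % sc["exit"]
    return status


def findings(summary):
    """Flag execute_no_trans denials: the caller's domain ran a labelled
    binary without a domain transition, so the child inherits the caller's
    confinement instead of getting a domain of its own."""
    out = []
    for (src, tgt, cls), perms in summary.items():
        if cls == "file" and "execute_no_trans" in perms:
            out.append("%s executes %s in its own domain: no transition rule exists" % (src, tgt))
    return out


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT)
    for key, perms in sorted(summary.items()):
        print("%-24s -> %-12s %-10s %s" % (key[0], key[1], key[2], " ".join(perms)))
    for serial, state in enforcement_status(SAMPLE_AUDIT).items():
        print("serial %s: %s" % (serial, state))
    for f in findings(summary):
        print("finding:", f)
```

Run it against a real file with `summarize_denials(open("/var/log/audit/audit.log").read())`; the grouped output is what you compare against the policy before deciding whether a denial is a missing rule, a mislabelled file, or a process that should have transitioned to another domain.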

Comment 1 Gabriele Pohl 2014-08-04 17:01:57 UTC
Created attachment 923966 [details]
content of .te file, which was created with audit2allow fed with the log messages

Comment 3 Miroslav Grepl 2014-09-09 07:28:26 UTC
Lukas,
maybe we want to think about a new plugin domain for yum.

Comment 4 Miroslav Grepl 2015-03-02 13:27:41 UTC
commit eaa09c8026354cb149c35d972302c6ad71105ca8
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Mar 2 14:27:14 2015 +0100

    Make munin yum plugin as unconfined by default.

Comment 9 errata-xmlrpc 2015-07-22 07:08:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

