Description of problem: /usr/share/munin/plugins/mysql_ fails to do its checks with: Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85 Version-Release number of selected component (if applicable): munin-node-2.0.24-1.fc21.noarch How reproducible: Always Steps to Reproduce: 1. Configure links in /etc/munin/plugins mysql_connections -> /usr/share/munin/plugins/mysql_ 2. Configure /etc/munin/plugin-conf.d/mysql [mysql_*] env.mysqlconnection DBI:mysql:mysql env.mysqluser munin env.mysqlpassword mypassword 3. Query the plugin from the master node Actual results: 2014/11/14-13:20:03 [11632] Error output from mysql_innodb_bpool: 2014/11/14-13:20:03 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:03 [11632] Service 'mysql_innodb_bpool' exited with status 13/0. 2014/11/14-13:20:03 [11632] Error output from mysql_innodb_bpool: 2014/11/14-13:20:03 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:03 [11632] Service 'mysql_innodb_bpool' exited with status 13/0. 2014/11/14-13:20:03 [11632] Error output from mysql_innodb_tnx: 2014/11/14-13:20:03 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:03 [11632] Service 'mysql_innodb_tnx' exited with status 13/0. 2014/11/14-13:20:04 [11632] Error output from mysql_innodb_tnx: 2014/11/14-13:20:04 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:04 [11632] Service 'mysql_innodb_tnx' exited with status 13/0. 2014/11/14-13:20:04 [11632] Error output from mysql_innodb_log: 2014/11/14-13:20:04 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:04 [11632] Service 'mysql_innodb_log' exited with status 13/0. 2014/11/14-13:20:04 [11632] Error output from mysql_innodb_log: 2014/11/14-13:20:04 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:04 [11632] Service 'mysql_innodb_log' exited with status 13/0. 2014/11/14-13:20:05 [11632] Error output from mysql_innodb_semaphores: 2014/11/14-13:20:05 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:05 [11632] Service 'mysql_innodb_semaphores' exited with status 13/0. 2014/11/14-13:20:05 [11632] Error output from mysql_innodb_semaphores: 2014/11/14-13:20:05 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:05 [11632] Service 'mysql_innodb_semaphores' exited with status 13/0. 2014/11/14-13:20:06 [11632] Error output from bind9: 2014/11/14-13:20:06 [11632] Permission denied at /etc/munin/plugins/bind9 line 79. 2014/11/14-13:20:06 [11632] Service 'bind9' exited with status 13/0. 2014/11/14-13:20:07 [11632] Error output from mysql_innodb_insert_buf: 2014/11/14-13:20:07 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:07 [11632] Service 'mysql_innodb_insert_buf' exited with status 13/0. 2014/11/14-13:20:13 [11632] Error output from mysql_innodb_io_pend: 2014/11/14-13:20:13 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:13 [11632] Service 'mysql_innodb_io_pend' exited with status 13/0. 2014/11/14-13:20:15 [11632] Error output from mysql_innodb_io: 2014/11/14-13:20:15 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:15 [11632] Service 'mysql_innodb_io' exited with status 13/0. 2014/11/14-13:20:15 [11632] Error output from mysql_innodb_io: 2014/11/14-13:20:15 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:15 [11632] Service 'mysql_innodb_io' exited with status 13/0. 2014/11/14-13:20:15 [11632] Error output from mysql_files_tables: 2014/11/14-13:20:15 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:15 [11632] Service 'mysql_files_tables' exited with status 13/0. 2014/11/14-13:20:15 [11632] Error output from mysql_files_tables: 2014/11/14-13:20:15 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:15 [11632] Service 'mysql_files_tables' exited with status 13/0. 2014/11/14-13:20:16 [11632] Error output from mysql_commands: 2014/11/14-13:20:16 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:16 [11632] Service 'mysql_commands' exited with status 13/0. 2014/11/14-13:20:16 [11632] Error output from mysql_commands: 2014/11/14-13:20:16 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:16 [11632] Service 'mysql_commands' exited with status 13/0. 2014/11/14-13:20:17 [11632] Error output from mysql_myisam_indexes: 2014/11/14-13:20:17 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:17 [11632] Service 'mysql_myisam_indexes' exited with status 13/0. 2014/11/14-13:20:17 [11632] Error output from mysql_myisam_indexes: 2014/11/14-13:20:17 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:17 [11632] Service 'mysql_myisam_indexes' exited with status 13/0. 2014/11/14-13:20:19 [11632] Error output from mysql_slow: 2014/11/14-13:20:19 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:19 [11632] Service 'mysql_slow' exited with status 13/0. 2014/11/14-13:20:19 [11632] Error output from mysql_slow: 2014/11/14-13:20:19 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:19 [11632] Service 'mysql_slow' exited with status 13/0. 2014/11/14-13:20:19 [11632] Error output from mysql_tmp_tables: 2014/11/14-13:20:19 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:19 [11632] Service 'mysql_tmp_tables' exited with status 13/0. 2014/11/14-13:20:20 [11632] Error output from mysql_tmp_tables: 2014/11/14-13:20:20 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:20 [11632] Service 'mysql_tmp_tables' exited with status 13/0. 2014/11/14-13:20:20 [11632] Error output from mysql_bin_relay_log: 2014/11/14-13:20:20 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:20 [11632] Service 'mysql_bin_relay_log' exited with status 13/0. 2014/11/14-13:20:20 [11632] Error output from mysql_bin_relay_log: 2014/11/14-13:20:20 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:20 [11632] Service 'mysql_bin_relay_log' exited with status 13/0. 2014/11/14-13:20:21 [11632] Error output from mysql_replication: 2014/11/14-13:20:21 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:21 [11632] Service 'mysql_replication' exited with status 13/0. 2014/11/14-13:20:21 [11632] Error output from mysql_replication: 2014/11/14-13:20:21 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:21 [11632] Service 'mysql_replication' exited with status 13/0. 2014/11/14-13:20:22 [11632] Error output from mysql_qcache_mem: 2014/11/14-13:20:22 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:22 [11632] Service 'mysql_qcache_mem' exited with status 13/0. 2014/11/14-13:20:22 [11632] Error output from mysql_qcache_mem: 2014/11/14-13:20:22 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:22 [11632] Service 'mysql_qcache_mem' exited with status 13/0. 2014/11/14-13:20:23 [11632] Error output from mysql_connections: 2014/11/14-13:20:23 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:23 [11632] Service 'mysql_connections' exited with status 13/0. 2014/11/14-13:20:23 [11632] Error output from mysql_connections: 2014/11/14-13:20:23 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:23 [11632] Service 'mysql_connections' exited with status 13/0. 2014/11/14-13:20:23 [11632] Error output from mysql_table_locks: 2014/11/14-13:20:23 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:23 [11632] Service 'mysql_table_locks' exited with status 13/0. 2014/11/14-13:20:24 [11632] Error output from mysql_table_locks: 2014/11/14-13:20:24 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:24 [11632] Service 'mysql_table_locks' exited with status 13/0. 2014/11/14-13:20:24 [11632] Error output from mysql_sorts: 2014/11/14-13:20:24 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:24 [11632] Service 'mysql_sorts' exited with status 13/0. 2014/11/14-13:20:25 [11632] Error output from mysql_sorts: 2014/11/14-13:20:25 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:25 [11632] Service 'mysql_sorts' exited with status 13/0. 2014/11/14-13:20:25 [11632] Error output from mysql_qcache: 2014/11/14-13:20:25 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:25 [11632] Service 'mysql_qcache' exited with status 13/0. 2014/11/14-13:20:25 [11632] Error output from mysql_qcache: 2014/11/14-13:20:25 [11632] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2014/11/14-13:20:25 [11632] Service 'mysql_qcache' exited with status 13/0. Expected results: Graphs being generated
Is this a duplicate of: Bug 1140015 - Munin mysql plugin fails to parse MariaDB status ?
(In reply to d. johnson from comment #1) > Is this a duplicate of: > Bug 1140015 - Munin mysql plugin fails to parse MariaDB status ? No, it looks like a different problem.
Test with munin-2.0.25-2.fc21.noarch and see if that helps.
Hint: it might be an SELinux related issue, investing this right now.
Most likely is selinux: strace of process <pre> [pid 19353] semop(229381, {{1, 0, 0}, {2, 0, 0}, {2, 1, SEM_UNDO}}, 3) = 0 [pid 19353] shmat(65537, 0, 0) = ? [pid 19353] shmdt(0x7f1df423f000) = 0 [pid 19353] shmctl(65537, IPC_RMID, 0) = -1 EPERM (Operation not permitted) </pre> It gets hidden by some dontaudit rules (centos 6) <pre> sesearch --dontaudit | grep shm | grep munin dontaudit munin_plugin_domain nscd_t : nscd { shmempwd shmemgrp shmemhost getserv shmemserv } ; dontaudit munin_system_plugin_t nscd_t : nscd { shmempwd shmemgrp shmemhost getserv shmemserv } ; dontaudit munin_t nscd_t : nscd { shmempwd shmemgrp shmemhost getserv shmemserv } ; dontaudit httpd_munin_script_t nscd_t : nscd { shmempwd shmemgrp shmemhost getserv shmemserv } ; dontaudit munin_system_plugin_t nscd_t : nscd { shmempwd shmemgrp shmemhost getserv shmemserv } ; dontaudit munin_t nscd_t : nscd { shmempwd shmemgrp shmemhost getserv shmemserv } ; </pre>
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Still a problem in munin-node-2.0.40-2.fc28.noarch 2018/09/06-18:50:06 [6602] Error output from mysql_: 2018/09/06-18:50:06 [6602] Failed to create share at /usr/share/perl5/vendor_perl/Cache/SharedMemoryBackend.pm line 85. 2018/09/06-18:50:06 [6602] Service 'mysql_' exited with status 13/0. I get these AVCs: sep 06 18:55:05 server audit[7257]: AVC avc: denied { unix_read unix_write } for pid=7257 comm="mysql_" key=1667461225 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0 sep 06 18:55:05 server audit[7258]: AVC avc: denied { unix_read unix_write } for pid=7258 comm="mysql_" key=1667461225 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem permissive=0
Also affecting epel 7.
Created attachment 1483452 [details] Munin patch for rhel 7.5 apache policy Actually policy requires bits needed for nginx and uwsgi to work but intresting for this bug are munin parts. AVC messages are included in patch file.
Created attachment 1483453 [details] Munin patch for rhel 7.5 bind policy This patch contains parts needed to fix munin unbound_ plugin to work.
Created attachment 1483454 [details] Munin patch for rhel 7.5 munin policy
Created attachment 1483455 [details] Munin patch for rhel 7.5 tmpreaper policy Necessary patches to tmpreaper policy for munin master cleanup.
bug #1164245 includes necessary patch to fix this issue.
Actually bug #1426141 has a fix in these patches.
is: allow services_munin_plugin_t self:shm create_sem_perms; a typo and meant to be: allow services_munin_plugin_t self:shm create_shm_perms;
Not a typo, but actually you are right, create_sem_perms would be enough, that leaves out lock permission.
Hmh. You suggested other way around - I used minimum permission set required - create_sem_perms is more limited set but yes, create_shm_perms would of course work too.
I don't follow there being a super/subset relation, just other locations I've found these selinux rules, I see 'self:sem create_sem_perms' (already there for services_munin_plugin_t) and then 'self:shm create_shm_perms' so I assumed create_shm_perms was tied to self:shm in the same way create_sem_perms was tied to self:sem.
Actually - my patch didn't change those permissions - they are in original policy. But those "permission sets" are just names for list of permissions. There is no mistake.
Ok - found the list definition (at least in ref policy) - https://github.com/TresysTechnology/refpolicy/blob/master/policy/support/obj_perm_sets.spt#L131 Thanks for fixing this.
Since tmpreaper policy is being modified, including a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1636926 would be appropriate.
I don't understand, what you would like to allow in SELinux policy in this bug?
Patches included add support for munin plugins to several different selinux policy modules. Some patches include other stuff too but at the beginning there is AVC messages and you can find relevant changes to fix munin plugins to work with subsystems. For example apache policy includes fixes for uwsgi and nginx too but with AVCs you can easily find out changes which are relevant to munin. Problem is default fedora/rhel policies don't allow use of munin monitoring with selinux protection. I'm very sure these changes don't fix all problems out there, these are changes required for basic munin packaging to work and fixing some modules to work.
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.