Description of problem:
MRTG fails to run from cron, and mails errors to root.

Version-Release number of selected component (if applicable):
policy-1.9-5
mrtg-2.10.5-2.1

How reproducible:
100%

Steps to Reproduce:
1. Wait 5 minutes for mrtg cronjob to run
2. Check root mail
3.

Actual results:
From root@foo Sun Mar 21 23:25:02 2004
Date: Sun, 21 Mar 2004 23:25:00 -0500
From: root@foo (Cron Daemon)
To: root@foo
Subject: Cron <root@foo> /usr/bin/mrtg /etc/mrtg/mrtg.cfg
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>

Use of uninitialized value in string at /usr/bin/mrtg line 72.
Empty compile time value given to use lib at /usr/bin/mrtg line 72
Use of uninitialized value in concatenation (.) or string at /usr/bin/mrtg line 73.
Can't locate MRTG_lib.pm in @INC (@INC contains: /../lib/mrtg2 /usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3 /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/bin/mrtg line 78.
BEGIN failed--compilation aborted at /usr/bin/mrtg line 78.

Expected results:

Additional info:
It appears that some magic is used to find the MRTG_lib.pm:

use FindBin;
use lib "${FindBin::Bin}";
use lib "${FindBin::Bin}${main::SL}..${main::SL}lib${main::SL}mrtg2";

which appears to expand to: /../lib/mrtg2 when run from cron.

Running from root:sysadmin_r:sysadm_t works, of course.

Does /usr/lib/mrtg2 need to be relabelled?

[root@foo root]# ls --lcontext -d /usr/lib/mrtg2
drwxr-xr-x 3 system_u:object_r:lib_t root root 4096 Mar 21 22:18 /usr/lib/mrtg2
[root@foo root]# ls --lcontext /usr/lib/mrtg2
total 424
-rw-r--r-- 1 system_u:object_r:lib_t root root 26178 Mar 12 14:26 BER.pm
-rw-r--r-- 1 system_u:object_r:lib_t root root 218921 Mar 12 14:26 locales_mrtg.pm
-rw-r--r-- 1 system_u:object_r:lib_t root root 69261 Mar 12 14:26 MRTG_lib.pm
drwxr-xr-x 2 system_u:object_r:lib_t root root 4096 Mar 21 22:18 Pod
-rw-r--r-- 1 system_u:object_r:lib_t root root 33720 Mar 12 14:26 SNMP_Session.pm
-rw-r--r-- 1 system_u:object_r:lib_t root root 38889 Mar 12 14:26 SNMP_util.pm

AVC messages when attempting to run /usr/bin/mrtg from user account:

audit(1079943080.358:0): avc: denied { getattr } for pid=3637 exe=/usr/bin/perl path=/usr/lib/mrtg2 dev=hda6 ino=870680 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mrtg_exec_t tclass=dir
audit(1079943080.358:0): avc: denied { search } for pid=3637 exe=/usr/bin/perl name=mrtg2 dev=hda6 ino=870680 scontext=user_u:user_r:user_t tcontext=system_u:object_r:mrtg_exec_t tclass=dir
I can confirm the messages to root about mrtg failing. This happens only with SELinux active.
Can you attach your mrtg.cfg? Have you changed it at all since the rpm install?
I have not changed it from the mrtg.cfg that is included in the rpm install. Users who install mrtg, but do not configure/use it, will get the above e-mail to root every 5 minutes.
Ok, I can reproduce this now - I had an older version of mrtg and policy installed. So this is actually a regression.
I'm pretty sure now this is a bug in FindBin...let me see if I can come up with a patch.
Created attachment 98855: Fix findbin when access to cwd is denied
Reassigning to Perl.
For the perl maintainer - the issue here is that mrtg runs in a restricted domain, mrtg_t. This domain doesn't have access to the system administrator's home directory. However, the mrtg cron job starts in this directory. The FindBin perl module was calling abspath on the detected "bin" directory, which itself looked at the cwd. Since access failed, it immediately returned undef. This caused the bin directory to not be detected. The above patch fixes the FindBin perl module to only call abspath if the path isn't already absolute.
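
The lookup described in the comment above, modelled as an added example (it is not FindBin's code and not the attached patch). The function names `bin_always_abspath` and `bin_guarded` are hypothetical, and a removed temporary directory stands in for the SELinux denial of the cron job's working directory; it shows how an undetected bin directory yields the `/../lib/mrtg2` entry seen in the reported @INC.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd ();
use File::Spec;
use File::Temp ();

# Old behaviour as the comment describes it: always resolve through the
# current directory, and give up when that lookup fails.
sub bin_always_abspath {
    my ($dir) = @_;
    my $cwd = Cwd::getcwd();
    return unless defined $cwd;    # cwd unreadable: bin not detected
    return File::Spec->canonpath(File::Spec->rel2abs($dir, $cwd));
}

# Fixed behaviour as the comment describes it: an absolute path never needs
# the current directory, so only relative paths consult it.
sub bin_guarded {
    my ($dir) = @_;
    return File::Spec->canonpath($dir)
        if File::Spec->file_name_is_absolute($dir);
    return bin_always_abspath($dir);
}

# Constructed stand-in for the SELinux denial (Linux behaviour): sit in a
# directory that no longer exists, so getcwd() returns undef.
my $gone = File::Temp::tempdir();
chdir $gone or die "chdir $gone: $!";
rmdir $gone or die "rmdir $gone: $!";

for my $case (['always abspath', \&bin_always_abspath],
              ['guarded',        \&bin_guarded]) {
    my ($label, $resolve) = @$case;
    my $bin = $resolve->('/usr/bin');    # scalar context: undef on failure
    # Same shape as mrtg's "use lib" line, with SL fixed to "/".
    my $lib = (defined $bin ? $bin : '') . '/../lib/mrtg2';
    printf "%-15s bin=%-9s lib=%s\n",
        $label, (defined $bin ? $bin : 'undef'), $lib;
}
```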
Uploaded perl 3:5.8.3-17