Bug 118877 - MRTG fails to run from cron.
MRTG fails to run from cron.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: perl (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Chip Turner
: SELinux
Depends On:
Blocks: FC2Blocker
  Show dependency treegraph
 
Reported: 2004-03-22 02:39 EST by Charles R. Anderson
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-03 15:34:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix findbin when access to cwd is denied (526 bytes, patch)
2004-03-25 14:39 EST, Colin Walters
no flags Details | Diff

  None (edit)
Description Charles R. Anderson 2004-03-22 02:39:58 EST
Description of problem:

MRTG fails to run from cron, and mails errors to root.

Version-Release number of selected component (if applicable):

policy-1.9-5
mrtg-2.10.5-2.1

How reproducible:

100%

Steps to Reproduce:
1. Wait 5 minutes for mrtg cronjob to run
2. Check root mail
3.
  
Actual results:

From root@foo  Sun Mar 21 23:25:02 2004
Date: Sun, 21 Mar 2004 23:25:00 -0500
From: root@foo (Cron Daemon)
To: root@foo
Subject: Cron <root@foo> /usr/bin/mrtg /etc/mrtg/mrtg.cfg
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>

Use of uninitialized value in string at /usr/bin/mrtg line 72.
Empty compile time value given to use lib at /usr/bin/mrtg line 72
Use of uninitialized value in concatenation (.) or string at
/usr/bin/mrtg line 73.
Can't locate MRTG_lib.pm in @INC (@INC contains: /../lib/mrtg2 
/usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2
/usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0
/usr/lib/perl5/vendor_perl .) at /usr/bin/mrtg line 78.
BEGIN failed--compilation aborted at /usr/bin/mrtg line 78.


Expected results:

Additional info:

It appears that some magic is used to find the MRTG_lib.pm:

use FindBin;
use lib "${FindBin::Bin}";
use lib "${FindBin::Bin}${main::SL}..${main::SL}lib${main::SL}mrtg2";

which appears to expand to:

/../lib/mrtg2

when run from cron.  Running from root:sysadmin_r:sysadm_t works, of
course.  Does /usr/lib/mrtg2 need to be relabelled?

[root@foo root]# ls --lcontext -d /usr/lib/mrtg2
drwxr-xr-x  3 system_u:object_r:lib_t          root root 4096 Mar 21
22:18 /usr/lib/mrtg2

[root@foo root]# ls --lcontext /usr/lib/mrtg2
total 424
-rw-r--r--  1 system_u:object_r:lib_t          root root  26178 Mar 12
14:26 BER.pm
-rw-r--r--  1 system_u:object_r:lib_t          root root 218921 Mar 12
14:26 locales_mrtg.pm
-rw-r--r--  1 system_u:object_r:lib_t          root root  69261 Mar 12
14:26 MRTG_lib.pm
drwxr-xr-x  2 system_u:object_r:lib_t          root root   4096 Mar 21
22:18 Pod
-rw-r--r--  1 system_u:object_r:lib_t          root root  33720 Mar 12
14:26 SNMP_Session.pm
-rw-r--r--  1 system_u:object_r:lib_t          root root  38889 Mar 12
14:26 SNMP_util.pm
Comment 1 Charles R. Anderson 2004-03-22 03:08:43 EST
AVC messages when attempting to run /usr/bin/mrtg from user account:

audit(1079943080.358:0): avc:  denied  { getattr } for  pid=3637
exe=/usr/bin/perl path=/usr/lib/mrtg2 dev=hda6 ino=870680
scontext=user_u:user_r:user_t tcontext=system_u:object_r:mrtg_exec_t
tclass=dir
audit(1079943080.358:0): avc:  denied  { search } for  pid=3637
exe=/usr/bin/perl name=mrtg2 dev=hda6 ino=870680
scontext=user_u:user_r:user_t tcontext=system_u:object_r:mrtg_exec_t
tclass=dir
Comment 2 Jim Cornette 2004-03-23 06:54:48 EST
I can confirm the messages to root about mrtg failing. This happens
only with SELinux active.
Comment 3 Colin Walters 2004-03-24 14:18:20 EST
Can you attach your mrtg.cfg?  Have you changed it at all since the
rpm install?
Comment 4 Charles R. Anderson 2004-03-24 15:57:39 EST
I have not changed it from the mrtg.cfg that is included in the rpm
install.  Users who install mrtg, but do not configure/use it, will
get the above e-mail to root every 5 minutes.
Comment 5 Colin Walters 2004-03-24 16:15:48 EST
Ok, I can reproduce this now - I had an older version of mrtg and
policy installed.  So this is actually a regression.
Comment 6 Colin Walters 2004-03-24 18:28:47 EST
I'm pretty sure now this is a bug in FindBin...let me see if I can
come up with a patch.
Comment 7 Colin Walters 2004-03-25 14:39:33 EST
Created attachment 98855 [details]
Fix findbin when access to cwd is denied
Comment 8 Colin Walters 2004-03-25 14:40:17 EST
Reassigning to Perl.
Comment 9 Colin Walters 2004-03-25 14:44:18 EST
For the perl maintainer - the issue here is that mrtg runs in a
restricted domain, mrtg_t.  This domain doesn't have access to the
system administrator's home directory.  However, the mrtg cron job
starts in this directory.  

The FindBin perl module was calling abspath on the detected "bin"
directory, which itself looked at the cwd.  Since access failed, it
immediately returned undef.  This caused the bin directory to not be
detected.

The above patch fixes the FindBin perl module to only call abspath if
the path isn't already absolute.
Comment 10 Colin Walters 2004-04-03 15:34:48 EST
Uploaded perl 3:5.8.3-17

Note You need to log in before you can comment on or make changes to this bug.