118877 – MRTG fails to run from cron.

Bug 118877 - MRTG fails to run from cron.

Summary: MRTG fails to run from cron.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	perl
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Chip Turner
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	FC2Blocker
TreeView+	depends on / blocked

Reported:	2004-03-22 07:39 UTC by Charles R. Anderson
Modified:	2007-11-30 22:10 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-04-03 20:34:48 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Fix findbin when access to cwd is denied (526 bytes, patch) 2004-03-25 19:39 UTC, Colin Walters	no flags	Details \| Diff
View All

Description Charles R. Anderson 2004-03-22 07:39:58 UTC

Description of problem:

MRTG fails to run from cron, and mails errors to root.

Version-Release number of selected component (if applicable):

policy-1.9-5
mrtg-2.10.5-2.1

How reproducible:

100%

Steps to Reproduce:
1. Wait 5 minutes for mrtg cronjob to run
2. Check root mail
3.
  
Actual results:

From root@foo  Sun Mar 21 23:25:02 2004
Date: Sun, 21 Mar 2004 23:25:00 -0500
From: root@foo (Cron Daemon)
To: root@foo
Subject: Cron <root@foo> /usr/bin/mrtg /etc/mrtg/mrtg.cfg
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>

Use of uninitialized value in string at /usr/bin/mrtg line 72.
Empty compile time value given to use lib at /usr/bin/mrtg line 72
Use of uninitialized value in concatenation (.) or string at
/usr/bin/mrtg line 73.
Can't locate MRTG_lib.pm in @INC (@INC contains: /../lib/mrtg2 
/usr/lib/perl5/5.8.3/i386-linux-thread-multi /usr/lib/perl5/5.8.3
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2
/usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0
/usr/lib/perl5/vendor_perl .) at /usr/bin/mrtg line 78.
BEGIN failed--compilation aborted at /usr/bin/mrtg line 78.


Expected results:

Additional info:

It appears that some magic is used to find the MRTG_lib.pm:

use FindBin;
use lib "${FindBin::Bin}";
use lib "${FindBin::Bin}${main::SL}..${main::SL}lib${main::SL}mrtg2";

which appears to expand to:

/../lib/mrtg2

when run from cron.  Running from root:sysadmin_r:sysadm_t works, of
course.  Does /usr/lib/mrtg2 need to be relabelled?

[root@foo root]# ls --lcontext -d /usr/lib/mrtg2
drwxr-xr-x  3 system_u:object_r:lib_t          root root 4096 Mar 21
22:18 /usr/lib/mrtg2

[root@foo root]# ls --lcontext /usr/lib/mrtg2
total 424
-rw-r--r--  1 system_u:object_r:lib_t          root root  26178 Mar 12
14:26 BER.pm
-rw-r--r--  1 system_u:object_r:lib_t          root root 218921 Mar 12
14:26 locales_mrtg.pm
-rw-r--r--  1 system_u:object_r:lib_t          root root  69261 Mar 12
14:26 MRTG_lib.pm
drwxr-xr-x  2 system_u:object_r:lib_t          root root   4096 Mar 21
22:18 Pod
-rw-r--r--  1 system_u:object_r:lib_t          root root  33720 Mar 12
14:26 SNMP_Session.pm
-rw-r--r--  1 system_u:object_r:lib_t          root root  38889 Mar 12
14:26 SNMP_util.pm

Comment 1 Charles R. Anderson 2004-03-22 08:08:43 UTC

AVC messages when attempting to run /usr/bin/mrtg from user account:

audit(1079943080.358:0): avc:  denied  { getattr } for  pid=3637
exe=/usr/bin/perl path=/usr/lib/mrtg2 dev=hda6 ino=870680
scontext=user_u:user_r:user_t tcontext=system_u:object_r:mrtg_exec_t
tclass=dir
audit(1079943080.358:0): avc:  denied  { search } for  pid=3637
exe=/usr/bin/perl name=mrtg2 dev=hda6 ino=870680
scontext=user_u:user_r:user_t tcontext=system_u:object_r:mrtg_exec_t
tclass=dir

Comment 2 Jim Cornette 2004-03-23 11:54:48 UTC

I can confirm the messages to root about mrtg failing. This happens
only with SELinux active.

Comment 3 Colin Walters 2004-03-24 19:18:20 UTC

Can you attach your mrtg.cfg?  Have you changed it at all since the
rpm install?

Comment 4 Charles R. Anderson 2004-03-24 20:57:39 UTC

I have not changed it from the mrtg.cfg that is included in the rpm
install.  Users who install mrtg, but do not configure/use it, will
get the above e-mail to root every 5 minutes.

Comment 5 Colin Walters 2004-03-24 21:15:48 UTC

Ok, I can reproduce this now - I had an older version of mrtg and
policy installed.  So this is actually a regression.

Comment 6 Colin Walters 2004-03-24 23:28:47 UTC

I'm pretty sure now this is a bug in FindBin...let me see if I can
come up with a patch.

Comment 7 Colin Walters 2004-03-25 19:39:33 UTC

Created attachment 98855 [details]
Fix findbin when access to cwd is denied

Comment 8 Colin Walters 2004-03-25 19:40:17 UTC

Reassigning to Perl.

Comment 9 Colin Walters 2004-03-25 19:44:18 UTC

For the perl maintainer - the issue here is that mrtg runs in a
restricted domain, mrtg_t.  This domain doesn't have access to the
system administrator's home directory.  However, the mrtg cron job
starts in this directory.  

The FindBin perl module was calling abspath on the detected "bin"
directory, which itself looked at the cwd.  Since access failed, it
immediately returned undef.  This caused the bin directory to not be
detected.

The above patch fixes the FindBin perl module to only call abspath if
the path isn't already absolute.

Comment 10 Colin Walters 2004-04-03 20:34:48 UTC

Uploaded perl 3:5.8.3-17

Note You need to log in before you can comment on or make changes to this bug.