Bug 1266106 - SELinux is preventing /usr/bin/perl from using the 'execmem' accesses on a process.
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: munin
Version: 22
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: d. johnson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:90e45505d9f98eec17de9fb90bf...
Depends On:
Blocks:
 
Reported: 2015-09-24 13:33 UTC by zimon
Modified: 2015-10-15 19:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-15 19:38:51 UTC
Type: ---
Embargoed:



Description zimon 2015-09-24 13:33:25 UTC
Description of problem:
Happens when the machine boots up.
SELinux is preventing /usr/bin/perl from using the 'execmem' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed execmem access on processes labeled munin_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep munin-update /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        munin-update
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.18.4-309.fc21.x86_64
                              perl-5.20.3-327.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.21.fc21.noarch selinux-
                              policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-100.fc21.x86_64 #1 SMP Mon
                              Sep 14 21:46:00 UTC 2015 x86_64 x86_64
Alert Count                   203
First Seen                    2015-09-23 21:45:02 EEST
Last Seen                     2015-09-24 16:30:01 EEST
Local ID                      a96db411-d8c9-4cb6-8047-277d7c3a2924

Raw Audit Messages
type=AVC msg=audit(1443101401.774:2241): avc:  denied  { execmem } for  pid=7999 comm="munin-update" scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tclass=process permissive=0


type=SYSCALL msg=audit(1443101401.774:2241): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f849c464000 a1=33000 a2=7 a3=47e items=0 ppid=7998 pid=7999 auid=478 uid=478 gid=465 euid=478 suid=478 fsuid=478 egid=465 sgid=465 fsgid=465 tty=(none) ses=140 comm=munin-update exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)

Hash: munin-update,munin_t,munin_t,process,execmem

Version-Release number of selected component:
selinux-policy-3.13.1-105.21.fc21.noarch
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-100.fc21.x86_64
type:           libreport

Potential duplicate: bug 913294
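Added example (not part of this report or of setroubleshoot): a small parser that correlates the AVC and SYSCALL records quoted above by their audit serial and decodes the mprotect arguments. It shows that a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC requested on a 0x33000-byte region, which is exactly what the execmem check covers (making writable anonymous or private memory executable), and it prints the policy rule the suggested audit2allow command would generate, so the scope of that rule (the whole munin_t domain) is visible before anyone installs it. The sample text is a copy of the two records from this report; the record layout and field names are standard Linux audit output, the rest is the example's own code.

```python
import re
from typing import Dict, List

# Constructed sample: the two raw audit records quoted in this report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1443101401.774:2241): avc:  denied  { execmem } for  pid=7999 comm="munin-update" scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1443101401.774:2241): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f849c464000 a1=33000 a2=7 a3=47e items=0 ppid=7998 pid=7999 auid=478 uid=478 gid=465 euid=478 suid=478 fsuid=478 egid=465 sgid=465 fsgid=465 tty=(none) ses=140 comm=munin-update exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)
"""

# mprotect() protection bits from <sys/mman.h> on Linux.
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_record(line: str) -> Dict[str, object]:
    """Split one audit record into key/value pairs.

    The timestamp and serial come from msg=audit(ts:serial); the AVC
    permission set ("{ execmem }") is stored as a list under 'perms'.
    """
    rec: Dict[str, object] = {}
    m = MSG_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    p = PERMS_RE.search(line)
    if p:
        rec["perms"] = p.group(1).split()
    for key, value in FIELD_RE.findall(line):
        rec[key] = value.strip('"')
    return rec


def decode_prot(hexval: str) -> List[str]:
    """Turn the hex 'a2' argument of mprotect into PROT_* names."""
    n = int(hexval, 16)
    names = [name for bit, name in sorted(PROT_FLAGS.items()) if n & bit]
    return names or ["PROT_NONE"]


def analyze(audit_text: str) -> List[Dict[str, object]]:
    """Pair each AVC record with the SYSCALL record of the same serial.

    For an execmem denial on class 'process' the returned finding also
    carries the TE rule that 'audit2allow' would emit for it, so the reader
    can see that it applies to every process in the domain, not to one PID.
    """
    by_serial: Dict[str, List[Dict[str, object]]] = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(str(rec.get("serial")), []).append(rec)

    findings = []
    for serial, recs in by_serial.items():
        avc = next((r for r in recs if r.get("type") == "AVC"), None)
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if avc is None:
            continue
        scontext = str(avc["scontext"])
        domain = scontext.split(":")[2]          # user:role:TYPE:range -> TYPE
        finding: Dict[str, object] = {
            "serial": serial,
            "perms": avc["perms"],
            "domain": domain,
            "tclass": avc["tclass"],
            "enforced": avc.get("permissive") == "0",
        }
        if sc is not None and sc.get("syscall") == "mprotect":
            # mprotect(addr=a0, len=a1, prot=a2); a3 is not an argument here.
            finding["syscall"] = "mprotect"
            finding["addr"] = "0x" + str(sc["a0"])
            finding["length"] = int(str(sc["a1"]), 16)
            finding["prot"] = decode_prot(str(sc["a2"]))
            finding["exe"] = sc.get("exe")
            finding["success"] = sc.get("success") == "yes"
            # W+X on the same region is what the execmem permission gates.
            finding["w_plus_x"] = {"PROT_WRITE", "PROT_EXEC"} <= set(finding["prot"])
        if "execmem" in avc["perms"] and avc["tclass"] == "process" \
                and avc["scontext"] == avc["tcontext"]:
            finding["audit2allow_rule"] = f"allow {domain} self:process execmem;"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f)
```

Run against the quoted records this reports one finding: an enforced denial of execmem in munin_t, caused by /usr/bin/perl calling mprotect with PROT_READ|PROT_WRITE|PROT_EXEC on 0x33000 bytes, and the rule `allow munin_t self:process execmem;`. That rule is what the `audit2allow -M mypol` step in the description installs; it disables the W^X restriction for everything running as munin_t, so it is worth confirming first that the system's packages and file labels are consistent, as the maintainer asks further down.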

Comment 1 Miroslav Grepl 2015-10-12 12:04:42 UTC
http://www.akkadia.org/drepper/selinux-mem.html

Comment 2 d. johnson 2015-10-12 14:11:10 UTC
Why does it show a duplicate of selinux-policy?  Both f21 and f22.

What version of munin is this related to?

If this system was fedup from f21->f22 you will need to correct your labels for the system.

Comment 3 zimon 2015-10-13 18:19:54 UTC
@johnson: Because I had a broken mixed F21 & F22 system after "dnf system-upgrade". See the bug 1266683.

So there were both F21 and F22 version of packages installed for every software.

I upgraded then to F23 (beta), but still those 'execmem' exceptions come. 
Libreport (abrt-applet) for some reason did not recognize that this bug was already reported, but created a new one (bug 1268948) for F23.

Comment 4 d. johnson 2015-10-14 03:35:30 UTC
You will need to clean up your system sufficiently so that someone else can reproduce the problem.

"Bug 1266683 - dnf system-upgrade fails to upgrade cleanly and dnf distro-sync fails to do what is intends to do, downgrade some packages." was CLOSED:CANTFIX.

This package in particular indicates that you have an indeterminate selinux policy.  This is directly related to this bug report.

After you fix your installed packages, you will need to correct your labels.

Again, what version of munin is this related to for this F22 box?  If this is the same, but your f22 box no longer runs f22, then this bug report can simply be closed.

Comment 5 zimon 2015-10-15 19:38:51 UTC
The versions were:
 munin.noarch 2.0.25-2.fc21
 munin-common.noarch 2.0.25-2.fc21
 munin-node.noarch 2.0.25-2.fc21
I see this from /var/log/dnf.log

They were installed on 2015-09-03 and those AVCs started on 2015-09-23 when I tried to upgrade from F21 to F22, but it went somehow wrong and the system never recovered.

Those SELinux AVCs may be caused by the weird state of the system being between F21 and F22, which started on 2015-09-23.

And no, I do not have this system as F21 or F22 anymore, it is upgraded to F23.
The F23 still gets those SELinux AVCs when munin-node is started.

And munin does not work. No graphs are created to http://localhost/munin/ nor to
http://localhost/munin/localhost/localhost/index.html

Munin works on another F22 machine right after installing munin and httpd.

The old F22 system where those AVCs came from is gone. I cannot get information from that instance anymore, so INSUFFICIENT_DATA I guess.
 
I still seem to have a broken system after the failed "dnf system-upgrade", although the system now thinks it is Fedora 23 and most of the packages are fc23.

Still I wonder why perl needs execmem access with munin. What is broken in the system, or is there something to be worried about, like a trojan horse somewhere?

