Description of problem:
Happens when the machine boots up.
SELinux is preventing /usr/bin/perl from using the 'execmem' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed execmem access on processes labeled munin_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep munin-update /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        munin-update
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.18.4-309.fc21.x86_64
                              perl-5.20.3-327.fc22.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-105.21.fc21.noarch
                              selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-100.fc21.x86_64 #1 SMP Mon Sep 14 21:46:00 UTC 2015 x86_64 x86_64
Alert Count                   203
First Seen                    2015-09-23 21:45:02 EEST
Last Seen                     2015-09-24 16:30:01 EEST
Local ID                      a96db411-d8c9-4cb6-8047-277d7c3a2924

Raw Audit Messages
type=AVC msg=audit(1443101401.774:2241): avc: denied { execmem } for pid=7999 comm="munin-update" scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tclass=process permissive=0

type=SYSCALL msg=audit(1443101401.774:2241): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=7f849c464000 a1=33000 a2=7 a3=47e items=0 ppid=7998 pid=7999 auid=478 uid=478 gid=465 euid=478 suid=478 fsuid=478 egid=465 sgid=465 fsgid=465 tty=(none) ses=140 comm=munin-update exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)

Hash: munin-update,munin_t,munin_t,process,execmem

Version-Release number of selected component:
selinux-policy-3.13.1-105.21.fc21.noarch
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-100.fc21.x86_64
type:           libreport

Potential duplicate: bug 913294
http://www.akkadia.org/drepper/selinux-mem.html
Why does it show a duplicate of selinux-policy? Both f21 and f22. What version of munin is this related to? If this system was fedup from f21->f22 you will need to correct your labels for the system.
@johnson: Because I had a broken mixed F21 & F22 system after "dnf system-upgrade". See bug 1266683. So there were both F21 and F22 versions of packages installed for every software. I then upgraded to F23 (beta), but those 'execmem' exceptions still come. Libreport (abrt-applet) for some reason did not recognize that this bug was already reported, but created a new one (bug 1268948) for F23.
You will need to clean up your system sufficiently so that someone else can reproduce the problem. "Bug 1266683 - dnf system-upgrade fails to upgrade cleanly and dnf distro-sync fails to do what is intends to do, downgrade some packages." was CLOSED:CANTFIX. This package in particular indicates that you have an indeterminate selinux policy. This is directly related to this bug report. After you fix your installed packages, you will need to correct your labels. Again, what version of munin is this related to for this F22 box? If this is the same, but your f22 box no longer runs f22 - then this bug report can simply be closed.
The versions were:
munin.noarch 2.0.25-2.fc21
munin-common.noarch 2.0.25-2.fc21
munin-node.noarch 2.0.25-2.fc21

I see this from /var/log/dnf.log. They were installed on 2015-09-03 and those AVCs started on 2015-09-23 when I tried to upgrade from F21 to F22, but it went somehow wrong and the system never recovered. Those SELinux AVCs may be caused by the weird state of the system being between F21 and F22, which started then, on 2015-09-23.

And no, I do not have this system as F21 or F22 anymore, it is upgraded to F23. The F23 still gets those SELinux AVCs when munin-node is started. And munin does not work. No graphs are created to http://localhost/munin/ nor to http://localhost/munin/localhost/localhost/index.html

Munin works on another F22 machine just after installing munin and httpd.

The old F22 system where those AVCs came from is gone. I cannot get information from that instance anymore, so INSUFFICIENT_DATA I guess.

I seem to still have a broken system after the failed "dnf system-upgrade", although the system now thinks it is Fedora 23 and most of the packages are fc23. Still I wonder why perl needs execmem access with munin. What is broken in the system, or is there something to be worried about, like a trojan horse somewhere?
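Added example, not part of the bug report or of any participant's comment: a short Python script that pairs the AVC and SYSCALL records from the Raw Audit Messages above by event ID and decodes the mprotect arguments, showing that the denied call asked for memory that is writable and executable at once (a2=7). The function names are made up for this example, and the SYSCALL record is trimmed to the fields the script reads.

```python
import re

# Records copied from the "Raw Audit Messages" in the report above
# (SYSCALL record trimmed to the fields used here).
AVC = ('type=AVC msg=audit(1443101401.774:2241): avc: denied { execmem } for '
       'pid=7999 comm="munin-update" '
       'scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:munin_t:s0-s0:c0.c1023 '
       'tclass=process permissive=0')
SYSCALL = ('type=SYSCALL msg=audit(1443101401.774:2241): arch=x86_64 '
           'syscall=mprotect success=no exit=EACCES a0=7f849c464000 a1=33000 '
           'a2=7 a3=47e pid=7999 comm=munin-update exe=/usr/bin/perl')

# Protection bits from <sys/mman.h> on Linux.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}


def parse(record):
    """Split one audit record into event ID, denied permissions and key=value fields."""
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    fields["event"] = re.search(r"audit\(([\d.]+:\d+)\)", record).group(1)
    perms = re.search(r"\{ ([^}]*)\}", record)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def triage(avc_line, syscall_line):
    """Correlate an AVC denial with its SYSCALL record and decode mprotect()."""
    avc, sc = parse(avc_line), parse(syscall_line)
    if avc["event"] != sc["event"]:
        raise ValueError("records belong to different audit events")
    result = {"perms": avc["perms"],
              "domain": avc["scontext"].split(":")[2],
              "syscall": sc["syscall"], "exe": sc["exe"]}
    if sc["syscall"] == "mprotect":
        # mprotect(addr=a0, len=a1, prot=a2); audit logs the arguments in hex.
        prot = int(sc["a2"], 16)
        result["prot"] = [name for bit, name in PROT.items() if prot & bit]
        result["length"] = int(sc["a1"], 16)
        # Write and execute requested together is what execmem governs here.
        result["wx"] = bool(prot & 0x2 and prot & 0x4)
    return result


if __name__ == "__main__":
    print(triage(AVC, SYSCALL))
```

The decoded request (204 KiB made read/write/execute by /usr/bin/perl running in munin_t) identifies what was asked for, not which loaded library or Perl module asked for it.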