Description of problem:
When I run munin it can't update its data files in /var/lib/munin due to a SELinux AVC ('map' access). When I run in permissive mode munin works, but many other AVCs related to the plugins appear. It's hard for me to tell them apart, so I'm reporting them all together.

Version-Release number of selected component (if applicable):
munin-2.0.33-5.fc27.noarch
selinux-policy-3.13.1-283.17.fc27.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. Setup munin and munin-node. There is nothing special in my setup, except that I change the default plugin list a bit.

The AVCs:

type=AVC msg=audit(1513420202.281:2246): avc: denied { read } for pid=17710 comm="uptime" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.282:2247): avc: denied { open } for pid=17710 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.282:2248): avc: denied { getattr } for pid=17710 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.282:2249): avc: denied { map } for pid=17710 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.379:2250): avc: denied { map } for pid=17708 comm="/usr/share/muni" path="/var/lib/munin/horatio/horatio-uptime-uptime-g.rrd" dev="sdb1" ino=394595 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.154:2251): avc: denied { write } for pid=17760 comm="who" name="nss" dev="sda2" ino=8601786 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1513420203.155:2252): avc: denied { connectto } for pid=17760 comm="who" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1513420203.533:2253): avc: denied { map } for pid=17708 comm="/usr/share/muni" path="/var/lib/munin/horatio/horatio-diskstats_throughput-sda-rdbytes-g.rrd" dev="sdb1" ino=404148 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.867:2254): avc: denied { read } for pid=17825 comm="postfix_mailque" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2255): avc: denied { open } for pid=17825 comm="postfix_mailque" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2256): avc: denied { getattr } for pid=17825 comm="postfix_mailque" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2257): avc: denied { map } for pid=17825 comm="postfix_mailque" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.868:2258): avc: denied { write } for pid=17825 comm="postfix_mailque" name="nss" dev="sda2" ino=8601786 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1513420203.868:2259): avc: denied { connectto } for pid=17825 comm="postfix_mailque" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1513420203.876:2260): avc: denied { read } for pid=17827 comm="postconf" name="unix" dev="proc" ino=4026532057 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.876:2261): avc: denied { create } for pid=17827 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1513420204.078:2263): avc: denied { read } for pid=17882 comm="sh" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420204.078:2264): avc: denied { open } for pid=17882 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420204.078:2265): avc: denied { getattr } for pid=17882 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420204.078:2266): avc: denied { map } for pid=17882 comm="sh" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.475:2267): avc: denied { read } for pid=17925 comm="selinux_avcstat" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.476:2268): avc: denied { open } for pid=17925 comm="selinux_avcstat" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.476:2269): avc: denied { getattr } for pid=17925 comm="selinux_avcstat" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420205.476:2270): avc: denied { map } for pid=17925 comm="selinux_avcstat" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:selinux_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513451103.657:4166): avc: denied { ioctl } for pid=20456 comm="postconf" path="socket:[147621]" dev="sockfs" ino=147621 ioctlcmd=0x8910 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1513451103.737:4167): avc: denied { ioctl } for pid=20484 comm="postconf" path="socket:[147662]" dev="sockfs" ino=147662 ioctlcmd=0x8910 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=0

Running audit2allow gives:

#============= disk_munin_plugin_t ==============
allow disk_munin_plugin_t sssd_public_t:file { getattr map open read };

#============= mail_munin_plugin_t ==============
allow mail_munin_plugin_t proc_net_t:file read;
allow mail_munin_plugin_t self:unix_dgram_socket { create ioctl };
allow mail_munin_plugin_t sssd_public_t:file { getattr map open read };
allow mail_munin_plugin_t sssd_t:unix_stream_socket connectto;
allow mail_munin_plugin_t sssd_var_lib_t:sock_file write;

#============= munin_t ==============
allow munin_t munin_var_lib_t:file map;

#============= selinux_munin_plugin_t ==============
allow selinux_munin_plugin_t sssd_public_t:file { getattr map open read };

#============= system_munin_plugin_t ==============
allow system_munin_plugin_t sssd_t:unix_stream_socket connectto;
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Thanks Lukas, but I tested this update and the solution is partial. Munin seems to run, but I still get some AVCs:

type=AVC msg=audit(1516048502.096:316): avc: denied { read } for pid=2763 comm="uptime" name="passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048502.103:317): avc: denied { open } for pid=2763 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048502.104:318): avc: denied { getattr } for pid=2763 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048502.104:319): avc: denied { map } for pid=2763 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4586871 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516048505.042:320): avc: denied { write } for pid=2967 comm="who" name="nss" dev="sda2" ino=8601786 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1516048505.043:321): avc: denied { connectto } for pid=2967 comm="who" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1516048505.453:322): avc: denied { create } for pid=2992 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1516048505.454:323): avc: denied { ioctl } for pid=2992 comm="postconf" path="socket:[32879]" dev="sockfs" ino=32879 ioctlcmd=0x8910 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=1

Running audit2allow gives:

#============= mail_munin_plugin_t ==============
allow mail_munin_plugin_t self:unix_dgram_socket { create ioctl };

#============= system_munin_plugin_t ==============
allow system_munin_plugin_t sssd_public_t:file { getattr map open read };
allow system_munin_plugin_t sssd_t:unix_stream_socket connectto;
allow system_munin_plugin_t sssd_var_lib_t:sock_file write;
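To show how the audit2allow summaries in the original report and in the follow-up comment above are derived from the raw AVC records, here is an added Python example; it is not part of the bug report, of munin, or of audit2allow itself. It parses each `avc: denied` record, groups the denied permissions by source type, target type and object class (writing `self` when both sides share a type, as audit2allow does), renders allow rules in audit2allow's layout, and separately flags records logged with `permissive=0`, which are the denials that actually failed rather than ones merely logged while the system ran permissive. The sample input is a constructed subset of the records quoted in this thread; the regexes, function names and the `self` handling are this example's own assumptions about the record format.

```python
"""Summarise SELinux AVC denials into candidate allow rules, audit2allow-style.

Added example for this bug report; not audit2allow's own code.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the AVC records quoted in the report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1513420202.281:2246): avc: denied { read } for pid=17710 comm="uptime" name="passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.282:2249): avc: denied { map } for pid=17710 comm="uptime" path="/var/lib/sss/mc/passwd" dev="sda2" ino=4578139 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420202.379:2250): avc: denied { map } for pid=17708 comm="/usr/share/muni" path="/var/lib/munin/horatio/horatio-uptime-uptime-g.rrd" dev="sdb1" ino=394595 scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513420203.155:2252): avc: denied { connectto } for pid=17760 comm="who" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1513420203.876:2261): avc: denied { create } for pid=17827 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1513451103.657:4166): avc: denied { ioctl } for pid=20456 comm="postconf" path="socket:[147621]" dev="sockfs" ino=147621 ioctlcmd=0x8910 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=unix_dgram_socket permissive=0
"""

# "avc: denied { perm perm } for key=value ..." ; the braces may hold several permissions.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the record's fields as a dict plus 'perms' (list), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """Extract the type from a security context; any MLS range after it is ignored."""
    return ctx.split(":")[2]


def summarize(lines):
    """Group denied permissions by (source type, target type, class), like audit2allow.

    Returns (rules, enforcing): rules maps each triple to the set of denied permissions,
    enforcing lists the records logged with permissive=0, i.e. the ones that actually failed.
    """
    rules = defaultdict(set)
    enforcing = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        src = context_type(rec["scontext"])
        tgt = context_type(rec["tcontext"])
        if tgt == src:
            tgt = "self"  # same type on both sides is written as 'self' in policy language
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
        if rec.get("permissive") == "0":
            enforcing.append(rec)
    return rules, enforcing


def render_rules(rules):
    """Render allow rules in audit2allow's layout: a header per source type, targets sorted."""
    out = []
    current = None
    for (src, tgt, cls) in sorted(rules):
        if src != current:
            out.append(f"#============= {src} ==============")
            current = src
        perms = sorted(rules[(src, tgt, cls)])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return out


if __name__ == "__main__":
    rules, enforcing = summarize(SAMPLE_AVCS.splitlines())
    print("\n".join(render_rules(rules)))
    for rec in enforcing:
        print(f"# enforcing-mode denial: comm={rec['comm']} perms={' '.join(rec['perms'])} tclass={rec['tclass']}")
```

Reading the grouped output this way makes the shape of the problem visible before any rule is written: the plugin domains are being denied NSS lookups through sssd (the `/var/lib/sss/mc/passwd` memory cache and the `/var/lib/sss/pipes/nss` responder socket), and `munin_t` is being denied `map` on its own RRD files under `/var/lib/munin`. Those are interface-level gaps that belong in the distribution policy, which is what the selinux-policy updates in this thread addressed, rather than rights to grant with a broad local module.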
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.