Description of problem:
SELinux is generating AVCs every few minutes when munin tries to run munin-cron

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-53.fc31.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Update package from repositories
2.
3.

Actual results:
Jul 15 11:15:17 localhost.localdomain python3[220417]: SELinux is preventing munin-update from append access on the file /var/log/munin/munin-update.log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that munin-update should be allowed append access on the munin-update.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'munin-update' --raw | audit2allow -M my-muninupdate
# semodule -X 300 -i my-muninupdate.pp

Expected results:
No AVC denials

Additional info:
Started immediately after update to latest version of munin from 2.0.54-1.fc31.noarch to 2.0.63-1.fc31.noarch.
There are two AVCs. Here is the munin-cron version.

Jul 15 11:15:12 localhost.localdomain python3[220417]: SELinux is preventing munin-cron from ioctl access on the file /usr/bin/munin-cron.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that munin-cron should be allowed ioctl access on the munin-cron file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'munin-cron' --raw | audit2allow -M my-munincron
# semodule -X 300 -i my-munincron.pp
Hi,

Could you please attach the actual denials? To limit the audit records to the last 10 minutes:

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Apart from the denials, is the software working properly, or do some services fail?
I would, but I took the advice in the messages after I opened the bug, and I'm no longer seeing the denials. I'll try looking for them in older records.

----
type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc: denied { ioctl } for pid=218162 comm=munin-cron path=/usr/bin/munin-cron dev="sda4" ino=6915965 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc: denied { nnp_transition } for pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0
----
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0
----
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc: denied { ioctl } for pid=218172 comm=munin-update path=/usr/share/munin/munin-update dev="sda4" ino=3147166 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc: denied { append } for pid=218172 comm=munin-update name=munin-update.log dev="sda4" ino=12863651 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0
----

As far as I know, everything is working properly.
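Added example (not part of the bug report): a small parser for the `ausearch -i` records above that separates the root cause, the denied nnp_transition from init_t to munin_t (systemd sets NoNewPrivileges implicitly for a unit that combines PrivateDevices=yes with a non-root User=, as munin.service does), from the follow-on ioctl and append denials that are only raised because the process is still running as init_t. The record text is embedded inline for offline use; function names are my own.

```python
import re
from collections import Counter

# The ausearch -i records quoted in the bug report, embedded here (separator lines dropped).
SAMPLE_AUDIT = """
type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc: denied { ioctl } for pid=218162 comm=munin-cron path=/usr/bin/munin-cron dev="sda4" ino=6915965 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc: denied { nnp_transition } for pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc: denied { ioctl } for pid=218172 comm=munin-update path=/usr/share/munin/munin-update dev="sda4" ino=3147166 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc: denied { append } for pid=218172 comm=munin-update name=munin-update.log dev="sda4" ino=12863651 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

def parse_avcs(text):
    """Return one dict per AVC record (perm, comm, scontext, tcontext, tclass, ...)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:                      # SELINUX_ERR and other record types are skipped
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        fields["perm"] = m.group("perm")
        records.append(fields)
    return records

def domain_of(ctx):
    return ctx.split(":")[2]           # user:role:type:level -> type

def failed_transitions(records):
    """nnp_transition denials: (comm, source domain, target domain it could not enter)."""
    return [(r["comm"], domain_of(r["scontext"]), domain_of(r["tcontext"]))
            for r in records if r["perm"] == "nnp_transition"]

def denials_from_wrong_domain(records, stuck_domain):
    """Other denials whose source is still stuck_domain; once the transition is
    allowed these accesses are checked against the target domain instead."""
    return Counter((r["comm"], r["perm"], domain_of(r["tcontext"]))
                   for r in records if r["perm"] != "nnp_transition"
                   and domain_of(r["scontext"]) == stuck_domain)

if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AUDIT)
    for comm, src, dst in failed_transitions(recs):
        print(f"{comm}: transition {src} -> {dst} denied under NoNewPrivileges")
        for (c, perm, tgt), n in denials_from_wrong_domain(recs, src).items():
            print(f"  follow-on: {c} {perm} on {tgt} x{n} (process still in {src})")
```

Reading the output this way shows why an audit2allow module built from the individual denials would grant init_t access to munin files instead of fixing the transition, which is what the policy change in this bug does.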
Hi,

I can't see the nnp feature turned on by default in munin services, have you made any modifications?

# systemctl cat munin munin-node
No modifications.

# systemctl cat munin munin-node
# /usr/lib/systemd/system/munin.service
[Unit]
Description=Munin server to collect data from nodes
Documentation=man:munin-cron(8)
After=network.target network-online.target munin-node.service

[Service]
User=munin
ExecStart=/usr/bin/munin-cron
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full

# /usr/lib/systemd/system/munin-node.service
[Unit]
Description=Munin Node
Documentation=man:munin-node(1) http://guide.munin-monitoring.org/en/latest/node/index.html
After=network.target network-online.target
PartOf=munin-asyncd.service

[Service]
Type=notify
ExecStart=/usr/sbin/munin-node --foreground
PrivateDevices=no
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
TimeoutStopSec=30s

[Install]
WantedBy=multi-user.target
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/308
Thanks a lot!
commit 74fe9dcdfe3e67ccf0661b4e3176569bf078bb4e (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela@redhat.com>
Date:   Thu Jul 23 10:04:33 2020 +0200

    Allow munin domain transition with NoNewPrivileges

    Resolves: rhbz#1857381
*** Bug 1866680 has been marked as a duplicate of this bug. ***
FEDORA-2020-b2d6cffc6f has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f
FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b2d6cffc6f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.