Bug 1857381 - munin is generating an avc denial when trying to access /usr/bin/munin-cron
Summary: munin is generating an avc denial when trying to access /usr/bin/munin-cron
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1866680
Depends On:
Blocks:
Reported: 2020-07-15 18:22 UTC by stan
Modified: 2020-09-12 16:36 UTC (History)
CC: 9 users

Fixed In Version: selinux-policy-3.14.4-54.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-12 16:36:59 UTC
Type: Bug



Description stan 2020-07-15 18:22:54 UTC
Description of problem:
Selinux is generating AVCs every few minutes when munin tries to run munin-cron


Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-53.fc31.noarch


How reproducible:
Every time

Steps to Reproduce:
1. Update package from repositories
2.
3.

Actual results:
Jul 15 11:15:17 localhost.localdomain python3[220417]: SELinux is preventing munin-update from append access on the file /var/log/munin/munin-update.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that munin-update should be allowed append access on the munin-update.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'munin-update' --raw | audit2allow -M my-muninupdate
# semodule -X 300 -i my-muninupdate.pp

Expected results:
No AVC denials

Additional info:

Started immediately after update to latest version of munin from 2.0.54-1.fc31.noarch to 2.0.63-1.fc31.noarch.

Comment 1 stan 2020-07-15 18:24:41 UTC
There are two AVCs.  Here is the munin-cron version.

Jul 15 11:15:12 localhost.localdomain python3[220417]: SELinux is preventing munin-cron from ioctl access on the file /usr/bin/munin-cron.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that munin-cron should be allowed ioctl access on the munin-cron file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'munin-cron' --raw | audit2allow -M my-munincron
# semodule -X 300 -i my-munincron.pp

Comment 2 Zdenek Pytela 2020-07-21 15:43:45 UTC
Hi,

Could you please attach the actual denials? To limit the audit records in last 10 minutes:

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Apart from the denials, is the software working properly or some services fail?

Comment 3 stan 2020-07-21 16:43:01 UTC
I would, but I took the advice in the messages after I opened the bug, and I'm no longer seeing the denials.  I'll try looking for them in older records.

----
type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc:  denied  { ioctl } for  pid=218162 comm=munin-cron path=/usr/bin/munin-cron dev="sda4" ino=6915965 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc:  denied  { nnp_transition } for  pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0 
----
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0 
----
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc:  denied  { ioctl } for  pid=218172 comm=munin-update path=/usr/share/munin/munin-update dev="sda4" ino=3147166 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc:  denied  { append } for  pid=218172 comm=munin-update name=munin-update.log dev="sda4" ino=12863651 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0 
----

As far as I know, everything is working properly.

Comment 4 Zdenek Pytela 2020-07-22 13:34:07 UTC
Hi,

I can't see the nnp feature turned on by default in munin services, have you made any modifications?

  # systemctl cat munin munin-node

Comment 5 stan 2020-07-22 14:12:30 UTC
No modifications.

# systemctl cat munin munin-node
# /usr/lib/systemd/system/munin.service
[Unit]
Description=Munin server to collect data from nodes
Documentation=man:munin-cron(8)
After=network.target network-online.target munin-node.service

[Service]
User=munin
ExecStart=/usr/bin/munin-cron
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full

# /usr/lib/systemd/system/munin-node.service
[Unit]
Description=Munin Node
Documentation=man:munin-node(1) http://guide.munin-monitoring.org/en/latest/node/index.html
After=network.target network-online.target
PartOf=munin-asyncd.service

[Service]
Type=notify
ExecStart=/usr/sbin/munin-node --foreground
PrivateDevices=no
PrivateTmp=yes
ProtectHome=read-only
ProtectSystem=full
TimeoutStopSec=30s

[Install]
WantedBy=multi-user.target
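Added triage example, not part of the bug thread or of the selinux-policy project: the unit above never sets NoNewPrivileges= explicitly, but systemd's seccomp-backed sandboxing options such as PrivateDevices=yes imply it for a service started as a non-root User=, so the init_t to munin_t transition is denied as nnp_transition and the process keeps running as init_t. The script parses the `ausearch -i` records from comment 3 (embedded as constructed sample input) and separates that root cause from the ioctl/append denials it produces, printing the over-broad init_t rules the sealert catchall advice would have installed instead of the transition fix the maintainer made in policy.

```python
import re

# Constructed input: the five `ausearch -i` records quoted in comment 3, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(07/15/2020 10:55:01.417:2982) : avc:  denied  { ioctl } for  pid=218162 comm=munin-cron path=/usr/bin/munin-cron dev="sda4" ino=6915965 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.418:2983) : avc:  denied  { nnp_transition } for  pid=218172 comm=munin-cron scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(07/15/2020 10:55:01.418:2984) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:munin_t:s0
type=AVC msg=audit(07/15/2020 10:55:01.420:2985) : avc:  denied  { ioctl } for  pid=218172 comm=munin-update path=/usr/share/munin/munin-update dev="sda4" ino=3147166 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/15/2020 10:55:01.955:2997) : avc:  denied  { append } for  pid=218172 comm=munin-update name=munin-update.log dev="sda4" ino=12863651 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value tokens
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')   # the { perm ... } set of an AVC

def parse_record(line):
    """One ausearch -i line -> dict of fields; 'perms' is the denied permission list."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec

def domain(context):
    """Type field of a context: system_u:system_r:init_t:s0 -> init_t."""
    return context.split(":")[2]

def classify(rec):
    """Blocked init_t -> munin_t transition is the root cause; later denials exist only because the process stayed in init_t."""
    if "nnp_transition" in rec["perms"] or rec.get("op") == "security_bounded_transition":
        return "root_cause"
    if domain(rec.get("scontext", "::")) == "init_t" and "object_r:munin_" in rec.get("tcontext", ""):
        return "symptom"
    return "other"

def audit2allow_rule(rec):
    """Rule the sealert catchall would install; it widens init_t (PID 1's domain) instead of fixing the transition."""
    return "allow %s %s:%s { %s };" % (domain(rec["scontext"]), domain(rec["tcontext"]),
                                        rec["tclass"], " ".join(rec["perms"]))

def triage(text):
    """Group parsed records as root_cause / symptom / other."""
    out = {"root_cause": [], "symptom": [], "other": []}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        out[classify(rec)].append(rec)
    return out

if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT)["symptom"]:
        print("symptom only, do not allow:", audit2allow_rule(rec))
```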

Comment 6 Zdenek Pytela 2020-07-23 08:06:38 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/308

Comment 7 stan 2020-07-23 16:06:58 UTC
Thanks a lot!

Comment 8 Lukas Vrabec 2020-07-26 15:00:20 UTC
commit 74fe9dcdfe3e67ccf0661b4e3176569bf078bb4e (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela@redhat.com>
Date:   Thu Jul 23 10:04:33 2020 +0200

    Allow munin domain transition with NoNewPrivileges
    
    Resolves: rhbz#1857381

Comment 9 Zdenek Pytela 2020-08-06 07:02:32 UTC
*** Bug 1866680 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2020-08-27 21:52:21 UTC
FEDORA-2020-b2d6cffc6f has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f

Comment 11 Fedora Update System 2020-08-28 15:38:09 UTC
FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b2d6cffc6f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b2d6cffc6f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2020-09-12 16:36:59 UTC
FEDORA-2020-b2d6cffc6f has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.
