Bug 248304 - munin-node causes selinux denials to ethtool and smartctl
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: munin
Version: 7
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-15 18:36 UTC by cje
Modified: 2008-02-25 16:27 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-25 16:27:52 UTC
Type: ---
Embargoed:


Description cje 2007-07-15 18:36:46 UTC
Description of problem:
i get selinux denials:

avc: denied { read, write } for comm="ethtool" dev=sockfs egid=497 euid=99
exe="/sbin/ethtool" exit=0 fsgid=497 fsuid=99 gid=497 items=0 name="[166497]"
path="socket:[166497]" pid=14486 scontext=system_u:system_r:ifconfig_t:s0
sgid=497 subj=system_u:system_r:ifconfig_t:s0 suid=99 tclass=tcp_socket
tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=99

and

avc: denied { append } for comm="smartctl" dev=dm-0 egid=497 euid=0
exe="/usr/sbin/smartctl" exit=0 fsgid=497 fsuid=0 gid=497 items=0
name="munin-node.log" path="socket:[166497]" pid=14798
scontext=system_u:system_r:fsadm_t:s0 sgid=497 subj=system_u:system_r:fsadm_t:s0
suid=0 tclass=file tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

whenever munin-node runs.

it's perfectly possible these should be fixed in the apps rather than the policy
but i don't know.

Version-Release number of selected component (if applicable):
munin-node-1.2.5-2.fc7

How reproducible:
every five minutes!

Comment 1 Daniel Walsh 2007-07-16 14:22:06 UTC
The first avc message is caused because munin-node is leaking a file descriptor.
The tcp_socket file descriptor should be closed on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)

The second one looks like smartctl >> /var/log/munin-node.log?  Probably need to
configure munin-node.


Comment 2 Kevin Fenzi 2007-12-01 17:03:24 UTC
Sorry for the long long delay here. ;( 

Not sure what to do about these issues off hand. 

The first one is ethtool being called from a munin plugin (perl). 
I don't think there would be any way for it to be leaking a file descriptor
there... 

Not sure what needs configuring in munin-node on the second. Will dig some more... 


Comment 3 Kevin Fenzi 2008-02-21 02:49:30 UTC
Sorry (again) for the delay... 

Do you still see these errors? There have been some selinux policy changes for
munin, and I am not seeing them here off hand... 



Comment 4 cje 2008-02-24 14:10:39 UTC
no, these particular errors have gone.

there are still a few selinux denials when running munin-node but i'm tracking
them in bug 428942

Comment 5 Kevin Fenzi 2008-02-25 16:27:52 UTC
Excellent. Thanks for posting those! :) 

I guess we can close this bug now? Feel free to re-open or file a new one if
there is anything I can do. I will also add myself to CC on 428942. 

Thanks again. 

