Bug 248304 - munin-node causes selinux denials to ethtool and smartctl
Summary: munin-node causes selinux denials to ethtool and smartctl
Alias: None
Product: Fedora
Classification: Fedora
Component: munin   
(Show other bugs)
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-07-15 18:36 UTC by cje
Modified: 2008-02-25 16:27 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-25 16:27:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description cje 2007-07-15 18:36:46 UTC
Description of problem:
i get selinux denials:

avc: denied { read, write } for comm="ethtool" dev=sockfs egid=497 euid=99
exe="/sbin/ethtool" exit=0 fsgid=497 fsuid=99 gid=497 items=0 name="[166497]"
path="socket:[166497]" pid=14486 scontext=system_u:system_r:ifconfig_t:s0
sgid=497 subj=system_u:system_r:ifconfig_t:s0 suid=99 tclass=tcp_socket
tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=99


avc: denied { append } for comm="smartctl" dev=dm-0 egid=497 euid=0
exe="/usr/sbin/smartctl" exit=0 fsgid=497 fsuid=0 gid=497 items=0
name="munin-node.log" path="socket:[166497]" pid=14798
scontext=system_u:system_r:fsadm_t:s0 sgid=497 subj=system_u:system_r:fsadm_t:s0
suid=0 tclass=file tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0
whever munin-node runs.

it's perfectly possible these should be fixed in the apps rather than the policy
but i don't know.

Version-Release number of selected component (if applicable):

How reproducible:
every five minutes!

Comment 1 Daniel Walsh 2007-07-16 14:22:06 UTC
The first avc message is caused because munin-node is leaking a file descriptor.
 The tcp_socket file descriptor should be closed on exec

fcntl(fd, F_SETFD, FD_CLOEXEC)

The second one looks like smartctl >> /var/lg/munin-node.log?  Probably need to
confing munin-node.

Comment 2 Kevin Fenzi 2007-12-01 17:03:24 UTC
Sorry for the long long delay here. ;( 

Not sure what do do about these issues off hand. 

The first one is ethtool being called from a munin plugin (perl). 
I don't think there would be any way for it to be leaking a file descriptor

Not sure what needs configuring in munin-node on the second. Will dig some more... 

Comment 3 Kevin Fenzi 2008-02-21 02:49:30 UTC
Sorry (again) for the delay... 

do you still see these errors? There have been some selinux policy changes for
munin, and I am not seeing them here off hand... 

Comment 4 cje 2008-02-24 14:10:39 UTC
no, these particular errors have gone.

there are still a few selinux denials when running munin-node but i'm tracking
them in bug 428942

Comment 5 Kevin Fenzi 2008-02-25 16:27:52 UTC
Excellent. Thanks for posting those! :) 

I guess we can close this bug now? Feel free to re-open or file a new one if
there is anything I can do. I will also add myself to CC on 428942. 

Thanks again. 

Note You need to log in before you can comment on or make changes to this bug.