Bug 248304 - munin-node causes selinux denials to ethtool and smartctl
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: munin
Version: 7
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-07-15 14:36 EDT by cje
Modified: 2008-02-25 11:27 EST
Last Closed: 2008-02-25 11:27:52 EST
Description cje 2007-07-15 14:36:46 EDT
Description of problem:
i get selinux denials:

avc: denied { read, write } for comm="ethtool" dev=sockfs egid=497 euid=99
exe="/sbin/ethtool" exit=0 fsgid=497 fsuid=99 gid=497 items=0 name="[166497]"
path="socket:[166497]" pid=14486 scontext=system_u:system_r:ifconfig_t:s0
sgid=497 subj=system_u:system_r:ifconfig_t:s0 suid=99 tclass=tcp_socket
tcontext=system_u:system_r:initrc_t:s0 tty=(none) uid=99

and

avc: denied { append } for comm="smartctl" dev=dm-0 egid=497 euid=0
exe="/usr/sbin/smartctl" exit=0 fsgid=497 fsuid=0 gid=497 items=0
name="munin-node.log" path="socket:[166497]" pid=14798
scontext=system_u:system_r:fsadm_t:s0 sgid=497 subj=system_u:system_r:fsadm_t:s0
suid=0 tclass=file tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

whenever munin-node runs.

it's perfectly possible these should be fixed in the apps rather than the policy
but i don't know.

Version-Release number of selected component (if applicable):
munin-node-1.2.5-2.fc7

How reproducible:
every five minutes!
Comment 1 Daniel Walsh 2007-07-16 10:22:06 EDT
The first avc message is caused because munin-node is leaking a file descriptor.
The tcp_socket file descriptor should be closed on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)

The second one looks like smartctl >> /var/log/munin-node.log?  Probably need to
configure munin-node.
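
Added example (not part of the bug thread and not munin code): a small C program showing the leak Comment 1 describes, where a TCP socket opened by a parent stays open in an exec'd helper unless FD_CLOEXEC is set. It assumes Linux with /proc mounted and /bin/sh available; the function names are hypothetical.

```c
/* Added example, not munin code. Linux-only: the child checks /proc/self/fd. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork and exec a shell that reports whether descriptor fd is still open
 * after exec. Returns 1 if it was inherited, 0 if not, -1 on error. */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;
    snprintf(cmd, sizeof cmd, "[ -e /proc/self/fd/%d ]", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)
        || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Open a TCP socket as a daemon would, optionally mark it close-on-exec
 * (the call from Comment 1), and test whether a spawned helper inherits it. */
int socket_leaks_to_child(int set_cloexec)
{
    int leaked, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    leaked = fd_survives_exec(fd);
    close(fd);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: leaked=%d\n", socket_leaks_to_child(0));
    printf("with FD_CLOEXEC:    leaked=%d\n", socket_leaks_to_child(1));
    return 0;
}
```

In multithreaded programs, creating the socket with SOCK_CLOEXEC sets the flag atomically and avoids the window between socket() and fcntl().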
Comment 2 Kevin Fenzi 2007-12-01 12:03:24 EST
Sorry for the long long delay here. ;( 

Not sure what to do about these issues off hand.

The first one is ethtool being called from a munin plugin (perl). 
I don't think there would be any way for it to be leaking a file descriptor
there... 

Not sure what needs configuring in munin-node on the second. Will dig some more... 
Comment 3 Kevin Fenzi 2008-02-20 21:49:30 EST
Sorry (again) for the delay... 

do you still see these errors? There have been some selinux policy changes for
munin, and I am not seeing them here off hand... 

Comment 4 cje 2008-02-24 09:10:39 EST
no, these particular errors have gone.

there are still a few selinux denials when running munin-node but i'm tracking
them in bug 428942
Comment 5 Kevin Fenzi 2008-02-25 11:27:52 EST
Excellent. Thanks for posting those! :) 

I guess we can close this bug now? Feel free to re-open or file a new one if
there is anything I can do. I will also add myself to CC on 428942. 

Thanks again. 
