Bug 253816 - Munin-node generates avc denials when running ethtool/iptables in scripts
Munin-node generates avc denials when running ethtool/iptables in scripts
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-08-22 00:41 EDT by n0dalus
Modified: 2008-01-30 14:20 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:20:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description n0dalus 2007-08-22 00:41:12 EDT
Description of problem:
When munin-node runs plugins that have iptables or ethtool (possibly other tools
as well), selinux denies the processes access to the pipe where data is read,
and denies append to the munin-node log file.

avc: denied { read, write } for comm="ethtool" dev=sockfs egid=495 euid=99
exe="/sbin/ethtool" exit=0 fsgid=495 fsuid=99 gid=495 items=0 name=""
path="socket:[880054]" pid=5282 scontext=user_u:system_r:ifconfig_t:s0 sgid=495
subj=user_u:system_r:ifconfig_t:s0 suid=99 tclass=tcp_socket
tcontext=user_u:system_r:initrc_t:s0 tty=(none) uid=99       

avc: denied { append } for comm="iptables" dev=dm-0 egid=495 euid=0
exe="/sbin/iptables" exit=0 fsgid=495 fsuid=0 gid=495 items=0 name="munin-
node.log" path="/var/log/munin/munin-node.log" pid=5018
scontext=user_u:system_r:iptables_t:s0 sgid=495
subj=user_u:system_r:iptables_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:var_log_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
Comment 1 Daniel Walsh 2007-08-22 08:41:54 EDT
Sounds like munin-node needs a policy.  You can allow these permissions via 

audit2allow -a -l -M mymunin 
semodule -i mymunin.pp
Comment 2 n0dalus 2007-08-22 09:06:59 EDT
When I use audit2allow, I get:
module muninnode 1.0;

require {
        type ifconfig_t;
        type var_log_t;
        type iptables_t;
        type initrc_t;
        class tcp_socket { read write };
        class file append;

#============= ifconfig_t ==============
allow ifconfig_t initrc_t:tcp_socket { read write };

#============= iptables_t ==============
allow iptables_t initrc_t:tcp_socket { read write };
allow iptables_t var_log_t:file append;

Is there a way of only giving ifconfig_t and iptables_t access to sockets and
logs created by munin-node? At the moment it looks like this will give iptables
and ifconfig access to write to any socket and append to any log.
Comment 3 Daniel Walsh 2007-09-04 15:59:28 EDT
Yes we need a policy written for munin.

If you want to take a stab...

Comment 4 Daniel Walsh 2007-11-19 10:57:56 EST
Fixed in selinux-policy-3.0.8-56.fc8
Comment 5 Daniel Walsh 2008-01-30 14:20:41 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.