Bug 253816 - Munin-node generates avc denials when running ethtool/iptables in scripts
Summary: Munin-node generates avc denials when running ethtool/iptables in scripts
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-08-22 04:41 UTC by n0dalus
Modified: 2008-01-30 19:20 UTC (History)
1 user (show)

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2008-01-30 19:20:41 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description n0dalus 2007-08-22 04:41:12 UTC 
Description of problem:
When munin-node runs plugins that have iptables or ethtool (possibly other tools
as well), selinux denies the processes access to the pipe where data is read,
and denies append to the munin-node log file.

avc: denied { read, write } for comm="ethtool" dev=sockfs egid=495 euid=99
exe="/sbin/ethtool" exit=0 fsgid=495 fsuid=99 gid=495 items=0 name=""
path="socket:[880054]" pid=5282 scontext=user_u:system_r:ifconfig_t:s0 sgid=495
subj=user_u:system_r:ifconfig_t:s0 suid=99 tclass=tcp_socket
tcontext=user_u:system_r:initrc_t:s0 tty=(none) uid=99       

avc: denied { append } for comm="iptables" dev=dm-0 egid=495 euid=0
exe="/sbin/iptables" exit=0 fsgid=495 fsuid=0 gid=495 items=0 name="munin-
node.log" path="/var/log/munin/munin-node.log" pid=5018
scontext=user_u:system_r:iptables_t:s0 sgid=495
subj=user_u:system_r:iptables_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:var_log_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
munin-node-1.2.5-2.fc7
selinux-policy-targeted-2.6.4-33.fc7
Comment 1 Daniel Walsh 2007-08-22 12:41:54 UTC 
Sounds like munin-node needs a policy.  You can allow these permissions via 

audit2allow -a -l -M mymunin 
semodule -i mymunin.pp
Comment 2 n0dalus 2007-08-22 13:06:59 UTC 
When I use audit2allow, I get:
module muninnode 1.0;

require {
        type ifconfig_t;
        type var_log_t;
        type iptables_t;
        type initrc_t;
        class tcp_socket { read write };
        class file append;
}

#============= ifconfig_t ==============
allow ifconfig_t initrc_t:tcp_socket { read write };

#============= iptables_t ==============
allow iptables_t initrc_t:tcp_socket { read write };
allow iptables_t var_log_t:file append;

Is there a way of only giving ifconfig_t and iptables_t access to sockets and
logs created by munin-node? At the moment it looks like this will give iptables
and ifconfig access to write to any socket and append to any log.
Comment 3 Daniel Walsh 2007-09-04 19:59:28 UTC 
Yes we need a policy written for munin.

If you want to take a stab...

http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
Comment 4 Daniel Walsh 2007-11-19 15:57:56 UTC 
Fixed in selinux-policy-3.0.8-56.fc8
Comment 5 Daniel Walsh 2008-01-30 19:20:41 UTC 
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.
Note You need to log in before you can comment on or make changes to this bug.