Bug 438825 - Munin-node won't start because SELinux prevents it from binding to port 4949
Munin-node won't start because SELinux prevents it from binding to port 4949
Status: CLOSED DUPLICATE of bug 428942
Product: Fedora
Classification: Fedora
Component: munin (Show other bugs)
8
All Linux
medium Severity medium
: ---
: ---
Assigned To: Kevin Fenzi
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-25 10:16 EDT by Tom Moertel
Modified: 2008-03-25 11:47 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-25 11:47:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tom Moertel 2008-03-25 10:16:49 EDT
Description of problem:


Version-Release number of selected component (if applicable):
munin-node-1.2.5-4.fc8

How reproducible:
I would expect it to be easy to reproduce until the right SELinux policy
adjustments are made.

Steps to Reproduce:
1.  Install F8 w/ updates in SELinux enforcing mode (the default).
2.  Install munin-node: yum install munin munin-node
3.  Attempt to start munin node:  /sbin/service munin-node start
4.  Check status:  /sbin/service munin-node status

Actual results:

# /sbin/service munin-node status
munin-node dead but subsys locked

Message log contains:  setroubleshoot: SELinux is preventing munin-node
(munin_t) "name_bind" to <Unknown> (munin_port_t). For complete SELinux
messages. run sealert -l a19998d2-e5fc-4aef-89ed-cd75f30b672b


Expected results:

That munin-node would be running.


Additional info:

Running the suggested sealert command yields:

[root@beryllium ~]# sealert -l a19998d2-e5fc-4aef-89ed-cd75f30b672b

Summary:

SELinux is preventing munin-node (munin_t) "name_bind" to <Unknown>
(munin_port_t).

Detailed Description:

SELinux denied access requested by munin-node. It is not expected that this
access is required by munin-node and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:munin_t:s0
Target Context                system_u:object_r:munin_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        munin-node
Source Path                   /usr/bin/perl
Port                          4949
Host                          beryllium.hq.REDACTED.com
Source RPM Packages           perl-5.8.8-36.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     beryllium.hq.REDACTED.com
Platform                      Linux beryllium.hq.REDACTED.com 2.6.24.3-34.fc8
                              #1 SMP Wed Mar 12 16:51:49 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Mar 25 09:59:36 2008
Last Seen                     Tue Mar 25 09:59:36 2008
Local ID                      a19998d2-e5fc-4aef-89ed-cd75f30b672b
Line Numbers

Raw Audit Messages

host=beryllium.hq.REDACTED.com type=AVC msg=audit(1206453576.530:1061): avc: 
denied  { name_bind } for  pid=28616 comm="munin-node" src=4949
scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:munin_port_t:s0
tclass=tcp_socket

host=beryllium.hq.REDACTED.com type=SYSCALL msg=audit(1206453576.530:1061):
arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=b51800 a2=10 a3=3e2b1529f0
items=0 ppid=1 pid=28616 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="munin-node" exe="/usr/bin/perl"
subj=system_u:system_r:munin_t:s0 key=(null)
Comment 1 Kevin Fenzi 2008-03-25 11:47:58 EDT
This seems to be a duplicate of bug 428942.

*** This bug has been marked as a duplicate of 428942 ***

Note You need to log in before you can comment on or make changes to this bug.