Bug 474202 - Munin scripts has difficulties reading logfiles
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-12-02 13:57 EST by Kim Bisgaard
Modified: 2009-11-18 08:04 EST
Doc Type: Bug Fix
Last Closed: 2009-11-18 08:04:32 EST
Description Kim Bisgaard 2008-12-02 13:57:59 EST
Description of problem:
Munin trips off selinux in many instances:

=======================================================
SELinux is preventing postfix_mailvol (munin_t) "read" to ./maillog (var_log_t).
-------------------------------------------------------
node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228243507.943:282): avc: denied { read } for pid=28685 comm="postfix_mailvol" name="maillog" dev=sda3 ino=69455 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228243507.943:282): arch=40000003 syscall=5 success=no exit=-13 a0=91cc574 a1=8000 a2=0 a3=8000 items=0 ppid=27857 pid=28685 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="postfix_mailvol" exe="/usr/bin/perl" subj=system_u:system_r:munin_t:s0 key=(null)

=======================================================
SELinux is preventing find (munin_t) "getattr" to /var/spool/clientmqueue (mqueue_spool_t). 
-------------------------------------------------------
node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228243806.491:293): avc: denied { getattr } for pid=18105 comm="find" path="/var/spool/clientmqueue" dev=sda3 ino=65626 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228243806.491:293): arch=40000003 syscall=300 success=no exit=-13 a0=ffffff9c a1=8331cfc a2=8331c9c a3=100 items=0 ppid=18104 pid=18105 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)

=======================================================
SELinux is preventing postfix_mailque (munin_t) "getattr" to /var/spool/postfix (postfix_spool_t). 
-------------------------------------------------------
node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228243805.634:291): avc: denied { getattr } for pid=18062 comm="postfix_mailque" path="/var/spool/postfix" dev=sda3 ino=65632 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228243805.634:291): arch=40000003 syscall=195 success=no exit=-13 a0=88d9b30 a1=bf903704 a2=41bff4 a3=88d9b42 items=0 ppid=17331 pid=18062 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="postfix_mailque" exe="/bin/bash" subj=system_u:system_r:munin_t:s0 key=(null)

=======================================================
SELinux is preventing df (munin_t) "search" to ./nfs (var_lib_nfs_t). 
-------------------------------------------------------
node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228243807.443:295): avc: denied { search } for pid=18175 comm="df" name="nfs" dev=sda3 ino=65436 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228243807.443:295): arch=40000003 syscall=268 success=no exit=-13 a0=98364d8 a1=54 a2=bf962e48 a3=0 items=0 ppid=18174 pid=18175 auid=4294967295 uid=99 gid=485 euid=99 suid=99 fsuid=99 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="df" exe="/bin/df" subj=system_u:system_r:munin_t:s0 key=(null)



Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-26.fc10
munin-node-1.2.6-3.fc10.noarch
Comment 1 Daniel Walsh 2008-12-02 15:07:45 EST
So does munin need to be able to read all log files?  

Does it need to read all postfix spool?

Could you put munin into permissive mode to gather all AVCs?

# semanage permissive -a munin_t

Once we have a fix you can remove permissive mode by executing

# semanage permissive -d munin_t
Comment 2 Kim Bisgaard 2008-12-03 13:14:55 EST
SELinux is preventing postfix_mailvol (munin_t) "read" to ./maillog (var_log_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327808.164:218): avc:  denied  { read } for  pid=21459 comm="postfix_mailvol" name="maillog" dev=sda3 ino=69455 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327808.164:218): arch=40000003 syscall=5 success=yes exit=4 a0=9f95574 a1=8000 a2=0 a3=8000 items=0 ppid=20720 pid=21459 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="postfix_mailvol" exe="/usr/bin/perl" subj=system_u:system_r:munin_t:s0 key=(null)



SELinux is preventing postfix_mailque (munin_t) "getattr" to /var/spool/postfix
(postfix_spool_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.190:209): avc:  denied  { getattr } for  pid=21257 comm="postfix_mailque" path="/var/spool/postfix" dev=sda3 ino=65632 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.190:209): arch=40000003 syscall=195 success=yes exit=0 a0=87fab30 a1=bfeb0cb4 a2=41bff4 a3=87fab42 items=0 ppid=20720 pid=21257 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="postfix_mailque" exe="/bin/bash" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing postfix_mailque (munin_t) "search" to ./postfix
(postfix_spool_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.192:210): avc:  denied  { search } for  pid=21257 comm="postfix_mailque" name="postfix" dev=sda3 ino=65632 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.192:210): arch=40000003 syscall=12 success=yes exit=0 a0=87fab30 a1=19 a2=0 a3=87fab30 items=0 ppid=20720 pid=21257 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="postfix_mailque" exe="/bin/bash" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing find (munin_t) "read" to ./postfix (postfix_spool_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.200:211): avc:  denied  { read } for  pid=21261 comm="find" name="postfix" dev=sda3 ino=65632 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.200:211): arch=40000003 syscall=5 success=yes exit=4 a0=806924b a1=8000 a2=0 a3=8000 items=0 ppid=21260 pid=21261 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing postfix_mailque (munin_t) "getattr" to
/var/spool/postfix/maildrop (postfix_spool_maildrop_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.214:212): avc:  denied  { getattr } for  pid=21268 comm="postfix_mailque" path="/var/spool/postfix/maildrop" dev=sda3 ino=65641 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.214:212): arch=40000003 syscall=195 success=yes exit=0 a0=87fbf58 a1=bfeb0530 a2=41bff4 a3=87fbf58 items=0 ppid=21267 pid=21268 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="postfix_mailque" exe="/bin/bash" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing find (munin_t) "read" to ./maildrop
(postfix_spool_maildrop_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.220:213): avc:  denied  { read } for  pid=21269 comm="find" name="maildrop" dev=sda3 ino=65641 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.220:213): arch=40000003 syscall=5 success=yes exit=6 a0=8c83968 a1=98800 a2=15 a3=0 items=0 ppid=21268 pid=21269 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing find (munin_t) "search" to ./maildrop
(postfix_spool_maildrop_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.220:214): avc:  denied  { search } for  pid=21269 comm="find" name="maildrop" dev=sda3 ino=65641 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.220:214): arch=40000003 syscall=133 success=yes exit=0 a0=6 a1=6 a2=0 a3=8c83910 items=0 ppid=21268 pid=21269 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing find (munin_t) "getattr" to /var/spool/clientmqueue
(mqueue_spool_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.745:215): avc:  denied  { getattr } for  pid=21300 comm="find" path="/var/spool/clientmqueue" dev=sda3 ino=65626 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.745:215): arch=40000003 syscall=300 success=yes exit=0 a0=ffffff9c a1=87d0d04 a2=87d0ca4 a3=100 items=0 ppid=21299 pid=21300 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing find (munin_t) "read" to ./clientmqueue (mqueue_spool_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.745:216): avc:  denied  { read } for  pid=21300 comm="find" name="clientmqueue" dev=sda3 ino=65626 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.745:216): arch=40000003 syscall=5 success=yes exit=5 a0=87cfab8 a1=98800 a2=bfd3f568 a3=0 items=0 ppid=21299 pid=21300 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing find (munin_t) "search" to ./clientmqueue
(mqueue_spool_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327806.745:217): avc:  denied  { search } for  pid=21300 comm="find" name="clientmqueue" dev=sda3 ino=65626 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327806.745:217): arch=40000003 syscall=133 success=yes exit=0 a0=5 a1=5 a2=0 a3=87cfa60 items=0 ppid=21299 pid=21300 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)


SELinux is preventing df (munin_t) "search" to ./nfs (var_lib_nfs_t).

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1228327506.203:201): avc:  denied  { search } for  pid=31986 comm="df" name="nfs" dev=sda3 ino=65436 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir

node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1228327506.203:201): arch=40000003 syscall=268 success=yes exit=0 a0=88704d8 a1=54 a2=bf8fe5e8 a3=0 items=0 ppid=31985 pid=31986 auid=4294967295 uid=99 gid=485 euid=99 suid=99 fsuid=99 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="df" exe="/bin/df" subj=system_u:system_r:munin_t:s0 key=(null)
Comment 3 Daniel Walsh 2008-12-08 16:28:28 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-33.fc10
Comment 4 Kim Bisgaard 2008-12-12 13:58:42 EST
Thx but,

with selinux-policy-targeted-3.5.13-34.fc10 installed I still get these:
SELinux is preventing postfix_mailvol (munin_t) "read" to ./maillog (var_log_t). 
SELinux is preventing postfix_mailque (munin_t) "getattr" to /var/spool/postfix/maildrop (postfix_spool_maildrop_t).
SELinux is preventing find (munin_t) "read" to ./maildrop (postfix_spool_maildrop_t). 
SELinux is preventing find (munin_t) "search" to ./maildrop (postfix_spool_maildrop_t). 

Regards!
Comment 5 Daniel Walsh 2008-12-18 11:34:22 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-35.fc10
Comment 6 Kim Bisgaard 2008-12-26 08:33:54 EST
Works fine, thanks!

One thing though - now I get new ones - the script does the following (pseudo code by me):
for d in /var/spool/postfix/{deferred,active,maildrop,incoming,corrupt,hold}; do
    # check that each queue directory exists, then list the files in it
    test -d "$d" && find "$d" -type f
done

It results in:
SELinux is preventing find (munin_t) "getattr" to /var/spool/postfix/deferred/1/12719110A6 (postfix_spool_t). 

node=kim.alleroedderne.adsl.dk type=AVC msg=audit(1230190453.232:84): avc: denied { getattr } for pid=30711 comm="find" path="/var/spool/postfix/deferred/1/12719110A6" dev=sda3 ino=69798 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
node=kim.alleroedderne.adsl.dk type=SYSCALL msg=audit(1230190453.232:84): arch=40000003 syscall=300 success=yes exit=0 a0=ffffff9c a1=9ee511c a2=9ee50bc a3=100 items=0 ppid=30710 pid=30711 auid=4294967295 uid=0 gid=485 euid=0 suid=0 fsuid=0 egid=485 sgid=485 fsgid=485 tty=(none) ses=4294967295 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0 key=(null)

All these subdirectories are postfix_spool_t, except for maildrop, which is postfix_spool_maildrop_t.
Comment 7 Daniel Walsh 2008-12-27 07:24:03 EST
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-37.fc10
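
The following Python is an added example, not code from this bug report or from audit2allow. It groups AVC denials like the ones quoted in this thread into the allow rules a locally generated module such as mypol would carry, so they can be read before the module is loaded with semodule -i; the function names and the broad_types list are assumptions of this example.

```python
import re
from collections import defaultdict

# Abridged records from the comments above (node= prefix dropped, one SYSCALL record shortened).
SAMPLE = """\
type=AVC msg=audit(1228327808.164:218): avc:  denied  { read } for  pid=21459 comm="postfix_mailvol" name="maillog" dev=sda3 ino=69455 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1228327806.190:209): avc:  denied  { getattr } for  pid=21257 comm="postfix_mailque" path="/var/spool/postfix" dev=sda3 ino=65632 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1228327806.192:210): avc:  denied  { search } for  pid=21257 comm="postfix_mailque" name="postfix" dev=sda3 ino=65632 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1228327806.200:211): avc:  denied  { read } for  pid=21261 comm="find" name="postfix" dev=sda3 ino=65632 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1228327806.200:211): arch=40000003 syscall=5 success=yes exit=4 comm="find" exe="/bin/find" subj=system_u:system_r:munin_t:s0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
)

def selinux_type(context):
    # user:role:type:level -> type (the level may itself contain ':')
    return context.split(":")[2]

def collect(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def render(rules, broad_types=("var_log_t",)):
    """Return allow rules in .te syntax; broad_types is the reviewer's own list (assumption)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        note = "  # review: generic type" if tgt in broad_types else ""
        out.append(f"allow {src} {tgt}:{cls} {perm_txt};{note}")
    return out

if __name__ == "__main__":
    print("\n".join(render(collect(SAMPLE.splitlines()))))
```

On a live system, audit2allow -M mypol also writes mypol.te next to mypol.pp, and that file holds the generated rules in the same syntax.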
Comment 8 Bug Zapper 2009-11-18 05:16:30 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 9 Daniel Walsh 2009-11-18 08:04:32 EST
Closing as closed in the current release.
