Bug 500987 - pings by munin are forbidden by selinux
Summary: pings by munin are forbidden by selinux
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL: http://munin.projects.linpro.no/ticke...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-05-15 11:35 UTC by Martin Jürgens
Modified: 2009-05-15 16:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-15 15:55:55 UTC
Target Upstream Version:
Embargoed:



Description Martin Jürgens 2009-05-15 11:35:20 UTC
Description of problem:
I'm doing some pings via munin, but they are forbidden by SELinux:

May 15 15:20:02 Hypnos kernel: type=1400 audit(1242393602.670:4): avc:  denied  { read write } for  pid=2995 comm="ethtool" path="socket:[15673]" dev=sockfs ino=15673 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=tcp_socket
May 15 15:20:07 Hypnos kernel: type=1400 audit(1242393607.561:5): avc:  denied  { read write } for  pid=3121 comm="ping" path="socket:[15673]" dev=sockfs ino=15673 scontext=root:system_r:ping_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=tcp_socket

Comment 1 Daniel Walsh 2009-05-15 15:55:40 UTC
This is a leaked file descriptor in munin. It opens its tcp_socket and then does not close it on exec, which ends up leaking it to ping and ifconfig. You can safely ignore this AVC, since SELinux is closing the leak.

You can allow the leak by executing

# grep initrc_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

This will allow the leak but stop the AVC. As long as you feel you can trust your ping and ifconfig commands, allowing the leak is not a problem.  :^)

You should report the bug to munin and tell them they should execute

fcntl(socket_fd, F_SETFD, FD_CLOEXEC)

on all open sockets and file descriptors before fork/exec.
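
The leak described in comment 1 and the fcntl fix, shown end to end. This is an added example, not munin's code and not anything from the original report; it assumes only a Linux host with /bin/sh. The socket is a plain AF_INET TCP socket that is never bound or connected, so it runs offline, and names such as open_tcp_socket and fd_survives_exec are the example's own. The parent forks and execs /bin/sh the way munin forks its plugins (ping, ethtool); without FD_CLOEXEC the exec'd child still holds the socket, which is exactly what the AVCs show (ping_t touching a tcp_socket labelled initrc_t). With the flag set, the kernel drops the descriptor at exec time and there is nothing for SELinux to deny. The flag is FD_CLOEXEC, and it is OR-ed into the existing descriptor flags rather than overwriting them. Kernels from 2.6.27 also accept SOCK_CLOEXEC in socket(), which removes the window between socket() and fcntl() in a threaded program, but RHEL 5's 2.6.18 kernel predates it, so fcntl is the portable choice here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a TCP socket the way a daemon would. It is neither bound nor
 * connected, so the program runs offline; only the descriptor matters. */
int open_tcp_socket(void)
{
    return socket(AF_INET, SOCK_STREAM, 0);
}

/* Report the close-on-exec state of fd: 1 set, 0 clear, -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* The fix from comment 1: mark the descriptor close-on-exec. The flag is
 * OR-ed into the current flags so nothing else is clobbered. 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh (as munin does for a plugin) and ask the exec'd
 * child whether descriptor fd is still open. ": >&N" makes the shell dup
 * fd N onto stdout for the no-op builtin, which succeeds only if N is open
 * in the new process image; nothing is ever written to the socket.
 * Returns 1 if the child inherited fd, 0 if exec closed it, -1 if the
 * child could not be run at all. */
int fd_survives_exec(int fd)
{
    char script[32];
    int status;
    pid_t pid;

    snprintf(script, sizeof script, ": >&%d", fd);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Silence the shell's "Bad file descriptor" diagnostic. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull != -1 && devnull != STDERR_FILENO) {
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Fresh socket, no fix: the exec'd child still sees it (expect 1). */
int leaks_without_cloexec(void)
{
    int s = open_tcp_socket();
    int r;
    if (s == -1)
        return -1;
    r = fd_survives_exec(s);
    close(s);
    return r;
}

/* Fresh socket with FD_CLOEXEC set before fork/exec: the kernel closes it
 * in the child at exec time, so the child never sees it (expect 0). */
int leaks_with_cloexec(void)
{
    int s = open_tcp_socket();
    int r;
    if (s == -1)
        return -1;
    if (set_cloexec(s) == -1) {
        close(s);
        return -1;
    }
    r = fd_survives_exec(s);
    close(s);
    return r;
}

int main(void)
{
    printf("child inherits socket without FD_CLOEXEC: %d\n", leaks_without_cloexec());
    printf("child inherits socket with FD_CLOEXEC:    %d\n", leaks_with_cloexec());
    return 0;
}
```

Build with `cc -o cloexec cloexec.c` and run it as any user; the first line prints 1 (the leak) and the second 0 (closed at exec). Run under a confined domain on an SELinux host, the first case is the one that produces the `ping_t` / `initrc_t` AVC above, because the socket keeps the label of the process that created it.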

Comment 2 Martin Jürgens 2009-05-15 16:29:38 UTC
Okay, many thanks :)

