Description of problem: I'm doing some pings via munin, but they are forbidden by SELinux:

May 15 15:20:02 Hypnos kernel: type=1400 audit(1242393602.670:4): avc: denied { read write } for pid=2995 comm="ethtool" path="socket:[15673]" dev=sockfs ino=15673 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=tcp_socket
May 15 15:20:07 Hypnos kernel: type=1400 audit(1242393607.561:5): avc: denied { read write } for pid=3121 comm="ping" path="socket:[15673]" dev=sockfs ino=15673 scontext=root:system_r:ping_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=tcp_socket
This is a leaked file descriptor in munin. It opens its tcp_socket and then does not close it on exec, which ends up leaking it to ping and ifconfig. You can safely ignore this avc, since SELinux is closing the leak. You can allow the leak by executing

# grep initrc_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

This will allow the leak, but stop the AVC. As long as you feel you can trust your ping and ifconfig command, allowing the leak is not a problem. :^) You should report the bug to munin, and tell them they should execute fcntl(socket_fd, F_SETFD, FD_CLOEXEC) on all open sockets and file descriptors before fork/exec.
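To make the leak and the suggested fix concrete, here is an added C example (not munin's code, and not from this bug report): it opens a TCP socket, forks and execs a child that reports whether the descriptor is still open in the new program image, then sets FD_CLOEXEC (the fcntl flag's actual name) and repeats the check. It assumes Linux, where /proc/self/fd/N exists iff descriptor N is open, and a /bin/sh.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec, keeping any other descriptor flags. 0 on success. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec /bin/sh; the child probes whether `fd` survived the exec
 * (Linux assumption: /proc/self/fd/N exists iff fd N is open in the shell).
 * Returns 1 if the descriptor leaked into the exec'd child, 0 if not, -1 on error. */
int leaks_across_exec(int fd) {
    char probe[64];
    snprintf(probe, sizeof probe, "[ -e /proc/self/fd/%d ]", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", probe, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int rc = WEXITSTATUS(status);
    if (rc == 127) return -1;
    return rc == 0 ? 1 : 0;                 /* test(1) exits 0 when the fd exists */
}

/* Open a TCP socket (stand-in for munin's own socket) and check whether it
 * leaks into an exec'd child before and after FD_CLOEXEC is set.
 * Returns 0 when the unfixed socket leaks and the fixed one does not. */
int demo(void) {
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) return -1;
    int before = leaks_across_exec(sock);   /* inherited: the AVC-producing leak */
    if (set_cloexec(sock) < 0) { close(sock); return -1; }
    int after = leaks_across_exec(sock);    /* closed by the kernel on exec */
    close(sock);
    printf("leaks before FD_CLOEXEC: %d, after: %d\n", before, after);
    return (before == 1 && after == 0) ? 0 : -1;
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

Running it as an unprivileged user is enough, since no connection is made; the same pattern (or SOCK_CLOEXEC at socket() time) applies to every descriptor a daemon holds when it spawns helpers like ping and ifconfig.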
Okay, many thanks :)