Bug 500987 - pings by munin are forbidden by selinux
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Reported: 2009-05-15 07:35 EDT by Martin Jürgens
Modified: 2009-05-15 12:39 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-05-15 11:55:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Martin Jürgens 2009-05-15 07:35:20 EDT
Description of problem:
I'm doing some pings via munin, but they are forbidden by SELinux:

May 15 15:20:02 Hypnos kernel: type=1400 audit(1242393602.670:4): avc:  denied  { read write } for  pid=2995 comm="ethtool" path="socket:[15673]" dev=sockfs ino=15673 scontext=root:system_r:ifconfig_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=tcp_socket
May 15 15:20:07 Hypnos kernel: type=1400 audit(1242393607.561:5): avc:  denied  { read write } for  pid=3121 comm="ping" path="socket:[15673]" dev=sockfs ino=15673 scontext=root:system_r:ping_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=tcp_socket
Comment 1 Daniel Walsh 2009-05-15 11:55:40 EDT
This is a leaked file descriptor in munin.  It opens its tcp_socket and then does not close it on exec, which ends up leaking it to ping and ifconfig.  You can safely ignore this avc, since SELinux is closing the leak.

You can allow the leak by executing

# grep initrc_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

This will allow the leak, but stop the AVC.  As long as you feel you can trust your ping and ifconfig command, allowing the leak is not a problem.  :^)

You should report the bug to munin, and tell them they should execute

fcntl(socket_fd, F_SETFD, F_CLOEXEC) 

on all open sockets and file descriptors before fork/exec.
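The leak and the fix from the comment above, as an added example that is not from the bug report or from munin's code. It constructs its own daemon socket, uses a child /bin/sh as a stand-in for the ping/ifconfig helpers, and assumes /bin/sh exists on the host.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* The fix from the comment: mark an already-open descriptor close-on-exec.
 * Returns 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* fork/exec a child (standing in for ping or ifconfig) and ask whether it
 * can still reach the parent's descriptor: the shell tries to dup fd onto
 * its stdout, which succeeds only if exec left the descriptor open.
 * Returns 1 if the child inherited the fd (the leak), 0 if exec closed it,
 * -1 if the child could not be run. */
int child_inherits_fd(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null 1>&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Open a TCP socket the way a daemon would (constructed here, no network
 * traffic), optionally apply the fix, then check what a child sees.
 * Returns child_inherits_fd()'s result, or -1 on error. */
int leak_check(int apply_fix) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (apply_fix && set_cloexec(fd) < 0) { close(fd); return -1; }
    int leaked = child_inherits_fd(fd);
    close(fd);
    return leaked;
}

int main(void) {
    printf("child sees socket without F_SETFD: %d\n", leak_check(0));
    printf("child sees socket with FD_CLOEXEC:  %d\n", leak_check(1));
    return 0;
}
```

Without the fix the child reports 1 (the descriptor crossed exec, which is what the AVC above is catching); with FD_CLOEXEC set the kernel drops it at exec and the child reports 0, so no policy change is needed.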
Comment 2 Martin Jürgens 2009-05-15 12:29:38 EDT
Okay, many thanks :)
