Bug 511087 - selinux policy prevents external mrtg scripts from being executed
selinux policy prevents external mrtg scripts from being executed
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: mrtg (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Vitezslav Crhonek
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-13 11:34 EDT by Jurgen Kramer
Modified: 2009-07-21 15:54 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-21 15:54:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
actual selinux alert (2.46 KB, text/plain)
2009-07-13 11:34 EDT, Jurgen Kramer
no flags Details
new console helper selinux alert (2.56 KB, text/plain)
2009-07-14 12:08 EDT, Jurgen Kramer
no flags Details

  None (edit)
Description Jurgen Kramer 2009-07-13 11:34:02 EDT
Created attachment 351487 [details]
actual selinux alert

Description of problem:
external mrtg scripts are not allowed to run due to selinux policy

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-62.fc11.noarch
selinux-policy-targeted-3.6.12-62.fc11.noarch


How reproducible:
Always


Steps to Reproduce:
1. Enable external scripts in mrtg.conf
2. mrtg is being run with 5 minuted intervals (crontab)
3. selinux errors appear
  
Actual results:
SELinux errors messages stating:
SELinux is preventing mrtg (mrtg_t) "execute" mrtg_etc_t.
the scripts are not run.

Expected results:
Working scripts, no access denied errors

Additional info:
The files in /etc/mrtg are currently set to:

[kramer@nasng mrtg]$ ll -Z
-rwx------. root root system_u:object_r:mrtg_etc_t:s0  cpufan_speed.sh
-rwx------. root root system_u:object_r:mrtg_etc_t:s0  cpu_temp.sh
-rwx------. root root system_u:object_r:mrtg_etc_t:s0  fan_speed.sh
-rwx------. root root system_u:object_r:mrtg_etc_t:s0  hdd_temp.sh
-rwx------. root root system_u:object_r:mrtg_etc_t:s0  mb_temp.sh
-rw-r--r--. root root system_u:object_r:mrtg_etc_t:s0  mrtg.cfg
-rwx------. root root system_u:object_r:mrtg_etc_t:s0  nbfan_speed.sh
Comment 1 Daniel Walsh 2009-07-14 11:47:03 EDT
Did you create thise files?  If you chcon -t bin_t /etc/mrtg/*.sh

It should work.

Arese these files packages somewhere?
Comment 2 Daniel Walsh 2009-07-14 11:49:03 EDT
Reassigning to mrtg to get their comments on this.  Should these files be placed somewhere else?  Does the documentation suggest that these files be created here?  If yes could we change the it to /etc/mrtg/scripts and then add the scripts directory to the rpm?
Comment 3 Jurgen Kramer 2009-07-14 12:06:35 EDT
Yes, I created these files. The feed mrtg with info needed. I've changed the context of the .sh files. Now I no longer get the selinux alerts with the access denied messages. However I now seem to get a new error (see attachment 2 [details]), it pop up every 5 minutes (mrtg is run every five minutes).


What is a good way to stream line this for mrtg? Maybe create a mrtg bin directory which can hold all scripts and create a accompanying selinux policy?
Of course this only when bin_t is the proper context.

The files now look like:
[kramer@nasng mrtg]$ ll -Z
-rwx--x--x. root root system_u:object_r:bin_t:s0       cpufan_speed.sh
-rwx--x--x. root root system_u:object_r:bin_t:s0       cpu_temp.sh
-rwx--x--x. root root system_u:object_r:bin_t:s0       fan_speed.sh
-rwx--x--x. root root system_u:object_r:bin_t:s0       hdd_temp.sh
-rwx--x--x. root root system_u:object_r:bin_t:s0       mb_temp.sh
-rw-r--r--. root root system_u:object_r:mrtg_etc_t:s0  mrtg.cfg
-rw-r--r--. root root system_u:object_r:mrtg_etc_t:s0  mrtg.cfg~
-rwx--x--x. root root system_u:object_r:bin_t:s0       nbfan_speed.sh
Comment 4 Jurgen Kramer 2009-07-14 12:08:03 EDT
Created attachment 351621 [details]
new console helper selinux alert

new console helper selinux alert, after changing *.sh context to bin_t. Occurs every 5 mins.
Comment 5 Vitezslav Crhonek 2009-07-20 10:45:13 EDT
I suggest to place your own mrtg scripts to /usr/local/bin/.
Comment 6 Vitezslav Crhonek 2009-07-20 10:48:39 EDT
(In reply to comment #2)
> Reassigning to mrtg to get their comments on this.  Should these files be
> placed somewhere else?  Does the documentation suggest that these files be
> created here?  If yes could we change the it to /etc/mrtg/scripts and then add
> the scripts directory to the rpm?  

These files were created by user, mrtg package doesn't contain scripts (except of examples in /usr/share/doc/mrtg-%{version}). /etc/mrtg is for configuration files only.
Comment 7 Daniel Walsh 2009-07-20 16:23:58 EDT
Jurgan looks like you are executing some binary that is linked to a userhelper application?

/usr/bin/consolehelper-gtk  What are you trying to do with this?
Comment 8 Jurgen Kramer 2009-07-21 11:07:00 EDT
The selinux alert regaring console helper stopped appearing after I logged of and logged in again. But now I have a new message telling me hddtemp is not allow to read /dev/sda. I will first move my mrtg scripts to /usr/local/bin and will file a separate bug is the problem persists.
Comment 9 Jurgen Kramer 2009-07-21 11:49:34 EDT
OK, I've moved the scripts to /usr/local/bin. Only the hddtemp selinux alert remains. This is / was also the source of the consolehelper messages as /usr/bin/hddtemp is linked to consolehelper. (the real program resides in /usr/sbin, but when I directly call hddtemp in /usr/sbin I get consolehelper-gtk messages). Will file in a separate bug -> bug #512997.

I think this bug can now be closed.

Note You need to log in before you can comment on or make changes to this bug.