Bug 512997 - selinux policy prevents external mrtg scripts using hddtemp from being executed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-21 15:48 UTC by Jurgen Kramer
Modified: 2009-08-23 08:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-23 08:20:43 UTC
Type: ---
Embargoed:


Attachments
actual selinux alert, blocked access to hddtemp (2.47 KB, text/plain)
2009-07-21 15:48 UTC, Jurgen Kramer

Description Jurgen Kramer 2009-07-21 15:48:22 UTC
Created attachment 354505
actual selinux alert, blocked access to hddtemp

Description of problem:
(follow up of bug 511087)
external mrtg scripts are not allowed to call hddtemp due to selinux policy


Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-62.fc11.noarch
selinux-policy-targeted-3.6.12-62.fc11.noarch


How reproducible:
always

Steps to Reproduce:
1. mrtg is run every 5 minutes and calls external scripts to get the needed input
2. The script calls hddtemp to get the temperature of drive /dev/sda
Actual results:
hddtemp is not allowed to access /dev/sda (see attachment)

Expected results:
hddtemp is allowed to access /dev/sda (when run from mrtg)

Additional info:

Comment 1 Daniel Walsh 2009-07-21 20:08:02 UTC
Miroslav, I think we need a policy for hddtemp.

Until that is written, Jurgen, you will need a custom policy for this.

============================= cut ============================================
# Local policy module: give the mrtg domain raw read access to fixed disks,
# so a hddtemp launched from an mrtg script (which stays in mrtg_t) can
# read /dev/sda.
policy_module(mymrtg, 1.0)

gen_require(`
	type mrtg_t;
')

# Interface from the reference policy storage module: allows read access
# to fixed-disk block devices (fixed_disk_device_t).
storage_raw_read_fixed_disk(mrtg_t)
==============================================================================
Cut and paste the above into mymrtg.te
Then execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymrtg.pp
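
A way to check, after loading the module, whether the denial this bug is about still shows up in the audit log. This is an added example, not part of the bug report: it assumes the denial is logged with source type mrtg_t, target type fixed_disk_device_t and class blk_file, which is the access storage_raw_read_fixed_disk() grants, and the sample audit lines are constructed, not the reporter's attachment.

```shell
#!/bin/sh
# Added example (not from the bug report). Lists AVC denials in which the
# mrtg_t domain (hddtemp run from an mrtg script stays in mrtg_t) was
# refused access to a fixed-disk block device. After installing a module
# that calls storage_raw_read_fixed_disk(mrtg_t), this list should be empty.

# Print one line per matching denial as "comm path permission", e.g.
# "hddtemp /dev/sda read". Argument $1 is the audit log to scan
# (normally /var/log/audit/audit.log). Always exits 0.
mrtg_fixed_disk_denials() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:mrtg_t:/ &&
        /tcontext=[^ ]*:fixed_disk_device_t:/ && /tclass=blk_file/ {
            comm = ""; path = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^path=/) { path = substr($i, 6); gsub(/"/, "", path) }
            }
            # the denied permission set sits between "{" and "}"
            if (match($0, /[{][^}]*[}]/))
                perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            print comm, path, perm
        }' "$1"
}

# Constructed sample in audit.log format (assumption, not the attachment):
# line 1 is the kind of denial this bug describes, line 2 is unrelated.
SAMPLE_AUDIT=$(cat <<'EOF'
type=AVC msg=audit(1248191301.123:42): avc:  denied  { read } for  pid=4321 comm="hddtemp" path="/dev/sda" dev=tmpfs ino=1234 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1248191302.456:43): avc:  denied  { write } for  pid=4322 comm="mrtg" name="mrtg.log" dev=dm-0 ino=5678 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
)

# Stand-alone demo on the constructed sample; on a real host pass
# /var/log/audit/audit.log to mrtg_fixed_disk_denials instead.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" > "$demo_file"
mrtg_fixed_disk_denials "$demo_file"
rm -f "$demo_file"
```

Run it before and after `semodule -i mymrtg.pp`: the hddtemp line should disappear once the module is loaded, while unrelated mrtg_t denials are left untouched for separate investigation.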

Comment 2 Miroslav Grepl 2009-08-13 15:58:18 UTC
Fixed in selinux-policy-3.6.12-76.fc11

Comment 3 Jurgen Kramer 2009-08-21 09:20:40 UTC
Any ETA on selinux-policy-3.6.12-76.fc11 being released? The policy is currently on 12-72 and I have not seen any updates in updates-testing so far.
Thanks.

Comment 4 Miroslav Grepl 2009-08-21 10:16:50 UTC
selinux-policy-3.6.12-78.fc11 is in the Fedora 11 testing
repository with these changes, so you can execute

su -c 'yum --enablerepo=updates-testing update selinux-policy-targeted'

Comment 5 Jurgen Kramer 2009-08-21 11:28:34 UTC
OK, thanks. I've installed the updated policy. No more selinux denials appear (only when calling /usr/sbin/hddtemp from the mrtg script. When I use /usr/bin/hddtemp I get consolehelper denials).
I am not getting any data, but that is probably another problem.

Comment 6 Daniel Walsh 2009-08-21 19:36:09 UTC
So if you execute /usr/sbin/hddtemp, you get data?

Comment 7 Jurgen Kramer 2009-08-21 21:23:25 UTC
Yes, I do get data when I execute /usr/sbin/hddtemp from the terminal or from my script. But I do not get data when mrtg executes the script. Very odd. Maybe the script outputs hidden characters which confuse mrtg's perl code.

Comment 8 Daniel Walsh 2009-08-21 22:37:31 UTC
Do you see any avc messages in /var/log/audit/audit.log?

If you run in permissive mode does it work?

Comment 9 Jurgen Kramer 2009-08-23 08:20:43 UTC
There are no new avc messages in the audit logs, so the updated policy works correctly. I managed to fix the problems with my scripts: mrtg got confused by their output, resulting in a null value being reported.

This bug can be closed.

