Created attachment 354505
actual selinux alert, blocked access to hddtemp

Description of problem:
(follow up of bug 511087) external mrtg scripts are not allowed to call hddtemp due to selinux policy

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-62.fc11.noarch
selinux-policy-targeted-3.6.12-62.fc11.noarch

How reproducible:
always

Steps to Reproduce:
1. mrtg is run every 5 minutes and calls external scripts to get the needed input
2. the script calls hddtemp to get the temperature of drive /dev/sda
3.

Actual results:
hddtemp is not allowed to access /dev/sda (see attachment)

Expected results:
hddtemp is allowed to access /dev/sda (when run from mrtg)

Additional info:
Miroslav, I think we need a policy for hddtemp. Until that is written, Jurgan you will need a custom policy for this.

============================= cut ============================================
policy_module(mymrtg, 1.0)

gen_require(`
    type mrtg_t;
')

storage_raw_read_fixed_disk(mrtg_t)
==============================================================================

Cut and paste the above into mymrtg.te

Then execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymrtg.pp
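As an added example that is not part of the bug thread or of the selinux-policy package: the workflow from the comment above as a script, which writes the mymrtg module for a given domain, builds and loads it with the policy devel Makefile, and then checks an audit.log-format file for remaining AVC denials from that domain, printing them as the raw allow rules audit2allow would suggest. The function names, the defaults and the audit log excerpt are this example's own assumptions; the excerpt is constructed for offline use and is not the alert attached to the bug.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the selinux-policy package.
# Assumptions: the Fedora policy devel Makefile lives at
# /usr/share/selinux/devel/Makefile, the interface is named
# storage_raw_read_fixed_disk as in the comment above, and the audit lines
# further down are constructed for offline use (they are not the attachment).

# Write module $1 granting domain $2 raw read access to fixed disks into
# directory $3 (default: current directory); prints the path of the .te file.
write_te_module() {
    name=$1; domain=$2; dir=${3:-.}
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0)

gen_require(\`
    type $domain;
')

storage_raw_read_fixed_disk($domain)
EOF
    printf '%s\n' "$dir/$name.te"
}

# Compile and load module $1 from directory $2 (needs root and the
# selinux-policy-devel package); fails with a message when the Makefile is absent.
build_and_install_module() {
    name=$1; dir=${2:-.}
    makefile=/usr/share/selinux/devel/Makefile
    if [ ! -f "$makefile" ]; then
        echo "missing $makefile: install selinux-policy-devel" >&2
        return 1
    fi
    ( cd "$dir" && make -f "$makefile" "$name.pp" ) || return 1
    semodule -i "$dir/$name.pp" || return 1
    # confirm the module is now loaded
    semodule -l | grep -qw "^$name"
}

# Count AVC denials whose source domain is $1 in an audit.log-format file $2
# (default /var/log/audit/audit.log). Prints 0 when there are none.
count_avc_denials() {
    domain=$1; log=${2:-/var/log/audit/audit.log}
    grep -c "avc:  denied .*scontext=[^ ]*:${domain}:" "$log" || true
}

# Turn each denial for domain $1 into the raw allow rule audit2allow would
# emit. The comment above prefers the policy interface to such raw rules; this
# output is for understanding the denial, not for pasting into the module.
suggest_allow_rules() {
    domain=$1; log=${2:-/var/log/audit/audit.log}
    grep "avc:  denied .*scontext=[^ ]*:${domain}:" "$log" | awk '{
        perms = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++) perms = perms $j " "
            }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        sub(/ $/, "", perms)
        print "allow " s " " t ":" c " { " perms " };"
    }' | sort -u
}

# Constructed audit.log excerpt for offline testing: two denials for mrtg_t
# (read and open on the fixed-disk block device), one for another domain and
# one non-AVC record that must be ignored.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1246000000.100:101): avc:  denied  { read } for  pid=2001 comm="hddtemp" name="sda" dev=tmpfs ino=4711 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1246000000.100:101): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1246000000.400:102): avc:  denied  { open } for  pid=2001 comm="hddtemp" name="sda" dev=tmpfs ino=4711 scontext=system_u:system_r:mrtg_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1246000000.700:103): avc:  denied  { getattr } for  pid=2002 comm="httpd" path="/var/www/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Usage: sh mymrtg.sh write [module] [domain]
#        sh mymrtg.sh install [module]
#        sh mymrtg.sh check [domain] [audit.log]
case "${1:-}" in
    write)   write_te_module "${2:-mymrtg}" "${3:-mrtg_t}" ;;
    install) build_and_install_module "${2:-mymrtg}" ;;
    check)   count_avc_denials "${2:-mrtg_t}" "${3:-}"
             suggest_allow_rules "${2:-mrtg_t}" "${3:-}" ;;
esac
```

Run `sh mymrtg.sh write` and `sh mymrtg.sh install` as root on the affected host, reproduce the mrtg run, then `sh mymrtg.sh check mrtg_t`: a count of 0 means the loaded module covers the access. If the count is nonzero, `setenforce 0` (permissive mode) shows whether SELinux is the only thing in the way, which is the question asked later in the thread.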
Fixed in selinux-policy-3.6.12-76.fc11
Any ETA on selinux-policy-3.6.12-76.fc11 being released? The policy is currently on 12-72 and I have not seen any updates in update-testing so far. Thanks.
selinux-policy-3.6.12-78.fc11 is in the Fedora 11 testing repository with these changes, so you can execute su -c 'yum --enablerepo=updates-testing update selinux-policy-targeted'
OK, thanks. I've installed the updated policy. No more selinux denials appear (only when calling /usr/sbin/hddtemp from the mrtg script; when I use /usr/bin/hddtemp I get consolehelper denials). I am not getting any data, but that is probably another problem.
So if you execute /usr/sbin/hddtemp, you get data?
Yes I do get data when I execute /usr/sbin/hddtemp from the terminal or from my script. But I do not get data when mrtg executes the script. Very odd. Maybe the script outputs hidden characters which confuse mrtg's perl code.
Do you see any avc messages in /var/log/audit/audit.log? If you run in permissive mode does it work?
There are no new avc messages in the audit logs, so the updated policy works correctly. I managed to fix the problems with my scripts; mrtg got confused by their output, resulting in a null value being reported. This bug can be closed.