Hit this with Czech locale set. munin-node-configure says: And 'df' plugin doesn't work. # The following plugins caused errors: # df: # Junk printed to stderr # df_inode: # Junk printed to stderr munin-node-1.4.4-1.fc12.noarch
Hmm, testing with munin-run the problem seems to be gvfs junk in failed mounts: [root@veselak ~]# munin-run df_inode _dev_sda2.value 6 _dev_shm.value 1 _dev_sda1.value 1 _tmp.value 1 _dev_sda4.value 1 df: `/home/Veselo/.gvfs': Permission denied Error executing df. Exit code 256 [root@veselak ~]# munin-run df _dev_sda2.value 44.825755214646 _dev_shm.value 0.00976737371599733 _dev_sda1.value 37.2316641275745 _tmp.value 0.00325579123866578 _dev_sda4.value 6.86326258719286 df: `/home/Veselo/.gvfs': Permission denied
This appears to be this bug: http://munin-monitoring.org/ticket/613 upstream, which was closed as invalid for some reason. ;( Would you be interested in reopening it and providing info to upstream? Or would you like me to do so?
Hey Kevin, reading the upstream bug it doesn't seem to be the same issue. I do confess though that I don't understand what the reporter is actually asking to be done. To be clearer on my report, my issue is: - plugin is not autoconfigured via munin-node-configure - doesn't graph/collect data I expect you have a relationship built with the upstream and likely have a Trac account :), so from my PoV it's better if you reopen the bug. Thanks!
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
I'm not using F12 anymore, so honestly I don't care, close it :) Leaving open as there may be CCed people who might have a different opinion.
Sorry this fell off the radar. Can anyone duplicate it on f13+? I'll try and dig more when time permits.
I can duplicate this on Fedora 14. Using "semodule -DB" allows the selinux denials to be seen in the audit log that match up to the df errors: 2010/11/17-21:41:29 [9212] df: `/proc/sys/fs/binfmt_misc': Permission denied 2010/11/17-21:41:29 [9212] df: `/var/lib/nfs/rpc_pipefs': Permission denied 2010/11/17-21:41:29 [9212] df: `/home/mt/.gvfs': Permission denied type=AVC msg=audit(1290047991.765:31319): avc: denied { search } for pid=8376 comm="df" scontext=unconfined_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir type=AVC msg=audit(1290047991.767:31320): avc: denied { search } for pid=8376 comm="df" name="nfs" dev=dm-0 ino=1836380 scontext=unconfined_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir type=AVC msg=audit(1290047991.769:31321): avc: denied { search } for pid=8376 comm="df" name="home" dev=dm-0 ino=2097153 scontext=unconfined_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir My solution for this is to have these types of filesystems ignored. The easiest way to do this is to add the following to /etc/munin/plugin-conf.d/munin-node: [df] env.exclude binfmt_misc rpc_pipefs fuse.gvfs-fuse-daemon
Switching against F14 based on comment #7
Moving this over to selinux policy folks to look at/comment on.
files_dontaudit_search_all_mountpoints(disk_munin_plugin_t) or files_dontaudit_search_all_dirs(disk_munin_plugin_t)
I don't think this is a selinux issue. Even if selinux is disabled, the permission check will fail, since it's the munin user accessing another user's home directory. Additionally, if the operation succeeded, df would find that the block count is 0 for the mount, and would filter it by default (running df as root doesn't show user gvfs mounts). I would suggest patching the df plugin to add "binfmt_misc rpc_pipefs fuse.gvfs-fuse-daemon" to the default list of excluded filesystem types. There are likely other gvfs types that need to be added as well, I don't know what that full list would be.
Mike: good point. I'll look at a patch for this soon.
Yes, if it doesn't work in the permissive mode, then it is not SELinux issue. I am adding files_dontaudit_search_all_dirs(disk_munin_plugin_t) to dontaudit. Fixed in selinux-policy-3.9.7-13.fc14
munin-1.4.5-5.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/munin-1.4.5-5.fc14
Mike (and anyone else): can you take a look at the above update? Thanks.
munin-1.4.5-5.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update munin'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/munin-1.4.5-5.fc14
My suggestion fixed the immediate issue, but was incomplete. First, the env.exclude line overwrites the default list, I thought it just appended to it. So it would be better to preserve the existing set of excluded types. The other is that the df_inode plugin still reports errors (in munin-node-configure, and presumably in use). So a better fix would be: [df*] env.exclude none unknown iso9660 squashfs udf romfs ramfs debugfs binfmt_misc rpc_pipefs fuse.gvfs-fuse-daemon That would match df, df_inode, and df_abs and add the new filetypes while preserving the old.
Indeed. :( You are correct here. Can you take a look at this scratch build: http://koji.fedoraproject.org/koji/taskinfo?taskID=2644683 and confirm it looks ok with respect to this df issue?
It's working here. All three plugins are valid when checked by munin-node-configure, and no warnings are generated in munin-node.log when the plugins are run normally.
munin-1.4.5-6.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/munin-1.4.5-6.fc14
Thanks for your testing Mike. I really appreciate it. New update pushing out with the above changes.
munin-1.4.5-6.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.