SELinux is preventing mysql_indexes from unix_read, unix_write access on the semaphore Unknown.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that mysql_indexes should be allowed unix_read unix_write access on the Unknown sem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Context                unconfined_u:system_r:services_munin_plugin_t:s0
Target Objects                Unknown [ sem ]
Source                        mysql_indexes
Source Path                   mysql_indexes
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-16.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   28
First Seen                    Thu 16 Dec 2010 10:40:05 CET
Last Seen                     Thu 16 Dec 2010 10:45:06 CET
Local ID                      b91c66b9-7afb-4de8-a0ce-f98011fcb75c

Raw Audit Messages
type=AVC msg=audit(1292492706.386:45854): avc: denied { unix_read unix_write } for pid=9317 comm="mysql_tmp_table" key=1667461225 scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem

mysql_indexes,services_munin_plugin_t,services_munin_plugin_t,sem,unix_read,unix_write

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { unix_read unix_write };

Sadly, the proposed solution:

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep mysql_indexes /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

does not fix the issue.
The solution was proposed by the new setroubleshoot-applet.

# grep mysql_indexes /var/log/audit....

is empty.

(The bug is: the setroubleshoot applet suggests a solution which does not fix the issue.)
Matthias, could you execute

# semanage permissive -a services_munin_plugin_t

and see if you get other avc messages.
Matthias, can you see if your audit.log rolled?

# grep mysql_indexes /var/log/audit/audit.log* | audit2allow -M mypol
(In reply to comment #2)
> Matthias,
> could you execute
>
> # semanage permissive -a services_munin_plugin_t
>
> and see if you get other avc messages.

After executing semanage..

SELinux is preventing /usr/bin/perl from 'read, write' accesses on the semaphore Unknown.

Plugin: catchall
you want to allow perl to have read write access on the Unknown sem
If you believe that perl should be allowed read write access on the Unknown sem by default.
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
I'll do the grep Daniel suggested now. audit.log gets those entries:

mypol.te:

module mypol 1.0;

require {
	type unconfined_t;
	type services_munin_plugin_t;
	type user_tmpfs_t;
	type tmpfs_t;
	class sem { write associate read create unix_read unix_write };
	class shm { unix_read associate read write getattr unix_write };
	class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t self:sem { unix_read create unix_write associate };
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t user_tmpfs_t:file { read write };

Executing

# grep /usr/bin/perl /var/log/audit/audit.log | audit2allow -M mypol

results in this error :-/

compilation failed:
mypol.te:6:ERROR 'syntax error' at token '' on line 6:
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from mypol.te

[root@mrungexp ~]# rpm -q policycoreutils-python
policycoreutils-python-2.0.83-33.5.fc14.x86_64
Matthias, do you know which mysql munin plugin causes these AVC?

I am trying to build this policy using

# make -f /usr/share/selinux/devel/Makefile

and it works fine.

# cat mypol.te
module mypol 1.0;

require {
	type unconfined_t;
	type services_munin_plugin_t;
	type user_tmpfs_t;
	type tmpfs_t;
	class sem { write associate read create unix_read unix_write };
	class shm { unix_read associate read write getattr unix_write };
	class file { read write };
}

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t self:sem { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t self:sem { unix_read create unix_write associate };
allow services_munin_plugin_t self:shm { write unix_read getattr unix_write associate read };
allow services_munin_plugin_t tmpfs_t:file { read write };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:sem { unix_read read write unix_write associate };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t unconfined_t:shm { write unix_read getattr unix_write associate read };
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t user_tmpfs_t:file { read write };

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
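The following is an added example, not code from this bug report, from setroubleshoot or from audit2allow: it reproduces what the suggested `grep ... | audit2allow -M mypol` pipeline does to the raw AVC records quoted above, turning them into the `require` block and `allow` rules of a .te module (with `self` where the target type equals the source type, exactly as in the generated modules in the comments). It filters on the scontext type rather than on a process name, because the one AVC quoted in the report carries comm="mysql_tmp_table" rather than mysql_indexes, which is one reason a grep for the plugin name can come back empty. The log text is constructed for the example; the second record (the perl plugin hitting an unconfined_t semaphore) is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit.log: the AVC quoted in the report, an unrelated
# SYSCALL record, and a hypothetical second denial from the perl plugin.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1292492706.386:45854): avc:  denied  { unix_read unix_write } for  pid=9317 comm="mysql_tmp_table" key=1667461225 scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:services_munin_plugin_t:s0 tclass=sem
type=SYSCALL msg=audit(1292492706.386:45854): arch=c000003e syscall=64 success=no exit=-13
type=AVC msg=audit(1292492800.100:45900): avc:  denied  { read write } for  pid=9400 comm="perl" key=1667461225 scontext=unconfined_u:system_r:services_munin_plugin_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=sem
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def collect_rules(log_text, source_type):
    """Merge every denial of one source domain into {(src, tgt, class): perms}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed and parsed[0] == source_type:
            stype, ttype, tclass, perms = parsed
            # audit2allow writes "self" when the target type equals the source type
            target = "self" if ttype == stype else ttype
            rules[(stype, target, tclass)] |= perms
    return rules

def render_te(rules, module="mypol", version="1.0"):
    """Render the .te text: module header, require block, then the allow rules."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules if k[1] != "self"})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, target, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG, "services_munin_plugin_t")))
```

The rendered text is what `checkmodule`/`semodule_package` (or the devel Makefile shown in the comment above) would compile into mypol.pp; review the allow rules before loading them, since they grant exactly the access that was denied.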