Bug 729135 - SELinux is preventing /usr/bin/perl from 'create' accesses on the sock_file munin-master-processmanager-20902.sock.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: munin
Version: 15
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:ad84df54524...
Duplicates: 729137
 
Reported: 2011-08-08 19:41 UTC by Till Maas
Modified: 2011-09-13 05:53 UTC (History)

Fixed In Version: munin-1.4.6-4.fc15.1
Last Closed: 2011-09-13 05:53:29 UTC

Description Till Maas 2011-08-08 19:41:20 UTC
SELinux is preventing /usr/bin/perl from 'create' accesses on the sock_file munin-master-processmanager-20902.sock.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed create access on the munin-master-processmanager-20902.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep munin-update /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_run_t:s0
Target Objects                munin-master-processmanager-20902.sock [ sock_file
                              ]
Source                        munin-update
Source Path                   /usr/bin/perl
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           perl-5.12.4-159.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.x86_64 #1 SMP
                              Fri Jul 29 18:46:53 UTC 2011 x86_64 x86_64
Alert Count                   1095
First Seen                    Do 04 Aug 2011 08:15:02 CEST
Last Seen                     Mo 08 Aug 2011 21:40:02 CEST
Local ID                      a58c16a9-0cdc-41d4-92e7-900903ba11ea

Raw Audit Messages
type=AVC msg=audit(1312832402.186:2914): avc:  denied  { create } for  pid=20902 comm="munin-update" name="munin-master-processmanager-20902.sock" scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1312832402.186:2914): arch=x86_64 syscall=bind success=yes exit=0 a0=6 a1=30d8ca0 a2=6e a3=242a140 items=0 ppid=20901 pid=20902 auid=487 uid=487 gid=470 euid=487 suid=487 fsuid=487 egid=470 sgid=470 fsgid=470 tty=(none) ses=309 comm=munin-update exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)

Hash: munin-update,munin_t,var_run_t,sock_file,create

audit2allow

#============= munin_t ==============
allow munin_t var_run_t:sock_file create;

audit2allow -R

#============= munin_t ==============
allow munin_t var_run_t:sock_file create;

Comment 1 Daniel Walsh 2011-08-09 17:54:17 UTC
*** Bug 729137 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2011-08-09 17:54:52 UTC
Do you know which directory munin is trying to do this in?

Comment 3 Till Maas 2011-08-09 19:58:17 UTC
(In reply to comment #2)
> Do you know which directory munin is trying to do this in?

/var/run/munin/

Comment 4 Miroslav Grepl 2011-08-10 07:14:19 UTC
Executing

# restorecon -R -v /var/run/munin

will fix it. Not sure how this got mislabeled.

What does

# rpm -qf /var/run/munin

Comment 5 Till Maas 2011-08-11 16:59:04 UTC
# rpm -qf /var/run/munin
munin-1.4.6-1.fc15.noarch

Btw. /var/run is a tmpfs filesystem in F15 and I reboot the system where the problem occurred regularly.

Comment 6 Brownout 2011-08-23 11:03:06 UTC
It IS a bug: since the tmpfs gets recreated every reboot, the label gets lost.

Comment 7 Daniel Walsh 2011-08-24 02:58:42 UTC
Is there a process within the init system that is creating the munin directory?

Comment 8 Till Maas 2011-08-24 20:13:05 UTC
(In reply to comment #7)
> Is there a process within the init system that is creating the munin directory?

/etc/rc.d/init.d/munin-node

[...]
mkdir -p /var/run/munin 2>/dev/null
chown munin /var/run/munin
[...]

Comment 9 Daniel Walsh 2011-08-26 21:46:45 UTC
It needs 

restorecon /var/run/munin
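
Added example, not part of the original thread or of the munin package: a shell triage of the raw AVC record from the description that separates a mislabeled target (fixed with restorecon, as in comments 4 and 9) from a genuinely missing policy rule (where the audit2allow output would apply). The function names are hypothetical and the list of generic types is an assumed heuristic, not something the policy defines.

```shell
#!/bin/sh
# Constructed input: the raw AVC record quoted in the report above.
SAMPLE_AVC='type=AVC msg=audit(1312832402.186:2914): avc:  denied  { create } for  pid=20902 comm="munin-update" name="munin-master-processmanager-20902.sock" scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'

# Assumption: generic types an object usually carries only because it
# inherited its parent's label and nothing applied a specific one.
GENERIC_TYPES="var_run_t var_t var_lib_t var_log_t tmp_t tmpfs_t etc_t default_t file_t unlabeled_t"

# avc_field RECORD KEY -> value of KEY=value in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# ctx_type CONTEXT -> the type, third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc RECORD -> "relabel" when the target carries a generic type
# (suspect a lost label, check with restorecon), otherwise "policy".
triage_avc() {
    case $1 in
        *avc:*denied*) ;;
        *) echo "not-a-denial"; return 1 ;;
    esac
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    for generic in $GENERIC_TYPES; do
        if [ "$ttype" = "$generic" ]; then
            echo "relabel"
            return 0
        fi
    done
    echo "policy"
}

# summarize_avc RECORD -> one line: source type, target type:class, perm, verdict.
summarize_avc() {
    printf '%s -> %s:%s { %s } name=%s verdict=%s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p')" \
        "$(avc_field "$1" name)" \
        "$(triage_avc "$1")"
}

summarize_avc "$SAMPLE_AVC"
```

On a live system, `restorecon -n -v /var/run/munin` reports what a relabel would change without applying it, which confirms or rules out the "relabel" verdict.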

Comment 10 Fedora Update System 2011-08-27 23:54:10 UTC
munin-1.4.6-4.fc15.1 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/munin-1.4.6-4.fc15.1

Comment 11 Fedora Update System 2011-08-31 01:32:44 UTC
Package munin-1.4.6-4.fc15.1:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing munin-1.4.6-4.fc15.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/munin-1.4.6-4.fc15.1
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2011-09-13 05:53:19 UTC
munin-1.4.6-4.fc15.1 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

