Bug 748190 - Missing SELinux rules block use of munin's plugin selinux_avcstat
Summary: Missing SELinux rules block use of munin's plugin selinux_avcstat
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 6.3
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 748737
Reported: 2011-10-22 21:47 UTC by Gabriele Pohl
Modified: 2014-09-30 23:33 UTC (History)
Fixed In Version: selinux-policy-3.7.19-1365.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 748737
Environment:
Last Closed: 2012-06-20 12:28:09 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2012:0780 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2012-06-19 20:34:59 UTC

Description Gabriele Pohl 2011-10-22 21:47:23 UTC
Description of problem:

I get "Unknown" values from the selinux_avcstat plugin when fetching the values from munin-node via telnet.

Version-Release number of selected component (if applicable):

Name        : munin-node                   Relocations: (not relocatable)
Version     : 1.4.6                             Vendor: Fedora Project
Release     : 4.el6.2                       Build Date: Mon 12 Sep 2011 10:28:21 PM CEST

How reproducible:

Steps to Reproduce:

1. Install munin-node.
   Autoconfiguration finds and can read the file /selinux/avc/cache_stats
   and therefore activates the plugin on the node.

2. See that you get only "Unknown" values:

----- 8< -----
# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value U
hits.value U
misses.value U
allocations.value U
reclaims.value U
frees.value U
.
----- >8 -----


Actual results:

No values in graph.

Expected results:

I get reasonable values from the plugin
when I run it via "munin-run" on the node:

----- 8< -----
# munin-run selinux_avcstat 
lookups.value 25863367
hits.value 25837715
misses.value 25652
allocations.value 25657
reclaims.value 24624
frees.value 25156
----- >8 -----

After installing the following rule
(see the recipe by author arth in the older bug report
https://bugzilla.redhat.com/show_bug.cgi?id=581270)

--- cut here ---
module muninlocal 0.0.1;

require {
        type munin_t;
        type security_t;
        class file { getattr read open };
}

allow munin_t security_t:file { getattr read open };
--- cut here ---

Save it as muninlocal.te.

Compile and install it with:

checkmodule -M -m -o muninlocal.mod muninlocal.te
semodule_package -o muninlocal.pp -m muninlocal.mod
semodule -i muninlocal.pp

The problem is solved:

# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value 33223592
hits.value 33194702
misses.value 28890
allocations.value 28900
reclaims.value 27856
frees.value 28392
.

Please add the additional rules to munin.pp
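The rule above is exactly what the kernel would report as a sequence of AVC denials for munin_t reading a security_t file. As an added example (not part of the bug report or of the selinux-policy package), the following Python script parses constructed audit.log lines of that shape, aggregates the denied permissions per (source type, target type, class), and emits a .te module in the same layout as muninlocal.te, which is the manual equivalent of what audit2allow does. The sample log lines, PIDs and inode numbers are constructed; the types and permissions match the rule quoted above.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from the bug report): the
# denials a plugin running as munin_t would log when it stats, opens and reads
# /selinux/avc/cache_stats, which is labelled security_t. The trailing SYSCALL
# record shows that non-AVC lines are ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1319320023.101:412): avc:  denied  { getattr } for  pid=2201 comm="selinux_avcstat" path="/selinux/avc/cache_stats" dev=selinuxfs ino=22 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1319320023.102:413): avc:  denied  { read } for  pid=2201 comm="selinux_avcstat" name="cache_stats" dev=selinuxfs ino=22 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1319320023.102:414): avc:  denied  { open } for  pid=2201 comm="selinux_avcstat" path="/selinux/avc/cache_stats" dev=selinuxfs ino=22 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1319320023.102:414): arch=c000003e syscall=2 success=no exit=-13 comm="selinux_avcstat"
"""

PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) for each AVC denial.

    The type is the third colon-separated field of a context
    (user:role:type:level), so the MLS level is ignored.
    """
    for line in log_text.splitlines():
        if "avc:" not in line:
            continue
        m = PERMS_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        try:
            stype = fields["scontext"].split(":")[2]
            ttype = fields["tcontext"].split(":")[2]
            tclass = fields["tclass"]
        except (KeyError, IndexError):
            continue  # malformed record: skip rather than guess
        for perm in m.group(1).split():
            yield stype, ttype, tclass, perm


def collect_rules(log_text):
    """Aggregate denials into {(source, target, class): {permissions}}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avc_denials(log_text):
        rules[(stype, ttype, tclass)].add(perm)
    return rules


def generate_te_module(name, version, rules):
    """Render the aggregated rules as a policy module in muninlocal.te's layout."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        class_perms[tclass] |= perms
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["        type %s;" % t for t in types]
    for tclass in sorted(class_perms):
        out.append("        class %s { %s };" % (tclass, " ".join(sorted(class_perms[tclass]))))
    out += ["}", ""]
    for (stype, ttype, tclass) in sorted(rules):
        perms = " ".join(sorted(rules[(stype, ttype, tclass)]))
        out.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, perms))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Same compile/install steps as in the report apply to the generated file:
    # checkmodule -M -m -o muninlocal.mod muninlocal.te; semodule_package ...; semodule -i ...
    print(generate_te_module("muninlocal", "0.0.1", collect_rules(SAMPLE_AUDIT_LOG)), end="")
```

Running it prints a module equivalent to muninlocal.te above (permissions are emitted in sorted order). Note that this grants the whole munin_t domain read access to every security_t file under /selinux; the maintainers' later comments prefer a dedicated plugin domain via munin_plugin_template so that only the selinux_avcstat plugin gains that access.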

Comment 1 Kevin Fenzi 2011-10-25 01:33:44 UTC
This would need to be changed in the RHEL6 selinux policy. 

Moving it over there for comment.

Comment 3 Miroslav Grepl 2011-10-25 08:27:52 UTC
First, I wouldn't use telnet for this. Also, this is definitely something that we don't want to allow for munin.

If we want to allow it, it means we should probably add a new munin plugin domain.

You can test this policy

# cat mymunin.te

munin_plugin_template(admin)
permissive admin_munin_plugin_t;
selinux_get_enforce_mode(admin_munin_plugin_t)



and run

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t admin_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat

Comment 4 Daniel Walsh 2011-10-25 12:54:04 UTC
I might call this selinux rather than admin.

munin_plugin_template(selinux)
permissive selinux_munin_plugin_t;
selinux_get_enforce_mode(selinux_munin_plugin_t)


# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat


And if selinux_avcstat is part of the standard munin, I have no problem adding it.

Comment 5 Miroslav Grepl 2011-10-25 12:58:11 UTC
(In reply to comment #4)
> I might call this selinux rather than admin.
> 
> munin_plugin_template(selinux)
> permissive selinux_munin_plugin_t;
> selinux_get_enforce_mode(selinux_munin_plugin_t)
> 
> 
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mymunin.pp
> # chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat
> 
> 
> And if selinux_avcstat is part of the standard munin, I have no problem adding
> it.

Yes, it is.

Comment 6 Gabriele Pohl 2011-10-26 07:30:26 UTC
(In reply to comment #3)
> First I wouldn't use telnet for this. 

What will you use instead to debug the missing values in munin graphs?
Using telnet is the recommended method described in Munin's documentation wiki.
Please also add a recipe for your better way there:
http://munin-monitoring.org/wiki/Debugging_Munin_plugins

Comment 7 Miroslav Grepl 2011-10-26 08:04:50 UTC
Oops, I missed that this is on your localhost.

I thought munin logs its own events.

Comment 10 Miroslav Grepl 2012-01-26 09:00:38 UTC
fixed in selinux-policy-3.7.19-136.el6

Comment 14 errata-xmlrpc 2012-06-20 12:28:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

