Bug 748190 - Missing SELinux rules block use of Munin's plugin selinux_avcstat
Summary: Missing SELinux rules block use of Munin's plugin selinux_avcstat
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 6.3
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 748737
Reported: 2011-10-22 21:47 UTC by Gabriele Pohl
Modified: 2014-09-30 23:33 UTC
CC: 7 users

Fixed In Version: selinux-policy-3.7.19-1365.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 748737
Environment:
Last Closed: 2012-06-20 12:28:09 UTC
Target Upstream Version:


Links:
Red Hat Product Errata RHBA-2012:0780 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update; last updated 2012-06-19 20:34:59 UTC

Description Gabriele Pohl 2011-10-22 21:47:23 UTC
Description of problem:

I get "Unknown" values from the plugin selinux_avcstat when fetching the values from munin-node via telnet.

Version-Release number of selected component (if applicable):

Name        : munin-node                   Relocations: (not relocatable)
Version     : 1.4.6                             Vendor: Fedora Project
Release     : 4.el6.2                       Build Date: Mon 12 Sep 2011 10:28:21 PM CEST

How reproducible:

Steps to Reproduce:

1. Install munin-node.
   Autoconfiguration finds and can read the file /selinux/avc/cache_stats
   and therefore activates the plugin on the node.

2. See that you get only "Unknown" values:

----- 8< -----
# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value U
hits.value U
misses.value U
allocations.value U
reclaims.value U
frees.value U
.
----- >8 -----


Actual results:

No values in graph.

Expected results:

I got reasonable values from the plugin
when I ran it via "munin-run" on the node:

----- 8< -----
# munin-run selinux_avcstat 
lookups.value 25863367
hits.value 25837715
misses.value 25652
allocations.value 25657
reclaims.value 24624
frees.value 25156
----- >8 -----

After installing the following rule
(see the recipe by arth in the older bug report
https://bugzilla.redhat.com/show_bug.cgi?id=581270):

--- cut here ---
module muninlocal 0.0.1;

require {
        type munin_t;
        type security_t;
        class file { getattr read open };
}

allow munin_t security_t:file { getattr read open };
--- cut here ---

Save as muninlocal.te

Compile and install with:

checkmodule -M -m -o muninlocal.mod muninlocal.te
semodule_package -o muninlocal.pp -m muninlocal.mod
semodule -i muninlocal.pp

the problem is solved:

# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value 33223592
hits.value 33194702
misses.value 28890
allocations.value 28900
reclaims.value 27856
frees.value 28392
.

Please add the additional rules to munin.pp

Comment 1 Kevin Fenzi 2011-10-25 01:33:44 UTC
This would need to be changed in the RHEL6 selinux policy. 

Moving it over there for comment.

Comment 3 Miroslav Grepl 2011-10-25 08:27:52 UTC
First, I wouldn't use telnet for this. Also, this is definitely something that we don't want to allow for munin.

If we want to allow it, it means we should probably add a new munin plugin domain.

You can test this policy:

# cat mymunin.te

munin_plugin_template(admin)
permissive admin_munin_plugin_t;
selinux_get_enforce_mode(admin_munin_plugin_t)

and run:

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t admin_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat

Comment 4 Daniel Walsh 2011-10-25 12:54:04 UTC
I might call this selinux rather than admin.

munin_plugin_template(selinux)
permissive selinux_munin_plugin_t;
selinux_get_enforce_mode(selinux_munin_plugin_t)

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mymunin.pp
# chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat

And if selinux_avcstat is part of the standard munin, I have no problem adding it.
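As an added example (not code from the bug report, from the commenters, or from the RHEL 6 policy), the script below collects the two approaches discussed in this thread: the reporter's local module built with checkmodule/semodule_package/semodule, and the dedicated plugin domain from comments 3 and 4 built with the reference-policy devel Makefile, together with a check that counts "U" fields in a saved munin-node fetch response so the symptom can be spotted without reading graphs. The policy_module() header on the plugin-domain module, the file and directory names, the dispatch at the bottom and the sample fetch output are my assumptions.

```shell
#!/bin/sh
# Added example; not part of the bug report or of the RHEL 6 selinux-policy.
# Assumptions: module file names, the policy_module() header, the temp
# directory handling and the constructed sample output are mine.

# Write the reporter's local module: allow munin_t to read selinuxfs files
# labelled security_t, which is what /selinux/avc/cache_stats is.
write_local_module() {
    cat > "$1/muninlocal.te" <<'EOF'
module muninlocal 0.0.1;

require {
        type munin_t;
        type security_t;
        class file { getattr read open };
}

allow munin_t security_t:file { getattr read open };
EOF
}

# Compile and load it with the tool chain from the report (run as root;
# needs checkmodule, semodule_package and semodule). Runs in a subshell so
# the caller's working directory is untouched.
build_local_module() {
    ( cd "$1" &&
      checkmodule -M -m -o muninlocal.mod muninlocal.te &&
      semodule_package -o muninlocal.pp -m muninlocal.mod &&
      semodule -i muninlocal.pp )
}

# Write the plugin-domain module from comments 3 and 4: a dedicated
# selinux_munin_plugin_t domain that may read the enforce mode, loaded
# permissive first so denials are only logged while the policy is tested.
# The policy_module() line is my addition; the devel Makefile expects it.
write_plugin_domain_module() {
    cat > "$1/mymunin.te" <<'EOF'
policy_module(mymunin, 1.0)

munin_plugin_template(selinux)
permissive selinux_munin_plugin_t;
selinux_get_enforce_mode(selinux_munin_plugin_t)
EOF
}

# Build with the devel Makefile (package selinux-policy-devel), load the
# module and relabel the plugin so munin-node transitions into the domain.
build_plugin_domain_module() {
    ( cd "$1" &&
      make -f /usr/share/selinux/devel/Makefile &&
      semodule -i mymunin.pp &&
      chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat )
}

# Count "<field>.value U" lines in a munin-node fetch response read from
# stdin. A non-zero count while "munin-run <plugin>" prints numbers is the
# signature of this bug: the plugin works in the admin's context but not
# in munin_t. awk always exits 0, so this is safe under "set -e".
count_unknown_values() {
    awk '/\.value[ \t]+U[ \t]*$/ { n++ } END { print n + 0 }'
}

# Show AVC denials for the munin domain from the audit log, the evidence a
# policy change should be based on (read-only; needs access to the log).
show_munin_avc_denials() {
    grep 'avc: *denied' "${1:-/var/log/audit/audit.log}" | grep 'munin_t'
}

# Constructed sample of a broken fetch, modelled on the report's session.
SAMPLE_BROKEN_FETCH='# munin node at localhost
lookups.value U
hits.value U
misses.value U
allocations.value U
reclaims.value U
frees.value U
.'

# Usage (as root): sh munin_selinux.sh local    build and load muninlocal.pp
#                  sh munin_selinux.sh plugin   build and load mymunin.pp
#                  sh munin_selinux.sh check < fetch.log   count "U" fields
# Without an argument the script only defines the functions above.
case "${1:-}" in
    local)  d=$(mktemp -d); write_local_module "$d"; build_local_module "$d" ;;
    plugin) d=$(mktemp -d); write_plugin_domain_module "$d"; build_plugin_domain_module "$d" ;;
    check)  count_unknown_values ;;
    *)      : ;;
esac
```

To use the check against a live node, save the telnet session shown in the report to a file and run `sh munin_selinux.sh check < fetch.log`; a result equal to the number of fields means every value came back as "U", and the audit log, not a broader allow rule, should then decide which access the policy is missing.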

Comment 5 Miroslav Grepl 2011-10-25 12:58:11 UTC
(In reply to comment #4)
> I might call this selinux rather then admin.
> 
> munin_plugin_template(selinux)
> permissive selinux_munin_plugin_t;
> selinux_get_enforce_mode(selinux_munin_plugin_t)
> 
> 
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mymunin.pp
> # chcon -t selinux_munin_plugin_exec_t /usr/share/munin/plugins/selinux_avcstat
> 
> 
> And if selinux_avcstat is part of the standard munin, I have no problem adding
> it.

Yes, it is.

Comment 6 Gabriele Pohl 2011-10-26 07:30:26 UTC
(In reply to comment #3)
> First I wouldn't use telnet for this. 

What will you use instead to debug the missing values in munin graphs?
Using telnet is the recommended method described in Munin's documentation wiki.
Please add a recipe of your better way also there:
http://munin-monitoring.org/wiki/Debugging_Munin_plugins

Comment 7 Miroslav Grepl 2011-10-26 08:04:50 UTC
Oops, I missed that this is on your localhost.

I thought munin logs its own events.

Comment 10 Miroslav Grepl 2012-01-26 09:00:38 UTC
fixed in selinux-policy-3.7.19-136.el6

Comment 14 errata-xmlrpc 2012-06-20 12:28:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

