Bug 761495 - Some munin plugins lack proper SELinux policies
Summary: Some munin plugins lack proper SELinux policies
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
unspecified
low
Target Milestone: rc
: 6.3
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-12-08 12:57 UTC by Paavo Pokkinen
Modified: 2014-09-30 23:33 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.7.19-136.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:29:36 UTC
Target Upstream Version:

Attachments (Terms of Use)
Output to audit.log (3.44 KB, text/plain)
2011-12-08 13:07 UTC, Paavo Pokkinen 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0780 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-06-19 20:34:59 UTC

Description Paavo Pokkinen 2011-12-08 12:57:22 UTC 
Description of problem:

Some munin plugins try to communicate with nscd without proper selinux policies. This results flooding of /var/log/audit/audit.log

Version-Release number of selected component (if applicable):

Name       : munin-node
Arch       : noarch
Version    : 1.4.6
Release    : 4.el6.2
Size       : 1.1 M
Repo       : installed
From repo  : epel

How reproducible:


Steps to Reproduce:
1. Install munin-node
2. Use plugins postfix_mailqueue or http_loadtime, probably others
3. Observe /var/log/audit/audit.log
  
Actual results:


Expected results:


Additional info:

audit2allow outputs:

#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t nscd_t:nscd shmempwd;
allow munin_disk_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_disk_plugin_t nscd_var_run_t:file read;
allow munin_disk_plugin_t nscd_var_run_t:sock_file write;

#============= munin_mail_plugin_t ==============
allow munin_mail_plugin_t nscd_t:nscd shmempwd;
allow munin_mail_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_mail_plugin_t nscd_var_run_t:file read;
allow munin_mail_plugin_t nscd_var_run_t:sock_file write;

#============= munin_services_plugin_t ==============
allow munin_services_plugin_t nscd_t:nscd { shmempwd shmemhost shmemserv gethost };
allow munin_services_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_services_plugin_t nscd_var_run_t:file read;
allow munin_services_plugin_t nscd_var_run_t:sock_file write;
Comment 1 Paavo Pokkinen 2011-12-08 13:07:14 UTC 
Created attachment 542530 [details]
Output to audit.log
Comment 2 Kevin Fenzi 2011-12-08 18:21:09 UTC 
Moving to selinux-policy for comment.
Comment 4 Miroslav Grepl 2011-12-09 13:00:00 UTC 
Paavo,
do you know which plugins causes AVC msgs for munin_disk_plugin_t domain?
Comment 5 Paavo Pokkinen 2011-12-09 19:37:28 UTC 
I think it is diskstats plugin. Could be also df or df_inode.

Also, perhaps unrelated to this, I think /var/lib/munin/plugin-state might have wrong permissions. Some plugins are running as nobody with group munin, and then can't create files there. I solved this with chmod 775.
Comment 6 Miroslav Grepl 2012-01-26 09:43:09 UTC 
Fixed in selinux-policy-3.7.19-136.el6
Comment 13 errata-xmlrpc 2012-06-20 12:29:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
Note You need to log in before you can comment on or make changes to this bug.