Description of problem:
Some munin plugins try to communicate with nscd without proper selinux policies. This results in flooding of /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
Name        : munin-node
Arch        : noarch
Version     : 1.4.6
Release     : 4.el6.2
Size        : 1.1 M
Repo        : installed
From repo   : epel

How reproducible:

Steps to Reproduce:
1. Install munin-node
2. Use plugins postfix_mailqueue or http_loadtime, probably others
3. Observe /var/log/audit/audit.log

Actual results:

Expected results:

Additional info:
audit2allow outputs:

#============= munin_disk_plugin_t ==============
allow munin_disk_plugin_t nscd_t:nscd shmempwd;
allow munin_disk_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_disk_plugin_t nscd_var_run_t:file read;
allow munin_disk_plugin_t nscd_var_run_t:sock_file write;

#============= munin_mail_plugin_t ==============
allow munin_mail_plugin_t nscd_t:nscd shmempwd;
allow munin_mail_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_mail_plugin_t nscd_var_run_t:file read;
allow munin_mail_plugin_t nscd_var_run_t:sock_file write;

#============= munin_services_plugin_t ==============
allow munin_services_plugin_t nscd_t:nscd { shmempwd shmemhost shmemserv gethost };
allow munin_services_plugin_t nscd_t:unix_stream_socket connectto;
allow munin_services_plugin_t nscd_var_run_t:file read;
allow munin_services_plugin_t nscd_var_run_t:sock_file write;
Created attachment 542530: Output to audit.log
Moving to selinux-policy for comment.
Paavo, do you know which plugins cause AVC msgs for the munin_disk_plugin_t domain?
I think it is diskstats plugin. Could be also df or df_inode. Also, perhaps unrelated to this, I think /var/lib/munin/plugin-state might have wrong permissions. Some plugins are running as nobody with group munin, and then can't create files there. I solved this with chmod 775.
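Added example, not part of the bug report: each AVC record carries a comm field naming the denied process, so grouping records by source domain shows which plugins run in each munin_*_plugin_t domain and which allow rules they would need. The log lines are constructed in the audit.log AVC format (not taken from the attachment), and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample records (pids, serials and comm values are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1321900000.101:501): avc:  denied  { connectto } for  pid=2101 comm="postfix_mailque" path="/var/run/nscd/socket" scontext=system_u:system_r:munin_mail_plugin_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1321900000.102:502): avc:  denied  { write } for  pid=2101 comm="postfix_mailque" name="socket" dev=dm-0 ino=1234 scontext=system_u:system_r:munin_mail_plugin_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1321900300.201:640): avc:  denied  { shmemhost } for  pid=2250 comm="http_loadtime" scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=nscd
type=AVC msg=audit(1321900300.202:641): avc:  denied  { gethost } for  pid=2250 comm="http_loadtime" scontext=system_u:system_r:munin_services_plugin_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=nscd
type=AVC msg=audit(1321900600.301:702): avc:  denied  { connectto } for  pid=2399 comm="diskstats" path="/var/run/nscd/socket" scontext=system_u:system_r:munin_disk_plugin_t:s0 tcontext=system_u:system_r:nscd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1321900600.301:702): arch=c000003e syscall=42 success=no exit=-13 comm="diskstats"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    # A context is user:role:type:level; the policy rule is written on the type.
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by source domain: plugin names, count, needed perms."""
    domains = defaultdict(
        lambda: {"comms": set(), "rules": defaultdict(set), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types are not denials
        entry = domains[selinux_type(m["scon"])]
        entry["count"] += 1
        entry["comms"].add(m["comm"])  # the kernel truncates comm to 15 chars
        key = (selinux_type(m["tcon"]), m["tclass"])
        entry["rules"][key].update(m["perms"].split())
    return domains

def render(domains):
    """Format the summary as audit2allow-style rules, one block per domain."""
    out = []
    for dom in sorted(domains):
        e = domains[dom]
        out.append(f"# {dom}: {e['count']} denials from {', '.join(sorted(e['comms']))}")
        for (ttype, tclass), perms in sorted(e["rules"].items()):
            p = sorted(perms)
            perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            out.append(f"allow {dom} {ttype}:{tclass} {perm_str};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Because comm is truncated, postfix_mailqueue shows up as postfix_mailque; match plugin names by prefix when mapping records back to files in the plugins directory.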
Fixed in selinux-policy-3.7.19-136.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0780.html