Bug 799266 - Munin plugins unable to save state
Munin plugins unable to save state
Status: CLOSED DUPLICATE of bug 786597
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.2
x86_64 Linux
low Severity low
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On: 652936
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-02 05:24 EST by Sander Hoentjen
Modified: 2012-03-02 10:00 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 652936
Environment:
Last Closed: 2012-03-02 10:00:21 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sander Hoentjen 2012-03-02 05:24:48 EST
+++ This bug was initially created as a clone of Bug #652936 +++

Description of problem:

Various munin plugins (diskstats, smart_) are unable to save state files in /var/lib/munin/plugin-state/.  This appears to be a SELinux issue.

Version-Release number of selected component (if applicable):

munin-node-1.4.6-4.el6.2.noarch
selinux-policy-3.7.19-126.el6_2.9.noarch

How reproducible: Always

Steps to Reproduce:
1. Fresh RHEL6.2 install w/ latest munin-node from EPEL and selinux
2. ln -s /usr/share/munin/plugins/diskstats /etc/munin/plugins
3. service start munin-node
4. echo "fetch diskstats" | nc localhost 4949
  
Actual results:

# munin node at localhost.localdomain
# Bad exit
.
 in /var/log/munin/munin.log:

2010/11/13-10:59:17 [10753] Error output from diskstats:
2010/11/13-10:59:17 [10753] 	diskstats: Could not open statefile '/var/lib/munin/plugin-state/diskstats-127.0.0.1' for writing: Permission denied
2010/11/13-10:59:17 [10753] Service 'diskstats' exited with status 13/0.

Expected results:


Additional info:

This appears to be an issue with SELinux denying search access to /var/lib.  There are no messages generated in the audit.log by default.  Disabling SELinux (setenforce 0) allows the plugins to work, also switching the plugins to save state in /tmp will allow them to work as well.  Enabling full AVC error logging (semodule -DB) finally showed the following:

type=AVC msg=audit(1289588177.500:30525): avc:  denied  { search } for  pid=19764 comm="diskstats" name="lib" dev=dm-0 ino=1835010 scontext=unconfined_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1289588177.500:30525): arch=c000003e syscall=2 success=no exit=-13 a0=1181930 a1=241 a2=1b6 a3=7fd5943ff3e0 items=0 ppid=19763 pid=19764 auid=500 uid=489 gid=484 euid=489 suid=489 fsuid=489 egid=484 sgid=484 fsgid=484 tty=(none) ses=1 comm="diskstats" exe="/usr/bin/perl" subj=unconfined_u:system_r:disk_munin_plugin_t:s0 key=(null)

--- Additional comment from kevin@scrye.com on 2010-11-13 16:58:43 EST ---

Moving over to selinux policy for comment from them.

--- Additional comment from mgrepl@redhat.com on 2010-11-15 06:04:11 EST ---

You can allow it for now using

# grep disk_munin_plugin_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule i mypol.pp


Fixed in selinux-policy-3.9.7-13.fc14

--- Additional comment from mike.tillberg@yahoo.com on 2010-11-15 10:57:20 EST ---

Thanks for looking at this.  I can confirm that adding the var_lib rule fixes the issue.

--- Additional comment from updates@fedoraproject.org on 2010-11-19 08:21:36 EST ---

selinux-policy-3.9.7-12.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14

--- Additional comment from updates@fedoraproject.org on 2010-11-19 17:39:51 EST ---

selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14

--- Additional comment from mike.tillberg@yahoo.com on 2010-11-20 12:10:27 EST ---

Removed the temporary policy, confirmed that the error returned.  Installed the updated selinux policy and confirmed the new policy fixes the issue.

--- Additional comment from updates@fedoraproject.org on 2010-11-21 16:58:12 EST ---

selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 2 Miroslav Grepl 2012-03-02 10:00:21 EST

*** This bug has been marked as a duplicate of bug 786597 ***

Note You need to log in before you can comment on or make changes to this bug.