RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 799266 - Munin plugins unable to save state
Summary: Munin plugins unable to save state
Keywords:
Status: CLOSED DUPLICATE of bug 786597
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: x86_64
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 652936
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-03-02 10:24 UTC by Sander Hoentjen
Modified: 2012-03-02 15:00 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 652936
Environment:
Last Closed: 2012-03-02 15:00:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Sander Hoentjen 2012-03-02 10:24:48 UTC 
+++ This bug was initially created as a clone of Bug #652936 +++

Description of problem:

Various munin plugins (diskstats, smart_) are unable to save state files in /var/lib/munin/plugin-state/.  This appears to be a SELinux issue.

Version-Release number of selected component (if applicable):

munin-node-1.4.6-4.el6.2.noarch
selinux-policy-3.7.19-126.el6_2.9.noarch

How reproducible: Always

Steps to Reproduce:
1. Fresh RHEL6.2 install w/ latest munin-node from EPEL and selinux
2. ln -s /usr/share/munin/plugins/diskstats /etc/munin/plugins
3. service start munin-node
4. echo "fetch diskstats" | nc localhost 4949
  
Actual results:

# munin node at localhost.localdomain
# Bad exit
.
 in /var/log/munin/munin.log:

2010/11/13-10:59:17 [10753] Error output from diskstats:
2010/11/13-10:59:17 [10753] 	diskstats: Could not open statefile '/var/lib/munin/plugin-state/diskstats-127.0.0.1' for writing: Permission denied
2010/11/13-10:59:17 [10753] Service 'diskstats' exited with status 13/0.

Expected results:


Additional info:

This appears to be an issue with SELinux denying search access to /var/lib.  There are no messages generated in the audit.log by default.  Disabling SELinux (setenforce 0) allows the plugins to work, also switching the plugins to save state in /tmp will allow them to work as well.  Enabling full AVC error logging (semodule -DB) finally showed the following:

type=AVC msg=audit(1289588177.500:30525): avc:  denied  { search } for  pid=19764 comm="diskstats" name="lib" dev=dm-0 ino=1835010 scontext=unconfined_u:system_r:disk_munin_plugin_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1289588177.500:30525): arch=c000003e syscall=2 success=no exit=-13 a0=1181930 a1=241 a2=1b6 a3=7fd5943ff3e0 items=0 ppid=19763 pid=19764 auid=500 uid=489 gid=484 euid=489 suid=489 fsuid=489 egid=484 sgid=484 fsgid=484 tty=(none) ses=1 comm="diskstats" exe="/usr/bin/perl" subj=unconfined_u:system_r:disk_munin_plugin_t:s0 key=(null)

--- Additional comment from kevin on 2010-11-13 16:58:43 EST ---

Moving over to selinux policy for comment from them.

--- Additional comment from mgrepl on 2010-11-15 06:04:11 EST ---

You can allow it for now using

# grep disk_munin_plugin_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule i mypol.pp


Fixed in selinux-policy-3.9.7-13.fc14

--- Additional comment from mike.tillberg on 2010-11-15 10:57:20 EST ---

Thanks for looking at this.  I can confirm that adding the var_lib rule fixes the issue.

--- Additional comment from updates on 2010-11-19 08:21:36 EST ---

selinux-policy-3.9.7-12.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14

--- Additional comment from updates on 2010-11-19 17:39:51 EST ---

selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14

--- Additional comment from mike.tillberg on 2010-11-20 12:10:27 EST ---

Removed the temporary policy, confirmed that the error returned.  Installed the updated selinux policy and confirmed the new policy fixes the issue.

--- Additional comment from updates on 2010-11-21 16:58:12 EST ---

selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 2 Miroslav Grepl 2012-03-02 15:00:21 UTC 

*** This bug has been marked as a duplicate of bug 786597 ***
Note You need to log in before you can comment on or make changes to this bug.