Description of problem: munin_stats plugin no longer works after upgrade to 6.3 Version-Release number of selected component (if applicable): munin-node-1.4.7-5.el6.noarch selinux-policy-targeted-3.7.19-155.el6_3.noarch Additional info: On a running system the problem could be fixed as follows: 1. Change the context of the plugin executable: # semanage fcontext -a \ > -t munin_system_plugin_exec_t '/usr/share/munin/plugins/munin_.*' Note: Actually this should replace a meaningless rule for '/usr/share/munin/plugins/munin_*' in the current targeted policy. # restorecon -Rv /usr/share/munin 2. Add the following rules to a local policy: type munin_system_plugin_t; type munin_log_t; type var_log_t; allow munin_system_plugin_t var_log_t:dir search; allow munin_system_plugin_t munin_log_t:dir search; allow munin_system_plugin_t munin_log_t:file { read open };
This looks like it may be a policy issue in el6, moving to there for comment.
Yes, we need to backport it from Fedora.
Fixed in selinux-policy-3.7.19-159.el6
Here is another AVC. I just let munin daemon run and I discovered this during some non-related tests: selinux-policy-3.7.19-162.el6.noarch munin-1.4.7-5.el6.noarch munin-node-1.4.7-5.el6.noarch munin-common-1.4.7-5.el6.noarch ---- time->Mon Sep 24 15:55:03 2012 type=PATH msg=audit(1348494903.742:2273): item=0 name="/var/lib/munin/plugin-state/munin_stats-127.0.0.1" inode=278001 dev=fd:00 mode=0100664 ouid=99 ogid=491 rdev=00:00 obj=unconfined_u:object_r:munin_plugin_state_t:s0 type=CWD msg=audit(1348494903.742:2273): cwd="/" type=SYSCALL msg=audit(1348494903.742:2273): arch=c000003e syscall=2 success=yes exit=3 a0=e56a50 a1=241 a2=1b6 a3=7f1d58f21be0 items=1 ppid=31621 pid=31795 auid=0 uid=99 gid=491 euid=99 suid=99 fsuid=99 egid=491 sgid=491 fsgid=491 tty=(none) ses=8 comm="munin_stats" exe="/usr/bin/perl" subj=unconfined_u:system_r:munin_t:s0 key=(null) type=AVC msg=audit(1348494903.742:2273): avc: denied { write } for pid=31795 comm="munin_stats" name="munin_stats-127.0.0.1" dev=dm-0 ino=278001 scontext=unconfined_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:munin_plugin_state_t:s0 tclass=file
Fixed in selinux-policy-3.7.19-182.el6 # sesearch -A -s munin_t -t munin_t -c capability -p kill Found 1 semantic av rules: allow munin_t munin_t : capability { chown dac_override kill setgid setuid sys_rawio } ;
And what about the rule from Comment 7? allow munin_system_plugin_t munin_log_t:dir search;
Should be also fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html