Bug 861911 - unbound-munin doesn't work with SELinux enabled
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-01 10:21 UTC by Sander Hoentjen
Modified: 2013-10-24 17:22 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-10-24 17:22:40 UTC
Type: Bug


Attachments
unbound-munin.te (320 bytes, text/plain)
2012-10-02 09:50 UTC, Sander Hoentjen
unbound-munin.fc (97 bytes, text/plain)
2012-10-02 09:58 UTC, Sander Hoentjen

Description Sander Hoentjen 2012-10-01 10:21:17 UTC
Description of problem:
With SELinux in enforcing mode, the unbound-munin plugins don't work out of the box.

Version-Release number of selected component (if applicable):
1.4.16-2.el6

How reproducible:
Always

Steps to Reproduce:
1. Have SELinux in enforcing mode
2. Install unbound-munin and start munin-node
3. Try to get the unbound stats
  
Actual results:
No stats

Expected results:
stats are collected

Additional info:
To fix it, one can manually change the type of /usr/share/munin/plugins/unbound to munin_system_plugin_exec_t, and allow munin_system_plugin_exec_t to read the unbound config file:

allow munin_system_plugin_t named_conf_t:file { read ioctl open getattr };

It would be nice if either unbound-munin supplied this, or it would be included in the default policy.
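
An added example (not part of the bug report or of the attached policy files): a Python check that the allow rule quoted in the description grants exactly what a set of AVC denials asks for, no less and no more. The audit lines are constructed sample data, and the `unbound-control` process name and file paths in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from the bug report): denials assumed to be
# logged once the plugin runs as munin_system_plugin_t and reads unbound's config.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1349086877.101:411): avc:  denied  { getattr } for  pid=2301 comm="unbound-control" path="/etc/unbound/unbound.conf" dev=dm-0 ino=131 scontext=system_u:system_r:munin_system_plugin_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=AVC msg=audit(1349086877.102:412): avc:  denied  { read open } for  pid=2301 comm="unbound-control" name="unbound.conf" dev=dm-0 ino=131 scontext=system_u:system_r:munin_system_plugin_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1349086877.102:412): arch=c000003e syscall=2 success=no exit=-13 comm="unbound-control"
type=AVC msg=audit(1349086877.103:413): avc:  denied  { ioctl } for  pid=2301 comm="unbound-control" path="/etc/unbound/unbound.conf" dev=dm-0 ino=131 scontext=system_u:system_r:munin_system_plugin_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=AVC msg=audit(1349086990.500:420): avc:  denied  { read } for  pid=2400 comm="httpd" name="index.html" dev=dm-0 ino=900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# The allow rule from the description, as (source type, target type, class) -> perms.
PROPOSED = {("munin_system_plugin_t", "named_conf_t", "file"):
            {"read", "ioctl", "open", "getattr"}}

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                 r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")

def parse_denials(text, source=None):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records
        perms, scon, tcon, tclass = m.groups()
        src = scon.split(":")[2]  # context is user:role:type:level
        if source and src != source:
            continue  # denial belongs to another domain
        denials[(src, tcon.split(":")[2], tclass)].update(perms.split())
    return dict(denials)

def missing(wanted, granted):
    """Permissions present in `wanted` but absent from `granted`, per rule key."""
    gaps = {}
    for key, perms in wanted.items():
        extra = perms - granted.get(key, set())
        if extra:
            gaps[key] = extra
    return gaps

if __name__ == "__main__":
    denied = parse_denials(SAMPLE_AUDIT, source="munin_system_plugin_t")
    print("still denied under the rule:", missing(denied, PROPOSED))
    print("granted but never requested:", missing(PROPOSED, denied))
```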

Comment 1 Sander Hoentjen 2012-10-02 09:50:49 UTC
Created attachment 620201
unbound-munin.te

Comment 2 Sander Hoentjen 2012-10-02 09:58:24 UTC
Created attachment 620206
unbound-munin.fc

Comment 3 Paul Wouters 2012-10-31 17:00:58 UTC
Dan, can you update selinux-policy for this?

Comment 4 Daniel Walsh 2012-11-05 20:08:16 UTC
Miroslav, shouldn't the default label on /usr/share/munin/plugins be munin_plugin_exec_t?

Comment 5 Miroslav Grepl 2012-11-06 08:41:23 UTC
Thanks for the patch. I added it to RHEL6/F18/F17.

Basically, there should not be munin_exec_t labeling. If yes, then this is a bug. We could consider adding this new type/domain for plugins which don't have correct labeling.

