Description of problem:
After I installed munin and got it to run, the error happens.

Additional info:
libreport version: 2.0.18
kernel: 3.6.9-2.fc17.x86_64

description:
:SELinux is preventing /usr/sbin/postconf from 'create' accesses on the tcp_socket .
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If sie denken, dass postconf standardmässig erlaubt sein sollte, create Zugriff auf tcp_socket zu erhalten.
:Then sie sollten dies als Fehler melden.
:Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
:Do
:zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
:# grep postconf /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:mail_munin_plugin_t:s0
:Target Context system_u:system_r:mail_munin_plugin_t:s0
:Target Objects [ tcp_socket ]
:Source postconf
:Source Path /usr/sbin/postconf
:Port <Unbekannt>
:Host (removed)
:Source RPM Packages postfix-2.9.4-3.fc17.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.6.9-2.fc17.x86_64 #1 SMP Tue Dec
: 4 13:26:04 UTC 2012 x86_64 x86_64
:Alert Count 173
:First Seen 2012-12-12 16:42:07 CET
:Last Seen 2012-12-12 23:45:11 CET
:Local ID 93c735d0-8c75-4ec1-b24b-287bda7765f3
:
:Raw Audit Messages
:type=AVC msg=audit(1355352311.313:3709): avc: denied { create } for pid=20538 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1355352311.313:3709): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=1 a2=0 a3=15 items=0 ppid=20537 pid=20538 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm=postconf exe=/usr/sbin/postconf subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
:
:Hash: postconf,mail_munin_plugin_t,mail_munin_plugin_t,tcp_socket,create
:
:audit2allow
:
:#============= mail_munin_plugin_t ==============
:allow mail_munin_plugin_t self:tcp_socket create;
:
:audit2allow -R
:
:#============= mail_munin_plugin_t ==============
:allow mail_munin_plugin_t self:tcp_socket create;
:
Created attachment 662671 File: type
Created attachment 662672 File: hashmarkername
It happens with munin monitoring. Package: (null) OS Release: Fedora release 17 (Beefy Miracle)
It happens if munin-node is used. Package: (null) OS Release: Fedora release 17 (Beefy Miracle)
Till,
could you execute

# semanage permissive -a mail_munin_plugin_t

and re-test to collect all AVC msgs. Thank you. Then execute

# semanage permissive -d mail_munin_plugin_t
Is there an easy way to get the list of all AVC messages that have not yet been reported?

(In reply to comment #5)
> Till,
> could you execute
>
> # semanage permissive -a mail_munin_plugin_t
>
> and re-test to collect all AVC msgs. Thank you.

----
time->Wed Jan 2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.616:9084): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=15 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.616:9084): avc: denied { create } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
----
time->Wed Jan 2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.617:9085): arch=c000003e syscall=2 success=yes exit=3 a0=7ff0fe1cf36e a1=80000 a2=1b6 a3=238 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.617:9085): avc: denied { open } for pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.617:9085): avc: denied { read } for pid=16887 comm="postconf" name="resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan 2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.617:9086): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff093a8f90 a2=7fff093a8f90 a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.617:9086): avc: denied { getattr } for pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan 2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9087): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=0 a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9087): avc: denied { create } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan 2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9088): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fff093ab820 a2=c a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9088): avc: denied { bind } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan 2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9089): arch=c000003e syscall=51 success=yes exit=0 a0=3 a1=7fff093ab820 a2=7fff093ab81c a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9089): avc: denied { getattr } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan 2 17:52:30 2013
type=SYSCALL msg=audit(1357145550.618:9090): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fff093ab7a0 a2=14 a3=0 items=0 ppid=16886 pid=16887 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145550.618:9090): avc: denied { nlmsg_read } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
Here are some more:

time->Wed Jan 2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.350:9096): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=0 a3=15 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.350:9096): avc: denied { create } for pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
----
time->Wed Jan 2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.368:9097): arch=c000003e syscall=2 success=yes exit=3 a0=7fb2a73e036e a1=80000 a2=1b6 a3=238 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.368:9097): avc: denied { open } for pid=17614 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145747.368:9097): avc: denied { read } for pid=17614 comm="postconf" name="resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan 2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.368:9098): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff74ba6670 a2=7fff74ba6670 a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.368:9098): avc: denied { getattr } for pid=17614 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
time->Wed Jan 2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.369:9099): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=0 a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.369:9099): avc: denied { create } for pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan 2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.371:9100): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7fff74ba8f00 a2=c a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.371:9100): avc: denied { bind } for pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan 2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.371:9101): arch=c000003e syscall=51 success=yes exit=0 a0=3 a1=7fff74ba8f00 a2=7fff74ba8efc a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.371:9101): avc: denied { getattr } for pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan 2 17:55:47 2013
type=SYSCALL msg=audit(1357145747.371:9102): arch=c000003e syscall=44 success=yes exit=20 a0=3 a1=7fff74ba8e80 a2=14 a3=0 items=0 ppid=17613 pid=17614 auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="postconf" exe="/usr/sbin/postconf" subj=system_u:system_r:mail_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145747.371:9102): avc: denied { nlmsg_read } for pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
----
time->Wed Jan 2 17:55:51 2013
type=SYSCALL msg=audit(1357145751.362:9104): arch=c000003e syscall=4 success=no exit=-13 a0=1d28ec0 a1=7fffeebb9990 a2=7fffeebb9990 a3=b items=0 ppid=17800 pid=17801 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="sntp.sh" exe="/usr/bin/bash" subj=system_u:system_r:services_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145751.362:9104): avc: denied { getattr } for pid=17801 comm="sntp.sh" path="/usr/sbin/sntp" dev="dm-1" ino=195911 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
----
time->Wed Jan 2 17:55:51 2013
type=SYSCALL msg=audit(1357145751.361:9103): arch=c000003e syscall=4 success=no exit=-13 a0=1d28ec0 a1=7fffeebb9990 a2=7fffeebb9990 a3=f items=0 ppid=17800 pid=17801 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm="sntp.sh" exe="/usr/bin/bash" subj=system_u:system_r:services_munin_plugin_t:s0 key=(null)
type=AVC msg=audit(1357145751.361:9103): avc: denied { getattr } for pid=17801 comm="sntp.sh" path="/usr/sbin/sntp" dev="dm-1" ino=195911 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
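Added example (not part of the original report, and not code from Fedora or audit2allow): one way to collapse AVC records like the ones collected above into a deduplicated list of denied accesses, so repeated runs of the same plugin do not have to be read record by record. The names `summarize`, `to_rules` and `SAMPLE` are hypothetical, and the sample is a constructed subset of the records in this report.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

# Constructed sample: a subset of AVC records shaped like the ones in this report.
# The second line repeats the first denial under a different pid.
SAMPLE = """\
type=AVC msg=audit(1357145550.616:9084): avc: denied { create } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357145747.350:9096): avc: denied { create } for pid=17614 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357145550.617:9085): avc: denied { open } for pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.617:9085): avc: denied { read } for pid=16887 comm="postconf" name="resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.617:9086): avc: denied { getattr } for pid=16887 comm="postconf" path="/etc/resolv.conf" dev="dm-1" ino=134704 scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1357145550.618:9087): avc: denied { create } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1357145550.618:9090): avc: denied { nlmsg_read } for pid=16887 comm="postconf" scontext=system_u:system_r:mail_munin_plugin_t:s0 tcontext=system_u:system_r:mail_munin_plugin_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1357145751.362:9104): avc: denied { getattr } for pid=17801 comm="sntp.sh" path="/usr/sbin/sntp" dev="dm-1" ino=195911 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:ntpdate_exec_t:s0 tclass=file
"""

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, time stamps and separators
        perms, scontext, tcontext, tclass = m.groups()
        # A context is user:role:type:level; the type is the third field.
        stype, ttype = scontext.split(":")[2], tcontext.split(":")[2]
        denials[(stype, ttype, tclass)].update(perms.split())
    return denials

def to_rules(denials):
    """Render the summary in the allow-rule form shown in the report above."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if stype == ttype else ttype
        ps = sorted(perms)
        perm_text = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(to_rules(summarize(SAMPLE))))
```

On a live system the input would come from the audit log (for example the output of `ausearch -m avc`) rather than an embedded string. The resulting list is a review aid for deciding what the policy should permit, not a policy module to load as-is.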
Thank you for testing. I added fixes.
selinux-policy-3.10.0-166.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.