Description of problem: This happened after I started accessing munin via httpd. SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory munin. ***** Plugin catchall (100. confidence) suggests *************************** If sie denken, dass httpd standardmässig erlaubt sein sollte, search Zugriff auf munin directory zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # grep httpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:munin_etc_t:s0 Target Objects munin [ dir ] Source httpd Source Path /usr/sbin/httpd Port <Unbekannt> Host (removed) Source RPM Packages httpd-2.2.22-4.fc17.x86_64 Target RPM Packages Policy RPM selinux-policy-3.10.0-161.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.6.9-2.fc17.x86_64 #1 SMP Tue Dec 4 13:26:04 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen 2012-12-13 08:59:06 CET Last Seen 2012-12-13 08:59:06 CET Local ID 13679204-a5dd-4f80-a011-0535536e6e6f Raw Audit Messages type=AVC msg=audit(1355385546.25:3856): avc: denied { search } for pid=30099 comm="httpd" name="munin" dev="dm-2" ino=799418 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=dir type=SYSCALL msg=audit(1355385546.25:3856): arch=x86_64 syscall=open success=no exit=EACCES a0=7f0ccffa4408 a1=80000 a2=1b6 a3=0 items=0 ppid=30098 pid=30099 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) Hash: httpd,httpd_t,munin_etc_t,dir,search audit2allow #============= httpd_t ============== allow httpd_t munin_etc_t:dir search; audit2allow -R #============= httpd_t ============== allow httpd_t munin_etc_t:dir search; Additional info: hashmarkername: setroubleshoot kernel: 3.6.9-2.fc17.x86_64 type: libreport
Is there a php munin script?
(In reply to comment #1) > Is there a php munin script? There is a cgi written in perl, but I believe it was not installed at the time of the denial message.
Here are some additional AVCs that I see: time->Thu Jan 10 18:05:02 2013 type=SYSCALL msg=audit(1357837502.195:12105): arch=c000003e syscall=4 success=no exit=-13 a0=15a2b90 a1=11e3138 a2=11e3138 a3=20 items=0 ppid=4716 pid=19740 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="munin-cgi-html" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(1357837502.195:12105): avc: denied { search } for pid=19740 comm="munin-cgi-html" name="munin" dev="dm-1" ino=799418 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=dir ---- time->Thu Jan 10 18:05:02 2013 type=SYSCALL msg=audit(1357837502.195:12106): arch=c000003e syscall=4 success=no exit=-13 a0=15a2b90 a1=11e3138 a2=11e3138 a3=20 items=0 ppid=4716 pid=19740 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="munin-cgi-html" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(1357837502.195:12106): avc: denied { search } for pid=19740 comm="munin-cgi-html" name="munin" dev="dm-1" ino=799418 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=dir ---- time->Thu Jan 10 18:05:02 2013 type=SYSCALL msg=audit(1357837502.195:12107): arch=c000003e syscall=4 success=no exit=-13 a0=15a2b90 a1=11e3138 a2=11e3138 a3=0 items=0 ppid=4716 pid=19740 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="munin-cgi-html" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(1357837502.195:12107): avc: denied { search } for pid=19740 comm="munin-cgi-html" name="munin" dev="dm-1" ino=676520 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
Could you test it in permissive to see more AVC msgs?
Created attachment 677260 [details] a collection of several avcs Here are maybe several more. These are created in permissive mode, but the cgi support of munin is not working here, because it seems to be broken in the fedora package. Is there some easy way to keep track of which avcs are new and which have been reported already? I thought the sealert applet did this, but I cannot find any trace of this currently. I created the list with: ausearch -m avc -ts recent But better tools to properly manage avcs (especially the ones from munin, as they appear every 10 minutes) would be very welcome.
Thank you for testing. Added a fix. commit 17f1c551fd1af3b98a5df03347c562e21948287e Author: Miroslav Grepl <mgrepl> Date: Mon Jan 14 11:41:45 2013 +0100 Allow httpd_t to read munin conf files commit 8f6c5cc2bf10358a051672dedf2113847d1886d2 Author: Miroslav Grepl <mgrepl> Date: Mon Jan 14 11:41:13 2013 +0100 Add additional labeling for munin cgi scripts
selinux-policy-3.10.0-167.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-167.fc17
Package selinux-policy-3.10.0-167.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-167.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-1971/selinux-policy-3.10.0-167.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-167.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.