Description of problem:
Several munin plugins create AVC denials and do not work. While there is Builtin Permissive Types selinux_munin_plugin_t, the actual AVCs do have system_munin_plugin_t or services_munin_plugin_t. I am not sure how far this is the problem. The file system should be relabeled.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-167.fc17.noarch

Actual results:
[ 6989.187896] type=1400 audit(1361197804.209:454): avc: denied { read } for pid=9686 comm="uptime" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 6989.241746] type=1400 audit(1361197804.263:455): avc: denied { read } for pid=9689 comm="uptime" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7009.564660] audit_printk_skb: 6 callbacks suppressed
[ 7009.564752] type=1400 audit(1361197824.586:458): avc: denied { read } for pid=9827 comm="cpu" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7009.622423] type=1400 audit(1361197824.644:459): avc: denied { read } for pid=9828 comm="cpu" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7009.676561] type=1400 audit(1361197824.698:460): avc: denied { read } for pid=9829 comm="if_eth1" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7009.752204] type=1400 audit(1361197824.774:461): avc: denied { read } for pid=9842 comm="if_eth1" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7010.038197] type=1400 audit(1361197825.060:462): avc: denied { read } for pid=9847 comm="ping_10.101.13." name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7010.095689] type=1400 audit(1361197825.117:463): avc: denied { read } for pid=9848 comm="ping_10.101.13." name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=
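An added example, not part of the original report: a small parser that collapses AVC denials like the ones above into the unique source type, target type, class and permission combinations they represent, and skips records that are cut off. The function names are hypothetical, and the `allow` lines it prints only summarize what was denied; they are not the change made in the policy update.

```python
import re
from collections import defaultdict

# Records copied from the report above; the last one ends at "tclass=",
# exactly as the report's final record does.
SAMPLE = """\
[ 6989.187896] type=1400 audit(1361197804.209:454): avc: denied { read } for pid=9686 comm="uptime" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7009.564752] type=1400 audit(1361197824.586:458): avc: denied { read } for pid=9827 comm="cpu" name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7010.038197] type=1400 audit(1361197825.060:462): avc: denied { read } for pid=9847 comm="ping_10.101.13." name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=file
[ 7010.095689] type=1400 audit(1361197825.117:463): avc: denied { read } for pid=9848 comm="ping_10.101.13." name="plugin.sh" dev="dm-0" ino=263395 scontext=system_u:system_r:services_munin_plugin_t:s0 tcontext=system_u:object_r:unconfined_munin_plugin_exec_t:s0 tclass=
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, comm) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type:level; policy rules name the type.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return stype, ttype, tclass, m.group(1).split(), fields.get("comm", "?")


def summarize(text):
    """Collapse denials into unique rules; also report commands and skips."""
    perms, comms, skipped = defaultdict(set), defaultdict(set), 0
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            skipped += 1 if "avc:" in line else 0  # count broken AVC records
            continue
        perms[rec[:3]].update(rec[3])
        comms[rec[:3]].add(rec[4])
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(perms[(s, t, c)]))} }};"
             for s, t, c in sorted(perms)]
    return rules, {k: sorted(v) for k, v in comms.items()}, skipped


if __name__ == "__main__":
    rules, comms, skipped = summarize(SAMPLE)
    print("\n".join(rules), f"{skipped} incomplete record(s) skipped", sep="\n")
```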
If you execute
# chcon -t bin_t PATHTO/plugin.sh

ls -Z /usr/share/munin/plugins/plugin.sh
-rw-r--r--. root root system_u:object_r:unconfined_munin_plugin_exec_t:s0 /usr/share/munin/plugins/plugin.sh
With this chcon change the munin works, restorecond reverts it back to unconfined...
Yes, we need to add it to the policy.
selinux-policy-3.10.0-168.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-168.fc17
Package selinux-policy-3.10.0-168.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-168.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3466/selinux-policy-3.10.0-168.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-169.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-169.fc17
selinux-policy-3.10.0-169.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.