Description of problem: I had installed munin on my Fedora 18. I got this SELinux alert. Munin doesn't work.

SELinux is preventing /usr/bin/perl from using the 'execmem' accesses on a process.

***** Plugin catchall (100. confidence) suggests ***************************

If perl should have execmem access to processes labeled munin_t by default.
Then please report this as a bug.
You can create a local policy module to allow this access.
Do: you can temporarily allow this access by running the commands:
# grep munin-update /var/log/audit/audit.log | audit2allow -M mojapolityka
# semodule -i mojapolityka.pp

Additional Information:
Source Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Context                system_u:system_r:munin_t:s0-s0:c0.c1023
Target Objects                [ process ]
Source                        munin-update
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.16.2-238.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-79.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.8-202.fc18.x86_64 #1 SMP Fri Feb 15 17:33:07 UTC 2013 x86_64 x86_64
Alert Count                   81
First Seen                    2013-02-20 02:10:11 CET
Last Seen                     2013-02-20 22:20:01 CET
Local ID                      545e8488-cbf1-4b98-855d-f4afb8a29172

Raw Audit Messages
type=AVC msg=audit(1361395201.535:355): avc: denied { execmem } for pid=13369 comm="munin-update" scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tcontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1361395201.535:355): arch=x86_64 syscall=mmap success=no exit=EACCES a0=321c8ca000 a1=3d000 a2=7 a3=812 items=0 ppid=13368 pid=13369 auid=990 uid=990 gid=987 euid=990 suid=990 fsuid=990 egid=987 sgid=987 fsgid=987 ses=28 tty=(none) comm=munin-update exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)

Hash: munin-update,munin_t,munin_t,process,execmem

audit2allow

#============= munin_t ==============
allow munin_t self:process execmem;

audit2allow -R

#============= munin_t ==============
allow munin_t self:process execmem;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.8-202.fc18.x86_64
type:           libreport
Why does the munin-update want execmem?
I don't know. I only want munin and munin-node to just work on my localhost machine.
Do they work other than SELinux complaining?
Yes, munin works very well - even with selinux enabled, but with this policy:

module mojapolityka 1.0;

require {
	type munin_log_t;
	type disk_munin_plugin_t;
	type mail_munin_plugin_t;
	type services_munin_plugin_t;
	type munin_etc_t;
	type tmp_t;
	type system_munin_plugin_t;
	type passwd_file_t;
	type munin_t;
	type sysctl_rpc_t;
	type httpd_munin_script_t;
	class process execmem;
	class dir { write search read remove_name create add_name };
	class file { setattr read create getattr write ioctl unlink open append };
}

#============= disk_munin_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow disk_munin_plugin_t passwd_file_t:file { read open };

#============= httpd_munin_script_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_munin_script_t munin_etc_t:dir read;
#!!!! This avc is allowed in the current policy
allow httpd_munin_script_t munin_log_t:dir search;
allow httpd_munin_script_t munin_log_t:file append;
#!!!! This avc is allowed in the current policy
allow httpd_munin_script_t munin_log_t:file ioctl;
#!!!! This avc is allowed in the current policy
allow httpd_munin_script_t passwd_file_t:file { read getattr open };
#!!!! This avc is allowed in the current policy
allow httpd_munin_script_t self:process execmem;
#!!!! This avc is allowed in the current policy
allow httpd_munin_script_t tmp_t:dir { write remove_name create add_name };
#!!!! This avc is allowed in the current policy
allow httpd_munin_script_t tmp_t:file { write create unlink open setattr };

#============= mail_munin_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow mail_munin_plugin_t passwd_file_t:file { read open };

#============= munin_t ==============
#!!!! This avc is allowed in the current policy
allow munin_t self:process execmem;

#============= services_munin_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow services_munin_plugin_t passwd_file_t:file { read open };

#============= system_munin_plugin_t ==============
#!!!! This avc is allowed in the current policy
allow system_munin_plugin_t passwd_file_t:file { read open };
#!!!! This avc is allowed in the current policy
allow system_munin_plugin_t sysctl_rpc_t:dir search;

REMARK: selinux-policy-3.11.1-82.fc18.noarch doesn't work well with munin - still some issue.
I have looked here, and I do not see where execmem is required. Can you run "ls -l /etc/munin/plugins/" so we can see which plugins you have there?
[root@localhost ~]# ls -l /etc/munin/plugins/
razem 0
lrwxrwxrwx. 1 root root 28 01-22 23:02 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx. 1 root root 27 01-22 23:02 df -> /usr/share/munin/plugins/df
lrwxrwxrwx. 1 root root 33 01-22 23:02 df_inode -> /usr/share/munin/plugins/df_inode
lrwxrwxrwx. 1 root root 34 01-22 23:02 diskstats -> /usr/share/munin/plugins/diskstats
lrwxrwxrwx. 1 root root 32 01-22 23:02 entropy -> /usr/share/munin/plugins/entropy
lrwxrwxrwx. 1 root root 30 01-22 23:02 forks -> /usr/share/munin/plugins/forks
lrwxrwxrwx. 1 root root 35 01-22 23:02 fw_packets -> /usr/share/munin/plugins/fw_packets
lrwxrwxrwx. 1 root root 32 01-22 23:02 if_err_eth0 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 32 01-22 23:02 if_err_eth1 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 32 01-22 23:02 if_err_hso0 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 32 01-22 23:02 if_err_tun0 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 32 01-22 23:02 if_err_wlan0 -> /usr/share/munin/plugins/if_err_
lrwxrwxrwx. 1 root root 28 01-22 23:02 if_eth0 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 28 01-22 23:02 if_eth1 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 28 01-22 23:02 if_hso0 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 28 01-22 23:02 if_tun0 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 28 01-22 23:02 if_wlan0 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 35 01-22 23:02 interrupts -> /usr/share/munin/plugins/interrupts
lrwxrwxrwx. 1 root root 33 01-22 23:02 irqstats -> /usr/share/munin/plugins/irqstats
lrwxrwxrwx. 1 root root 29 01-22 23:02 load -> /usr/share/munin/plugins/load
lrwxrwxrwx. 1 root root 31 01-22 23:02 lpstat -> /usr/share/munin/plugins/lpstat
lrwxrwxrwx. 1 root root 31 01-22 23:02 memory -> /usr/share/munin/plugins/memory
lrwxrwxrwx. 1 root root 32 01-22 23:02 netstat -> /usr/share/munin/plugins/netstat
lrwxrwxrwx. 1 root root 29 01-22 23:02 nfsd -> /usr/share/munin/plugins/nfsd
lrwxrwxrwx. 1 root root 30 01-22 23:02 nfsd4 -> /usr/share/munin/plugins/nfsd4
lrwxrwxrwx. 1 root root 35 01-22 23:02 open_files -> /usr/share/munin/plugins/open_files
lrwxrwxrwx. 1 root root 36 01-22 23:02 open_inodes -> /usr/share/munin/plugins/open_inodes
lrwxrwxrwx. 1 root root 34 01-22 23:02 processes -> /usr/share/munin/plugins/processes
lrwxrwxrwx. 1 root root 33 01-22 23:02 proc_pri -> /usr/share/munin/plugins/proc_pri
lrwxrwxrwx. 1 root root 43 01-22 23:02 sendmail_mailqueue -> /usr/share/munin/plugins/sendmail_mailqueue
lrwxrwxrwx. 1 root root 43 01-22 23:02 sendmail_mailstats -> /usr/share/munin/plugins/sendmail_mailstats
lrwxrwxrwx. 1 root root 45 01-22 23:02 sendmail_mailtraffic -> /usr/share/munin/plugins/sendmail_mailtraffic
lrwxrwxrwx. 1 root root 33 01-27 01:02 sensors_fan -> /usr/share/munin/plugins/sensors_
lrwxrwxrwx. 1 root root 33 01-27 01:01 sensors_temp -> /usr/share/munin/plugins/sensors_
lrwxrwxrwx. 1 root root 33 01-27 01:03 sensors_volt -> /usr/share/munin/plugins/sensors_
lrwxrwxrwx. 1 root root 29 01-22 23:02 swap -> /usr/share/munin/plugins/swap
lrwxrwxrwx. 1 root root 32 01-22 23:02 threads -> /usr/share/munin/plugins/threads
lrwxrwxrwx. 1 root root 31 01-22 23:02 uptime -> /usr/share/munin/plugins/uptime
lrwxrwxrwx. 1 root root 30 01-22 23:02 users -> /usr/share/munin/plugins/users
lrwxrwxrwx. 1 root root 31 01-22 23:02 vmstat -> /usr/share/munin/plugins/vmstat
That sort of narrows it down a bit. It is one of these:

/usr/share/munin/plugins/lpstat
/usr/share/munin/plugins/nfsd
/usr/share/munin/plugins/nfsd4
/usr/share/munin/plugins/sendmail_mailqueue
/usr/share/munin/plugins/sendmail_mailstats
/usr/share/munin/plugins/sendmail_mailtraffic
/usr/share/munin/plugins/sensors_

You can test each one by using something like:

sudo -u nobody munin-run sensors_fan

(Unless your plugin runs as some other user)

ausearch -m avc -ts recent | grep execmem

Should show up once you have run the offending plugin.
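As an added example (not part of this bug report, and not code from setroubleshoot, audit2allow or munin), the script below parses AVC and SYSCALL records in the format quoted in the description, which is also the record format that the `ausearch -m avc -ts recent | grep execmem` check above produces. It pairs the two records of an event by their audit serial, decodes the mmap() protection and flag arguments, and renders the allow rule audit2allow would generate. It answers the reporter's question in a concrete way: `a2=7` decodes to PROT_READ|PROT_WRITE|PROT_EXEC, so the Perl interpreter (or one of its loaded modules) asked for a private mapping that is both writable and executable, and that combination is what the execmem permission guards. The sample records are copied from this report and embedded as constructed test input; the bit tables assume Linux x86_64 mmap constants.

```python
import re
from typing import Dict, List

# Sample audit records for this example. They are copied from the raw audit
# messages in the bug report above and embedded here as constructed test input.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1361395201.535:355): avc: denied { execmem } for '
    'pid=13369 comm="munin-update" '
    'scontext=system_u:system_r:munin_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:munin_t:s0-s0:c0.c1023 tclass=process\n'
    'type=SYSCALL msg=audit(1361395201.535:355): arch=x86_64 syscall=mmap '
    'success=no exit=EACCES a0=321c8ca000 a1=3d000 a2=7 a3=812 items=0 '
    'ppid=13368 pid=13369 auid=990 uid=990 gid=987 euid=990 suid=990 '
    'fsuid=990 egid=987 sgid=987 fsgid=987 ses=28 tty=(none) '
    'comm=munin-update exe=/usr/bin/perl '
    'subj=system_u:system_r:munin_t:s0-s0:c0.c1023 key=(null)\n'
)

# mmap() protection and flag bits as defined for Linux x86_64 (assumed here).
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
            0x20: "MAP_ANONYMOUS", 0x800: "MAP_DENYWRITE",
            0x1000: "MAP_EXECUTABLE"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial
DENIED_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # denied { perm ... }


def decode_bits(hex_value: str, table: Dict[int, str]) -> List[str]:
    """Turn a hex syscall argument (no 0x prefix, as audit logs it) into names."""
    value = int(hex_value, 16)
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)  # bits the table does not know
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def parse_record(line: str) -> dict:
    """Split one audit record into its key=value fields plus serial and perms."""
    fields: dict = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["serial"] = m.group(2)
    d = DENIED_RE.search(line)
    if d:
        fields["denied"] = d.group(1).split()
    return fields


def type_of(context: str) -> str:
    """Extract the type (third component) of an SELinux security context."""
    return context.split(":")[2]


def allow_rule(avc: dict) -> str:
    """Render the allow rule audit2allow would emit for this AVC record."""
    stype, ttype = type_of(avc["scontext"]), type_of(avc["tcontext"])
    target = "self" if stype == ttype else ttype
    perms = avc["denied"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{avc['tclass']} {perm_str};"


def analyze(audit_text: str) -> List[dict]:
    """Pair each AVC denial with the SYSCALL record of the same event and
    decode the mmap/mprotect arguments so the denial can be understood."""
    by_serial: Dict[str, dict] = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if "type" not in rec:          # skips blank lines and ausearch '----'
            continue
        by_serial.setdefault(rec.get("serial", "?"), {})[rec["type"]] = rec
    results = []
    for serial, event in by_serial.items():
        avc = event.get("AVC")
        if not avc or "denied" not in avc:
            continue
        summary = {"serial": serial, "comm": avc.get("comm"),
                   "source_type": type_of(avc["scontext"]),
                   "target_type": type_of(avc["tcontext"]),
                   "tclass": avc["tclass"], "perms": avc["denied"],
                   "rule": allow_rule(avc)}
        sc = event.get("SYSCALL")
        if sc:
            summary["syscall"], summary["exe"] = sc.get("syscall"), sc.get("exe")
            if sc.get("syscall") in ("mmap", "mprotect"):
                summary["prot"] = decode_bits(sc["a2"], PROT_BITS)  # a2 = prot
            if sc.get("syscall") == "mmap":
                summary["flags"] = decode_bits(sc["a3"], MAP_BITS)  # a3 = flags
            prot = summary.get("prot", [])
            # A writable and executable mapping is what execmem guards.
            summary["writable_exec"] = "PROT_WRITE" in prot and "PROT_EXEC" in prot
        results.append(summary)
    return results


if __name__ == "__main__":
    for ev in analyze(SAMPLE_AUDIT):
        print(f"event {ev['serial']}: {ev['comm']} ({ev.get('exe')}) denied "
              f"{' '.join(ev['perms'])} on {ev['tclass']} via {ev.get('syscall')}")
        print("  prot  =", "|".join(ev.get("prot", [])))
        print("  flags =", "|".join(ev.get("flags", [])))
        print("  audit2allow would emit:", ev["rule"])
```

Feed it the output of `ausearch -m avc -ts recent` instead of the embedded sample to see every recent denial decoded; the `writable_exec` flag is a quick way to tell a real RWX mapping request apart from noise before deciding whether an allow rule is justified.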
I added some fixes to -83.fc18 policy release.
Now all seems to be OK. No selinux alerts. I'm running: selinux-policy-3.11.1-83.fc18.noarch Thanks.
Ok, thank you for testing.