Bug 966635 - Munin CGI graphs produce SELinux AVCs
Munin CGI graphs produce SELinux AVCs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.6
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-23 11:07 EDT by Ewoud Kohl van Wijngaarden
Modified: 2014-09-30 19:34 EDT (History)
11 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 05:29:20 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ewoud Kohl van Wijngaarden 2013-05-23 11:07:44 EDT
Description of problem:
When I install munin and apache, set up CGI rendering (as opposed to cron rendering) I get SELinux AVCs and the user sees internal server errors.

Version-Release number of selected component (if applicable):
This is with munin 2.0.12-2.el6 from EPEL and selinux-policy 3.7.19-195.el6_4.5 from CentOS 6.4.

How reproducible:
Always

Steps to Reproduce:
1. Install munin and httpd
2. Set graph_strategy cgi in /etc/munin/munin.conf
3. Wait for the cronjob to generate the configuration
4. Visit http://localhost/munin

Actual results:
Loading the graphs results in internal server errors and SELinux AVCs while running in permissive mode works.

Expected results:
Present the user with working graphs.

Additional info:
It might be needed to also create /var/log/munin/munin-cgi-graph.log and allow the apache user to write to it.

The following AVCs are generated:

type=AVC msg=audit(1369320960.617:524): avc:  denied  { search } for  pid=14661 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394257 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369320960.617:524): avc:  denied  { getattr } for  pid=14661 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.618:525): avc:  denied  { read } for  pid=14661 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.618:525): avc:  denied  { open } for  pid=14661 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.619:526): avc:  denied  { ioctl } for  pid=14661 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.626:527): avc:  denied  { search } for  pid=14661 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394743 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=dir
type=AVC msg=audit(1369320960.627:528): avc:  denied  { open } for  pid=14661 comm="munin-cgi-graph" name="munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320960.627:529): avc:  denied  { ioctl } for  pid=14661 comm="munin-cgi-graph" path="/var/log/munin/munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320960.652:530): avc:  denied  { setattr } for  pid=14661 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=394377 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

There is also the httpd_munin_script_exec_t which I would expect to be used by /var/www/cgi-bin/munin-cgi-{graph,html}, but they are httpd_sys_script_exec_t. Changing munin-cgi-graph to httpd_munin_script_exec_t results in the following AVCs.

type=AVC msg=audit(1369320890.097:504): avc:  denied  { search } for  pid=14266 comm="munin-cgi-graph" name="lib" dev=dm-0 ino=393218 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369320890.097:504): avc:  denied  { search } for  pid=14266 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394257 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369320890.097:504): avc:  denied  { getattr } for  pid=14266 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.098:505): avc:  denied  { read } for  pid=14266 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.098:505): avc:  denied  { open } for  pid=14266 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.099:506): avc:  denied  { ioctl } for  pid=14266 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.106:507): avc:  denied  { search } for  pid=14266 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394743 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=dir
type=AVC msg=audit(1369320890.106:507): avc:  denied  { getattr } for  pid=14266 comm="munin-cgi-graph" path="/var/log/munin/munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.106:508): avc:  denied  { append } for  pid=14266 comm="munin-cgi-graph" name="munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.106:508): avc:  denied  { open } for  pid=14266 comm="munin-cgi-graph" name="munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.107:509): avc:  denied  { ioctl } for  pid=14266 comm="munin-cgi-graph" path="/var/log/munin/munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.117:510): avc:  denied  { search } for  pid=14266 comm="munin-cgi-graph" name="munin-cgi-graph" dev=dm-0 ino=394650 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.117:510): avc:  denied  { getattr } for  pid=14266 comm="munin-cgi-graph" path="/var/tmp/munin-cgi-graph/oxilion/munin-1546.oxilion/df-day.png" dev=dm-0 ino=394850 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.118:511): avc:  denied  { write } for  pid=14266 comm="munin-cgi-graph" name="munin-1546.oxilion" dev=dm-0 ino=395052 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.118:511): avc:  denied  { remove_name } for  pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394850 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.118:511): avc:  denied  { unlink } for  pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394850 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.123:512): avc:  denied  { getattr } for  pid=14266 comm="munin-cgi-graph" path="/var/tmp/munin-cgi-graph/oxilion/munin-1546.oxilion" dev=dm-0 ino=395052 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.134:513): avc:  denied  { setattr } for  pid=14266 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=394377 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=AVC msg=audit(1369320890.161:514): avc:  denied  { add_name } for  pid=14266 comm="munin-cgi-graph" name="df-day.png" scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.161:514): avc:  denied  { create } for  pid=14266 comm="munin-cgi-graph" name="df-day.png" scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.161:514): avc:  denied  { write open } for  pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.192:515): avc:  denied  { setattr } for  pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.193:516): avc:  denied  { read } for  pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.193:517): avc:  denied  { ioctl } for  pid=14266 comm="munin-cgi-graph" path="/var/tmp/munin-cgi-graph/oxilion/munin-1546.oxilion/df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file

As a workaround I changed the CGI files to httpd_munin_script_exec_t and run httpd_munin_script_t in permissive mode.
Comment 1 d. johnson 2013-05-29 16:43:53 EDT
Where munin writes to should likely be labeled httpd_munin_rw_content_t

The CGI files should likely be httpd_munin_script_t

Assigning to selinux-policy for their input.
Comment 3 Miroslav Grepl 2013-05-30 08:31:24 EDT
Yes, we need to back port fixes from Fedora.
Comment 10 errata-xmlrpc 2013-11-21 05:29:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.