Red Hat Bugzilla – Bug 966635
Munin CGI graphs produce SELinux AVCs
Last modified: 2014-09-30 19:34:53 EDT
Description of problem:
When I install munin and apache and set up CGI rendering (as opposed to cron rendering), I get SELinux AVCs and the user sees internal server errors.

Version-Release number of selected component (if applicable):
This is with munin 2.0.12-2.el6 from EPEL and selinux-policy 3.7.19-195.el6_4.5 from CentOS 6.4.

How reproducible:
Always

Steps to Reproduce:
1. Install munin and httpd
2. Set graph_strategy cgi in /etc/munin/munin.conf
3. Wait for the cronjob to generate the configuration
4. Visit http://localhost/munin

Actual results:
Loading the graphs results in internal server errors and SELinux AVCs, while running in permissive mode works.

Expected results:
Present the user with working graphs.

Additional info:
It might be needed to also create /var/log/munin/munin-cgi-graph.log and allow the apache user to write to it.

The following AVCs are generated:

type=AVC msg=audit(1369320960.617:524): avc: denied { search } for pid=14661 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394257 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369320960.617:524): avc: denied { getattr } for pid=14661 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.618:525): avc: denied { read } for pid=14661 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.618:525): avc: denied { open } for pid=14661 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.619:526): avc: denied { ioctl } for pid=14661 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395298 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320960.626:527): avc: denied { search } for pid=14661 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394743 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=dir
type=AVC msg=audit(1369320960.627:528): avc: denied { open } for pid=14661 comm="munin-cgi-graph" name="munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320960.627:529): avc: denied { ioctl } for pid=14661 comm="munin-cgi-graph" path="/var/log/munin/munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320960.652:530): avc: denied { setattr } for pid=14661 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=394377 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir

There is also httpd_munin_script_exec_t, which I would expect to be used by /var/www/cgi-bin/munin-cgi-{graph,html}, but they are httpd_sys_script_exec_t. Changing munin-cgi-graph to httpd_munin_script_exec_t results in the following AVCs.

type=AVC msg=audit(1369320890.097:504): avc: denied { search } for pid=14266 comm="munin-cgi-graph" name="lib" dev=dm-0 ino=393218 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369320890.097:504): avc: denied { search } for pid=14266 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394257 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369320890.097:504): avc: denied { getattr } for pid=14266 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.098:505): avc: denied { read } for pid=14266 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.098:505): avc: denied { open } for pid=14266 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.099:506): avc: denied { ioctl } for pid=14266 comm="munin-cgi-graph" path="/var/lib/munin/datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.106:507): avc: denied { search } for pid=14266 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394743 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=dir
type=AVC msg=audit(1369320890.106:507): avc: denied { getattr } for pid=14266 comm="munin-cgi-graph" path="/var/log/munin/munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.106:508): avc: denied { append } for pid=14266 comm="munin-cgi-graph" name="munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.106:508): avc: denied { open } for pid=14266 comm="munin-cgi-graph" name="munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.107:509): avc: denied { ioctl } for pid=14266 comm="munin-cgi-graph" path="/var/log/munin/munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.117:510): avc: denied { search } for pid=14266 comm="munin-cgi-graph" name="munin-cgi-graph" dev=dm-0 ino=394650 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.117:510): avc: denied { getattr } for pid=14266 comm="munin-cgi-graph" path="/var/tmp/munin-cgi-graph/oxilion/munin-1546.oxilion/df-day.png" dev=dm-0 ino=394850 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.118:511): avc: denied { write } for pid=14266 comm="munin-cgi-graph" name="munin-1546.oxilion" dev=dm-0 ino=395052 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.118:511): avc: denied { remove_name } for pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394850 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.118:511): avc: denied { unlink } for pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394850 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.123:512): avc: denied { getattr } for pid=14266 comm="munin-cgi-graph" path="/var/tmp/munin-cgi-graph/oxilion/munin-1546.oxilion" dev=dm-0 ino=395052 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.134:513): avc: denied { setattr } for pid=14266 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=394377 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=AVC msg=audit(1369320890.161:514): avc: denied { add_name } for pid=14266 comm="munin-cgi-graph" name="df-day.png" scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1369320890.161:514): avc: denied { create } for pid=14266 comm="munin-cgi-graph" name="df-day.png" scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.161:514): avc: denied { write open } for pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.192:515): avc: denied { setattr } for pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.193:516): avc: denied { read } for pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1369320890.193:517): avc: denied { ioctl } for pid=14266 comm="munin-cgi-graph" path="/var/tmp/munin-cgi-graph/oxilion/munin-1546.oxilion/df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file

As a workaround I changed the CGI files to httpd_munin_script_exec_t and run httpd_munin_script_t in permissive mode.
Where munin writes to should likely be labeled httpd_munin_rw_content_t. The CGI files should likely be httpd_munin_script_t. Assigning to selinux-policy for their input.
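To make AVC dumps like the two in this report easier to read, here is an added Python helper (not from the bug report and not a Red Hat tool) that parses AVC records and merges the denied permissions per source type, target type and object class, which is the granularity at which the relabeling in the comment above is decided. The sample records are a constructed subset of the report's own AVC lines.

```python
"""Group SELinux AVC denials by (source type, target type, object class).

Added example, not from the bug report or from Red Hat tooling.  The
sample records are a constructed subset of the AVCs quoted in the report."""
import re
from collections import defaultdict

SAMPLE_AVCS = """\
type=AVC msg=audit(1369320890.097:504): avc: denied { search } for pid=14266 comm="munin-cgi-graph" name="munin" dev=dm-0 ino=394257 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1369320890.098:505): avc: denied { read } for pid=14266 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.098:505): avc: denied { open } for pid=14266 comm="munin-cgi-graph" name="datafile.storable" dev=dm-0 ino=395299 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file
type=AVC msg=audit(1369320890.106:508): avc: denied { append } for pid=14266 comm="munin-cgi-graph" name="munin-cgi-graph.log" dev=dm-0 ino=394158 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_log_t:s0 tclass=file
type=AVC msg=audit(1369320890.161:514): avc: denied { write open } for pid=14266 comm="munin-cgi-graph" name="df-day.png" dev=dm-0 ino=394849 scontext=unconfined_u:system_r:httpd_munin_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value tokens
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")  # e.g. { write open }


def parse_avc(line):
    """Return (stype, ttype, tclass, perms) for one AVC record, else None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A context is user:role:type:level; policy rules are written on the type.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())


def summarize(text):
    """Merge every record into {(stype, ttype, tclass): set of denied perms}."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            merged[(stype, ttype, tclass)] |= perms
    return dict(merged)


def as_rules(merged):
    """Render audit2allow-style lines for review.  A target type such as
    httpd_sys_rw_content_t under /var/tmp/munin-cgi-graph points to a path
    that needs relabeling (the maintainer's fix), not to a missing allow."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())
```

Running `as_rules(summarize(open("/var/log/audit/audit.log").read()))` on a real audit log gives the same per-type view for any confined domain, not just munin's.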
Yes, we need to backport fixes from Fedora.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html