munin-run has other SELinux privileges as munin-node

Gabriele Pohl gp at dipohl.com
Tue Apr 13 20:14:58 UTC 2010


Hi Kurt,

thanks for your detailed answer!

On Mon, 2010-04-12 at 23:34 +0200, pbdlists at pinboard.com wrote:
> Your 1st question:
> > and get "Unknown" values, when I fetch the
> > values from munin-node by master via telnet:
> > After setting SELinux mode to *permissive*
> > it worked
>  
> The port 4949, which munin-node uses, does have its own security label.

This is _not_ an issue of the telnet connection, as
this way I get reasonable values from many other plugins.

The problem is the different behaviour when
the plugin is executed by munin-node (the daemon)
and by munin-run.

Very strange is that I don't get AVC denials
when the fetch via munin-node fails.

I opened a bug-report on this:
https://bugzilla.redhat.com/show_bug.cgi?id=581270

> Your 2nd question:
>  
> I think it should be possible to create some custom rule 
> so munin does get another context when logging in. 

The question is how to change / enhance the utility
"munin-run", which is a perl script, so that it
behaves in the same manner as "munin-node" (which is
a perl script also, but runs as a daemon) in respect
of the SELinux restrictions.

The plugin selinux_avcstat should give the same
result when executed by "munin-run" and by "munin-node".

[QA of the standard plugins]

> I agree, SELinux issues with munin aren't a joy, but one has to remember
> that munin tries to get quite a lot of info out of the system from
> various places. And if you do want to have that secured, it is a chore.

As Fedora installs SELinux in enforcing mode
and does not warn or recommend setting it to permissive mode
when it installs munin-node, I see it as an essential task
of the distributor to check whether the packages
work together in the default installation.

With kind regards,

Gabriele

-- 
Dipohl ~ Creations with sense and mind
www.dipohl.com
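A diagnostic for the munin-run / munin-node difference discussed above, added here as an example and not code from the list or from the munin project. It assumes a throw-away plugin named selinux_ctx (a hypothetical name) installed in /etc/munin/plugins that prints one line, "ctx.value $(id -Z)", and that the host running the check is allowed in munin-node.conf; the context strings in the comments are constructed samples.

```shell
#!/bin/sh
# Compare the SELinux context a plugin gets when munin-run starts it with the
# context it gets when the munin-node daemon runs it for a fetch on port 4949.
# Assumption: plugin "selinux_ctx" (hypothetical) prints  ctx.value $(id -Z)

# Type field of a context: system_u:system_r:munin_t:s0 (constructed) -> munin_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 when both contexts share the same type (domain), 1 otherwise.
same_domain() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# Pull the context out of "ctx.value <context>" plugin output; ignores the
# terminating "." line munin-node appends.
extract_ctx() {
    awk '$1 == "ctx.value" { print $2 }'
}

# Context seen when munin-run starts the plugin (the invoking user's process).
ctx_via_munin_run() {
    munin-run selinux_ctx | extract_ctx
}

# Context seen when the daemon starts the plugin: a plain fetch over 4949.
ctx_via_munin_node() {
    printf 'fetch selinux_ctx\nquit\n' | nc -w 5 "${1:-127.0.0.1}" 4949 | extract_ctx
}

compare_paths() {
    run_ctx=$(ctx_via_munin_run)
    node_ctx=$(ctx_via_munin_node "$1")
    printf 'munin-run : %s\nmunin-node: %s\n' "$run_ctx" "$node_ctx"
    if same_domain "$run_ctx" "$node_ctx"; then
        echo "same domain: look at the plugin environment (PATH, umask, env vars)"
    else
        echo "different domains: the daemon confines the plugin differently"
    fi
}

# The live comparison only runs when asked for, so the helper functions can be
# sourced or tested on a box without SELinux or munin.
if [ "${RUN_CTX_CHECK:-0}" = 1 ]; then
    compare_paths "${1:-127.0.0.1}"
fi
```

If the domains differ but still no AVC shows up, the denial may be hidden by a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit rules disabled so they are logged (`semodule -B` restores the default).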
