Hi Kurt,
thanks for your detailed answer!
On Mon, 2010-04-12 at 23:34 +0200, pbdlists(a)pinboard.com wrote:
Your 1st question:
> and get "Unknown" values, when I fetch the
> values from munin-node by master via telnet:
> After setting SELinux mode to *permissive*
> it worked
The port 4949, which munin-node uses, does have its own security label.
This is _not_ an issue of the telnet connection, as
this way I get reasonable values from many other plugins.
The problem is a different behaviour when
the plugin is executed by munin-node (the daemon)
and by munin-run.
What is very strange is that I don't get avc-denials
when the fetch via munin-node fails.
I opened a bug-report on this:
https://bugzilla.redhat.com/show_bug.cgi?id=581270
Your 2nd question:
I think it should be possible to create some custom rule
so munin does get another context when logging in.
The question is how to change / enhance the utility
"munin-run", which is a perl script, so that it
behaves in the same manner as "munin-node" (which is
also a perl script, but runs as a daemon) with respect
to the SELinux restrictions.
The plugin selinux_avcstat should give the same
result when executed by "munin-run" and by "munin-node".
[QA of the standard plugins]
I agree, SELinux issues with munin aren't a joy, but one has to remember
that munin tries to get quite a lot of info out of the system from
various places. And if you do want to have that secured, it is a chore.
As Fedora installs SELinux in enforcing mode
and does not warn or recommend setting it to permissive mode
when it installs munin-node, I see it as an essential task
of the distributor to check whether the packages
work together in the default installation.
With kind regards,
Gabriele
--
Dipohl ~ Creations with sense and mind
www.dipohl.com