munin-run has different SELinux privileges than munin-node
Gabriele Pohl
gp at dipohl.com
Fri Apr 9 12:44:47 UTC 2010
Hi,
some sentences on the background of the
question I will ask below:
"munin-run" is a utility delivered with the
package "munin-node". Its purpose is testing
the execution of munin plugins in an environment
that is equivalent to the execution when called by
the daemon "munin-node".
When exploring the new Munin version 1.4.4
on Fedora Core 12 I found out that this
does not work in the sense of testing
"SELinux privileges".
I got reasonable values from a plugin
when I ran it on the node:
----- 8< -----
# munin-run selinux_avcstat
lookups.value 25863367
hits.value 25837715
misses.value 25652
allocations.value 25657
reclaims.value 24624
frees.value 25156
----- >8 -----
and got "Unknown" values when I fetched the
values from munin-node via telnet, as the master does:
----- 8< -----
# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value U
hits.value U
misses.value U
allocations.value U
reclaims.value U
frees.value U
.
----- >8 -----
After setting the SELinux mode to *permissive*
it also worked for munin-node:
# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value 33223592
hits.value 33194702
misses.value 28890
allocations.value 28900
reclaims.value 27856
frees.value 28392
.
Now my question:
1. Why was it possible to get values (read
the file: /selinux/avc/cache_stats)
when calling the plugin with munin-run
and also directly under user "munin"
----- 8< -----
sudo -u munin /etc/munin/plugins/selinux_avcstat
lookups.value 29744406
hits.value 29717050
misses.value 27356
allocations.value 27361
reclaims.value 26320
frees.value 26852
----- >8 -----
but not for "munin-node"?
Because this is a daemon?
2. Is it possible to create a tool
"munin-run" that is also able to test the
SELinux issues for munin-node?
3. What rule will I have to add to my
Munin Policy to allow munin-node to read
the file /selinux/avc/cache_stats?
4. Is there no QA on Munin's standard plugin
collection delivered by Fedora?
These SELinux issues one gets every time with the
Munin packages are really annoying...
*sigh* and best regards,
Gabriele
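Questions 1 and 3 in the post turn on the SELinux domain the plugin runs in: munin-node runs in its confined daemon domain, while munin-run (or sudo -u munin) inherits the caller's context, which is why only the daemon hits the denial. The script below is an added illustration, not code from the post or from Munin; it does on constructed AVC denial lines what audit2allow does on real ones, and the domain names munin_t and security_t are assumptions about the Fedora policy naming, not values taken from the post.

```python
import re
from collections import defaultdict

# Constructed AVC denial records in auditd's format (not from the post).
# The domain munin_t and the selinuxfs type security_t are assumed names.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1270816000.101:301): avc:  denied  { search } for  pid=2231 comm="selinux_avcstat" name="avc" dev=selinuxfs ino=9 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1270816000.102:302): avc:  denied  { read } for  pid=2231 comm="selinux_avcstat" name="cache_stats" dev=selinuxfs ino=42 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1270816000.103:303): avc:  denied  { open } for  pid=2231 comm="selinux_avcstat" path="/selinux/avc/cache_stats" dev=selinuxfs ino=42 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1270816000.103:303): arch=c000003e syscall=2 success=no exit=-13 ...
"""

# Pull the permission set, source domain, target type and object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=\w+:\w+:(?P<sdomain>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text):
    """Return (source_domain, target_type, tclass, permission) tuples, one per denied permission."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and anything that is not a denial are skipped
        for perm in m.group("perms").split():
            denials.append((m.group("sdomain"), m.group("ttype"), m.group("tclass"), perm))
    return denials


def allow_rules(denials):
    """Collapse the denials into one type-enforcement allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for sdomain, ttype, tclass, perm in denials:
        perms[(sdomain, ttype, tclass)].add(perm)
    return [
        f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(ps))} }};"
        for (sdomain, ttype, tclass), ps in sorted(perms.items())
    ]


if __name__ == "__main__":
    # Only the confined daemon domain appears as scontext; a shell-started munin-run would not.
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

On a live node the same records come from `ausearch -m AVC -c selinux_avcstat` while the daemon is in permissive mode, and `audit2allow -M` turns them into a loadable module; the rules printed here are the minimal set that the constructed denials justify, nothing broader.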