munin-run has other SELinux privileges as munin-node

pbdlists at pinboard.com
Mon Apr 12 21:34:10 UTC 2010


Hi Gabriele,
 
Your 1st question:
 
The port 4949, which munin-node uses, does have its own security label.
All connections through that port get that label:
  # semanage port -l | grep 4949
  munin_port_t                   tcp      4949
  munin_port_t                   udp      4949
 
There are, however, no special rules for the user munin, when it logs
in:
  # semanage user -l | grep munin
  # semanage login -l | grep munin
 
Your 2nd question:
 
I think it should be possible to create some custom rule so munin does
get another context when logging in. But neither do I do enough SELinux
tweaking to know how exactly to do that, nor do I think it would be wise
to fiddle that way. Creating some boolean to switch things on and off
might be preferable.
 
Your 3rd question:
 
Again, I don't do enough SELinux work to answer this off the top of my
head or without looking at the exact selinux messages. Have a look at
the avc messages in /var/log/audit/audit.log. From there, the following
(untested and surely not really working) snippet might at least be some
starting point to get you started in the right direction:
 
 
  # Local policy module: let the munin_t domain read selinuxfs (/selinux),
  # where /selinux/avc/cache_stats lives (types declared in require {}).
  policy_module(test, 0.0.1)

  require {
          type munin_t;
          type security_t;
  };

  # walk the selinuxfs directories (/selinux, /selinux/avc)
  allow munin_t security_t : dir { search read } ;
  # open and read the cache_stats file itself
  allow munin_t security_t : file { getattr open read } ;

I agree, SELinux issues with munin aren't a joy, but one has to remember
that munin tries to get quite a lot of info out of the system from
various places. And if you do want to have that secured, it is a chore.
 
Hope this helps somewhat to get you onto the right track.
 
Cheers,
 
Kurt

On Fri, Apr 09, 2010 at 02:44:47PM +0200, Gabriele Pohl wrote:
> Hi,
> 
> some sentences on the background of the 
> question I will ask below:
> 
> "munin-run" is a utility delivered with the
> package "munin-node". Its purpose is testing
> the execution of munin plugins in an environment
> that is equal to the execution when called by
> daemon "munin-node".
> 
> When exploring the new Munin version 1.4.4
> on Fedora Core 12 I found out that this
> does not work in the sense of testing
> "SELinux-Privileges".
> 
> I got reasonable values from a plugin
> when I ran it on the node:
> 
> ----- 8< -----
> # munin-run selinux_avcstat 
> lookups.value 25863367
> hits.value 25837715
> misses.value 25652
> allocations.value 25657
> reclaims.value 24624
> frees.value 25156
> ----- >8 -----
> 
> and get "Unknown" values when I fetch the
> values from munin-node, as the master would, via telnet:
> 
> ----- 8< -----
> # telnet localhost 4949
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> # munin node at localhost
> fetch selinux_avcstat
> lookups.value U
> hits.value U
> misses.value U
> allocations.value U
> reclaims.value U
> frees.value U
> .
> ----- >8 -----
> 
> After setting SELinux mode to *permissive*
> it also worked for munin-node:
> 
> # telnet localhost 4949
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> # munin node at localhost
> fetch selinux_avcstat
> lookups.value 33223592
> hits.value 33194702
> misses.value 28890
> allocations.value 28900
> reclaims.value 27856
> frees.value 28392
> .
> 
> Now my questions:
> 
> 1. Why was it possible to get values (read
> the file: /selinux/avc/cache_stats)
> when calling the plugin with munin-run
> and also directly under user "munin"
> 
> ----- 8< -----
> sudo -u munin /etc/munin/plugins/selinux_avcstat 
> lookups.value 29744406
> hits.value 29717050
> misses.value 27356
> allocations.value 27361
> reclaims.value 26320
> frees.value 26852
> ----- >8 -----
> 
> but not for "munin-node"?
> 
> Because this is a daemon?
> 
> 2. Is it possible to create a tool
> "munin-run" that is able to test the
> SELinux issues for munin-node also?
> 
> 3. What rule will I have to add to my
> Munin Policy to allow munin-node to read 
> the file /selinux/avc/cache_stats?
> 
> 4. Is there no QA on Munin's standard plugin
> collection delivered by Fedora?
> 
> These SELinux issues one gets every time with the
> Munin packages are really annoying...
> 
> *sigh* and best regards,
> 
> Gabriele
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
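Added example (not part of the original thread, and not munin project code): Kurt's advice is to start from the AVC denials in /var/log/audit/audit.log and derive the allow rules from them. The script below does that in a transparent way, the same job audit2allow does: it parses AVC lines, merges the denied permissions per (source type, target type, class) into one allow rule each, and wraps them in a policy_module() skeleton like the one sketched above. The three AVC lines in SAMPLE_AVC are constructed to mirror a plugin in the munin_t domain being denied on /selinux/avc/cache_stats; they are not lines from Gabriele's system, and the module name munin_local is an arbitrary choice.

```shell
#!/bin/sh
# Added example: turn AVC denials into allow rules and a .te skeleton.

# Constructed sample denials (NOT from the original mail), modelled on a
# munin plugin in domain munin_t reading /selinux/avc/cache_stats.
SAMPLE_AVC='type=AVC msg=audit(1270820687.123:456): avc:  denied  { search } for  pid=1234 comm="selinux_avcstat" name="avc" dev=selinuxfs ino=12 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1270820687.124:457): avc:  denied  { read } for  pid=1234 comm="selinux_avcstat" name="cache_stats" dev=selinuxfs ino=13 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1270820687.124:458): avc:  denied  { open } for  pid=1234 comm="selinux_avcstat" path="/selinux/avc/cache_stats" dev=selinuxfs ino=13 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file'

# avc_to_rules: read AVC lines on stdin, print one "allow" rule per
# (source type, target type, object class), permissions merged and sorted.
avc_to_rules() {
    awk '
    /avc: *denied/ {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # a context is user:role:type:level, so the type is field 3
            if (index($i, "scontext=") == 1) { split($i, a, ":"); src = a[3] }
            else if (index($i, "tcontext=") == 1) { split($i, a, ":"); tgt = a[3] }
            else if (index($i, "tclass=") == 1) { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        if (!(key in order)) { order[key] = ++nkeys; keylist[nkeys] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) permset[key, p[j]] = 1
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            key = keylist[k]
            m = 0
            for (kp in permset) {
                split(kp, parts, SUBSEP)
                if (parts[1] == key) plist[++m] = parts[2]
            }
            # insertion sort: stable output regardless of awk hash order
            for (x = 2; x <= m; x++) {
                v = plist[x]; y = x - 1
                while (y > 0 && plist[y] > v) { plist[y + 1] = plist[y]; y-- }
                plist[y + 1] = v
            }
            out = ""
            for (x = 1; x <= m; x++) out = out " " plist[x]
            printf "allow %s {%s };\n", key, out
        }
    }'
}

# avc_to_module NAME VERSION: emit a complete .te file for the AVC lines on stdin,
# declaring every type the rules reference in the require {} block.
avc_to_module() {
    avc=$(cat)
    printf 'policy_module(%s, %s)\n\nrequire {\n' "$1" "$2"
    printf '%s\n' "$avc" | avc_to_rules \
        | awk '{ t = $3; sub(/:.*/, "", t); print $2; print t }' \
        | sort -u \
        | awk '{ printf "\ttype %s;\n", $1 }'
    printf '};\n\n'
    printf '%s\n' "$avc" | avc_to_rules
}

# Demo on the constructed sample; on a real node feed it
# "ausearch -m avc -c selinux_avcstat" output instead.
printf '%s\n' "$SAMPLE_AVC" | avc_to_module munin_local 0.0.1
```

For the sample this prints a module with `allow munin_t security_t:dir { search };` and `allow munin_t security_t:file { open read };`, which is the shape of rule Kurt's snippet was aiming at. On Fedora the resulting munin_local.te is built and loaded with `make -f /usr/share/selinux/devel/Makefile munin_local.pp && semodule -i munin_local.pp`; the stock tool for the same job is `audit2allow -M munin_local`. Either way, read each generated rule before loading it rather than granting everything the log asks for: a denial on an unrelated path (or one that a dontaudit rule should simply silence) will otherwise turn into a permanent permission for the munin_t domain.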
