at a loss with a problem: munin-node df

Daniel J Walsh dwalsh at redhat.com
Wed Mar 31 13:18:38 UTC 2010


On 03/30/2010 06:10 PM, pbdlists at pinboard.com wrote:
> Hi all,
>
> I'm quite at a loss with this one and would be thankful if somebody
> could point out where my thinking is wrong and possibly what would be
> the most appropriate way to fix the issue.
>
> I've got a F12 machine with httpd, git and munin (server and node)
> installed. Things work fine except that munin-node gets an avc denied
> when running df.
>
> Running 'munin-run df' on the command line works fine, but telnetting to
> port 4949 and issuing the command 'fetch df', which should basically do
> the same, returns a '# Bad exit' message and the following selinux logs:
>
>    type=AVC msg=audit(1269984513.464:737891): avc:  denied  { search } for  pid=29383 comm="df" name="git" dev=vdb1 ino=918433 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:httpd_git_content_t:s0 tclass=dir
>    type=SYSCALL msg=audit(1269984513.464:737891): arch=c000003e syscall=137 success=yes exit=128 a0=b32df0 a1=7fffc9958bf0 a2=7fffc9959490 a3=3237e7ea20 items=0 ppid=29382 pid=29383 auid=0 uid=801 gid=801 euid=801 suid=801 fsuid=801 egid=801 sgid=801 fsgid=801 tty=(none) ses=13057 comm="df" exe="/bin/df" subj=unconfined_u:system_r:munin_t:s0 key=(null)
>
> user and group 801 are the munin user:
>
>    # getent passwd 801
>    munin:x:801:801:Munin user:/var/lib/munin:/sbin/nologin
>    # getent group 801
>    munin:x:801:
>
> inode 918433 is the directory /var/www/git on /dev/vd1:
>
>    # ls -ldi /var/www/git
>    918433 drwxr-xr-x. 3 root root 4096 2010-03-27 20:12 /var/www/git
>    # df -h /var/www /var/www/git/repos
>    Filesystem            Size  Used Avail Use% Mounted on
>    /dev/vdb1              20G   12G  6.8G  64% /var/www
>    /dev/vde1              20G  4.4G   15G  24% /var/www/git/repos
>
> As can be seen above, /var/www/git/repos is a mountpoint. It does have
> the same context as /var/www/git, as well as a few more items:
>
>    # find /var/www -context "system_u:object_r:httpd_git_content_t:s0" -ls
>    918433    4 drwxr-xr-x   3 root     root         4096 Mar 27 20:12 /var/www/git
>    919158    4 -rw-r--r--   1 root     root          115 Dec 24 00:00 /var/www/git/git-favicon.png
>    919159    4 -rw-r--r--   1 root     root          207 Dec 24 00:00 /var/www/git/git-logo.png
>    919161   12 -rw-r--r--   1 root     root         8379 Dec 24 00:00 /var/www/git/gitweb.css
>         2    4 dr-xr-xr-x  21 autocheckout autocheckout     4096 Feb 23 22:06 /var/www/git/repos
>        11   16 drwx------   2 root     root        16384 Feb  8 20:00 /var/www/git/repos/lost+found
>
> The port, which munin-node is listening on, is labelled with
> munin_port_t, which is, I believe, the reason things work from the
> command line but not via the network:
>
>    # semanage port -l | grep 4949
>    munin_port_t                   tcp      4949
>    munin_port_t                   udp      4949
>
> Up to here I still understand things, by connecting to port 4949 my
> connection gets the context munin_t and somehow that is not allowed
> to do a search on httpd_git_content_t. The following test-policy in
> fact would take care of this problem (tested):
>
>    policy_module(kktest,0.0.1)
>
>    require {
>            type munin_t;
>            type httpd_git_content_t;
>    };
>
>    bool allow_kktest false;
>    if (allow_kktest) {
>      allow munin_t httpd_git_content_t : dir { search } ;
>    } else {
>    };
>
> But what I simply cannot understand is why I do not get any avc
> denials, even without my test policy module, in the following two
> cases:
>
> 1) By changing the type of /var/www/git to something else,
>     like httpd_sys_content_t:
>
>       chcon -t httpd_sys_content_t /var/www/git
>
>     I still have other directories with the same type /var/www/git
>     previously had and they don't cause any problem.
>
> 2) By leaving /var/www/git at type httpd_git_content_t, which normally
>     causes the problems, but umounting the filesystem below it:
>
>      umount /var/www/git/repos
>
> What the heck am I missing? And would my test module not merely be a
> working but also a correct solution? (Guess I could answer the second
> question myself, once I get the first mystery solved.)
>
> Thanks a lot,
>
> Kurt
>
>    
df is searching through all of the toplevel mountpoint directories, df 
does not search through any of the subdirectories.

If the top level directory is labeled httpd_sys_content_t, munin_t has 
policy that allows it to search.

# sesearch -A -s munin_t -t httpd_sys_content_t -c dir
Found 2 semantic av rules:
    allow daemon httpd_sys_content_t : dir { getattr search open } ;
    allow munin_t httpd_sys_content_t : dir { getattr search open } ;

If the directory is labeled httpd_git_content_t, there is no rule to 
allow git to search.

# sesearch -A -s munin_t -t httpd_git_content_t -c dir


Your custom policy does not need a boolean.  I would just add

     allow munin_t httpd_git_content_t : dir { search getattr };

And you are done.
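To make the reasoning in this reply concrete, here is an added example (not code from either poster): it parses the AVC record Kurt quoted, derives the minimal allow rule Dan suggests, and then works out from a mount table which directories df has to search, so you can see why relabelling /var/www/git or unmounting /var/www/git/repos makes the denial disappear. The mount list and directory labels are constructed samples taken from the figures in the thread; the function names are this example's own.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the AVC record from the original mail, on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1269984513.464:737891): avc:  denied  { search } for  '
    'pid=29383 comm="df" name="git" dev=vdb1 ino=918433 '
    'scontext=unconfined_u:system_r:munin_t:s0 '
    'tcontext=system_u:object_r:httpd_git_content_t:s0 tclass=dir'
)

# Constructed samples mirroring the thread: mount points and the labels that matter.
SAMPLE_MOUNTS = ["/", "/var/www", "/var/www/git/repos"]
SAMPLE_LABELS = {
    "/var/www": "httpd_sys_content_t",
    "/var/www/git": "httpd_git_content_t",
}

AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Pull decision, permissions, source/target types and class out of one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = m.groupdict()
    avc["perms"] = avc["perms"].split()
    # A context is user:role:type:level; the type is the third field.
    avc["stype"] = avc["scontext"].split(":")[2]
    avc["ttype"] = avc["tcontext"].split(":")[2]
    kv = dict(re.findall(r'\b(\w+)=("[^"]*"|\S+)', line))
    avc["comm"] = kv.get("comm", "").strip('"')
    return avc


def allow_rule(avc, extra_perms=()):
    """Render the smallest allow rule covering the denial (plus any extra perms)."""
    perms = sorted(set(avc["perms"]) | set(extra_perms))
    return f"allow {avc['stype']} {avc['ttype']} : {avc['tclass']} {{ {' '.join(perms)} }};"


def df_search_dirs(mountpoints):
    """Directories df must have 'search' on: every ancestor of every mount point.

    df only stats the mount points themselves, so only path components leading
    to a mount point are traversed; nothing below a mount point is visited.
    """
    needed = set()
    for mp in mountpoints:
        for parent in PurePosixPath(mp).parents:  # excludes the mount point itself
            needed.add(str(parent))
    return needed


def blocking_paths(avc, mountpoints, labels):
    """Which traversed directories carry the denied target type (labels: path -> type)."""
    needed = df_search_dirs(mountpoints)
    return sorted(d for d in needed if labels.get(d) == avc["ttype"])


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("suggested rule:", allow_rule(avc, extra_perms=("getattr",)))
    print("df must search:", sorted(df_search_dirs(SAMPLE_MOUNTS)))
    print("offending dirs with repos mounted:", blocking_paths(avc, SAMPLE_MOUNTS, SAMPLE_LABELS))
    print("offending dirs with repos unmounted:", blocking_paths(avc, ["/", "/var/www"], SAMPLE_LABELS))
```

Running it shows the denial only exists because /var/www/git is a path component of the /var/www/git/repos mount point: drop that mount (Kurt's case 2) or give /var/www/git a type munin_t may already search (case 1) and the traversed set no longer contains a directory of type httpd_git_content_t. The rule it prints is the one Dan proposes; confirm it is not already present with `sesearch -A -s munin_t -t httpd_git_content_t -c dir` before adding it to a module.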
