04-09-2010, 12:44 PM
Gabriele Pohl

munin-run has other SELinux privileges than munin-node

Hi,

Some sentences on the background of the
question I will ask below:

"munin-run" is a utility delivered with the
package "munin-node". Its purpose is testing
the execution of munin plugins in an environment
that is equivalent to the execution when called by
the daemon "munin-node".

When exploring the new Munin version 1.4.4
on Fedora Core 12 I found out that this
does not work in the sense of testing
"SELinux privileges".

I got reasonable values from a plugin,
when I run it on the node:

----- 8< -----
# munin-run selinux_avcstat
lookups.value 25863367
hits.value 25837715
misses.value 25652
allocations.value 25657
reclaims.value 24624
frees.value 25156
----- >8 -----

and get "Unknown" values when I fetch the
values from munin-node by the master via telnet:

----- 8< -----
# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value U
hits.value U
misses.value U
allocations.value U
reclaims.value U
frees.value U
.
----- >8 -----

After setting SELinux mode to *permissive*
it worked for munin-node as well:

# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value 33223592
hits.value 33194702
misses.value 28890
allocations.value 28900
reclaims.value 27856
frees.value 28392
.

Now my questions:

1. Why was it possible to get values (read
the file /selinux/avc/cache_stats)
when calling the plugin with munin-run
and also directly under user "munin"

----- 8< -----
sudo -u munin /etc/munin/plugins/selinux_avcstat
lookups.value 29744406
hits.value 29717050
misses.value 27356
allocations.value 27361
reclaims.value 26320
frees.value 26852
----- >8 -----

but not for "munin-node"?

Because this is a daemon?

2. Is it possible to create a tool
"munin-run" that is able to test the
SELinux issues for munin-node also?

3. What rule will I have to add to my
Munin Policy to allow munin-node to read
the file /selinux/avc/cache_stats?

4. Is there no QA on Munin's standard plugin
collection delivered by Fedora?

These SELinux issues one gets every time with the
Munin packages are really annoying...

*sigh* and best regards,

Gabriele

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
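A way to automate the comparison made in this post, as an added example that is not code from the thread or from the Munin project: it parses plugin output, speaks the munin-node fetch protocol on port 4949 and lists the fields that are numeric under munin-run but "U" from the daemon. The sample outputs are constructed from the figures quoted above; the live functions assume munin-run is on PATH and munin-node listens on localhost.

```python
# Added example (not from the thread): compare a plugin's output under "munin-run"
# with what munin-node returns over its TCP protocol on port 4949. A field that is
# numeric under munin-run but "U" (unknown) from the node is the divergence above.
import socket
import subprocess

UNKNOWN = "U"  # munin's marker for "value unavailable"

# Constructed samples, taken from the outputs quoted in the post above.
SAMPLE_RUN = "lookups.value 25863367\nhits.value 25837715\nmisses.value 25652\n"
SAMPLE_NODE = "# munin node at localhost\nlookups.value U\nhits.value U\nmisses.value U\n.\n"

def parse_values(text):
    """Map 'field.value <v>' lines to {field: v}; skip the '#' banner and the '.' terminator."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == ".":
            continue
        key, _, value = line.partition(" ")
        if key.endswith(".value"):
            values[key[:-len(".value")]] = value
    return values

def diverging_fields(run_output, node_output):
    """Fields that are numeric under munin-run but 'U' from munin-node, sorted."""
    run_vals, node_vals = parse_values(run_output), parse_values(node_output)
    return sorted(f for f, v in node_vals.items()
                  if v == UNKNOWN and run_vals.get(f, UNKNOWN) != UNKNOWN)

def fetch_from_node(plugin, host="localhost", port=4949, timeout=5.0):
    """Munin-node protocol: read the banner, send 'fetch <plugin>', read up to the lone '.'."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as f:
        lines = [f.readline()]                       # banner: "# munin node at <host>"
        sock.sendall(f"fetch {plugin}\n".encode("ascii"))
        for raw in f:                                # the answer ends with a line holding only "."
            lines.append(raw)
            if raw.strip() == b".":
                break
    return b"".join(lines).decode("ascii", "replace")

def run_locally(plugin):
    """Run the same plugin through munin-run for comparison (as root, like in the post)."""
    return subprocess.run(["munin-run", plugin], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    print(diverging_fields(SAMPLE_RUN, SAMPLE_NODE))  # offline demo: ['hits', 'lookups', 'misses']
    # On a real node: diverging_fields(run_locally("selinux_avcstat"), fetch_from_node("selinux_avcstat"))
```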
 
04-12-2010, 09:34 PM

munin-run has other SELinux privileges than munin-node

Hi Gabriele,

Your 1st question:

The port 4949, which munin-node uses, does have its own security label.
All connections through that port get that label:
# semanage port -l | grep 4949
munin_port_t tcp 4949
munin_port_t udp 4949

There are, however, no special rules for the user munin when it logs
in:
# semanage user -l | grep munin
# semanage login -l | grep munin

Your 2nd question:

I think it should be possible to create some custom rule so munin does
get another context when logging in. But neither do I do enough SELinux
tweaking to know how exactly to do that, nor do I think it would be wise
to fiddle that way. Creating some boolean to switch things on and off
might be preferable.

Your 3rd question:

Again, I don't do enough SELinux work to answer this off the top of my
head or without looking at the exact SELinux messages. Have a look at
the AVC messages in /var/log/audit/audit.log. From there, the following
(untested and surely not really working) snippet might at least be some
starting point to get you started in the right direction:


policy_module(test, 0.0.1)

require {
	type munin_t;
	type security_t;
};

# let munin_t (the domain munin-node runs in) look up entries in /selinux/avc
allow munin_t security_t:dir search;
# ...and read files there, such as /selinux/avc/cache_stats
# (the original snippet only covered the directory class)
allow munin_t security_t:file { getattr open read };

I agree, SELinux issues with munin aren't a joy, but one has to remember
that munin tries to get quite a lot of info out of the system from
various places. And if you do want to have that secured, it is a chore.

Hope this helps somewhat to get you onto the right track.

Cheers,

Kurt

On Fri, Apr 09, 2010 at 02:44:47PM +0200, Gabriele Pohl wrote:
> [...]
 
04-13-2010, 08:14 PM
Gabriele Pohl

munin-run has other SELinux privileges than munin-node

Hi Kurt,

thanks for your detailed answer!

On Mon, 2010-04-12 at 23:34 +0200, pbdlists@pinboard.com wrote:
> Your 1st question:
> > and get "Unknown" values, when I fetch the
> > values from munin-node by master via telnet:
> > After setting SELinux mode to *permissive*
> > it worked
>
> The port 4949, which munin-node uses, does have its own security label.

This is _not_ an issue of the telnet connection, as in
this way I get reasonable values from many other plugins.

The problem is the different behaviour when
the plugin is executed by munin-node (the daemon)
and by munin-run.

Very strange is that I don't get AVC denials
when the fetch via munin-node fails...

I opened a bug-report on this:
https://bugzilla.redhat.com/show_bug.cgi?id=581270

> Your 2nd question:
>
> I think it should be possible to create some custom rule
> so munin does get another context when logging in.

The question is how to change / enhance the utility
"munin-run", which is a Perl script, so that it
behaves in the same manner as "munin-node" (which is
a Perl script also, but runs as a daemon) with respect
to the SELinux restrictions.

The plugin selinux_avcstat should give the same
result when executed by "munin-run" and by "munin-node".

[QA of the standard plugins]

> I agree, SELinux issues with munin aren't a joy, but one has to remember
> that munin tries to get quite a lot of info out of the system from
> various places. And if you do want to have that secured, it is a chore.

As Fedora installs SELinux in enforcing mode
and does not warn or recommend setting it to permissive mode
when it installs munin-node, I see it as an essential task
of the distributor to check whether the packages
work together in the default installation.

With kind regards,

Gabriele

--
Dipohl ~ Creations with sense and mind
www.dipohl.com

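Kurt's advice to derive the missing rule from the AVC messages in /var/log/audit/audit.log, together with Gabriele's observation that no denials showed up, as an added example that is not part of the thread: it collapses AVC records into allow rules of the form Kurt's snippet uses and, when a source type has no denials at all, points at dontaudit rules (semodule -DB) as the next thing to check. The audit lines are constructed; only the type names munin_t and security_t come from the thread.

```python
# Added example (not from the thread): derive candidate "allow" rules from AVC
# denial records in /var/log/audit/audit.log, the way audit2allow does, and
# explain an empty result. Log lines below are constructed; only the type names
# munin_t and security_t come from the thread.
import re
from collections import defaultdict

# Constructed audit.log excerpt (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1270814687.123:4242): avc:  denied  { search } for  pid=2201 comm="selinux_avcstat" name="avc" dev=selinuxfs ino=4 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1270814687.124:4243): avc:  denied  { read } for  pid=2201 comm="selinux_avcstat" name="cache_stats" dev=selinuxfs ino=9 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1270814687.124:4244): avc:  denied  { open } for  pid=2201 comm="selinux_avcstat" path="/selinux/avc/cache_stats" dev=selinuxfs ino=9 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1270814687.124:4244): arch=c000003e syscall=2 success=no exit=-13 comm="selinux_avcstat"
"""

# Fields of an AVC record: permissions, source type, target type, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)")

def parse_denials(log_text):
    """Yield (source type, target type, class, permission) for each AVC 'denied' record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m["perms"].split():
                yield m["stype"], m["ttype"], m["tclass"], perm

def allow_rules(log_text, source=None):
    """Collapse denials into 'allow S T:class { perms };' lines, optionally for one source type."""
    perms = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log_text):
        if source is None or stype == source:
            perms[(stype, ttype, tclass)].add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def diagnose(log_text, source):
    """Rules for `source`, or the next check when the log shows no denial at all."""
    rules = allow_rules(log_text, source)
    if rules:
        return rules
    # A failing operation with no AVC record is often silenced by a dontaudit rule;
    # semodule -DB rebuilds the policy without them, semodule -B restores it afterwards.
    return [f"# no AVC denials for {source} found; retry after 'semodule -DB' (then 'semodule -B')"]

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_AUDIT_LOG, "munin_t")))
```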
 
