Hi all,

I'm quite at a loss with this one and would be thankful if somebody could point out where my thinking is wrong and possibly what would be the most appropriate way to fix the issue.

I've got an F12 machine with httpd, git and munin (server and node) installed. Things work fine except that munin-node gets an AVC denial when running df. Running 'munin-run df' on the command line works fine, but telnetting to port 4949 and issuing the command 'fetch df', which should basically do the same, returns a '# Bad exit' message and the following SELinux logs:

    type=AVC msg=audit(1269984513.464:737891): avc: denied { search } for pid=29383 comm="df" name="git" dev=vdb1 ino=918433 scontext=unconfined_u:system_r:munin_t:s0 tcontext=system_u:object_r:httpd_git_content_t:s0 tclass=dir
    type=SYSCALL msg=audit(1269984513.464:737891): arch=c000003e syscall=137 success=yes exit=128 a0=b32df0 a1=7fffc9958bf0 a2=7fffc9959490 a3=3237e7ea20 items=0 ppid=29382 pid=29383 auid=0 uid=801 gid=801 euid=801 suid=801 fsuid=801 egid=801 sgid=801 fsgid=801 tty=(none) ses=13057 comm="df" exe="/bin/df" subj=unconfined_u:system_r:munin_t:s0 key=(null)

User and group 801 are the munin user:

    # getent passwd 801
    munin:x:801:801:Munin user:/var/lib/munin:/sbin/nologin
    # getent group 801
    munin:x:801:

Inode 918433 is the directory /var/www/git on /dev/vd1:

    # ls -ldi /var/www/git
    918433 drwxr-xr-x. 3 root root 4096 2010-03-27 20:12 /var/www/git
    # df -h /var/www /var/www/git/repos
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/vdb1              20G   12G  6.8G  64% /var/www
    /dev/vde1              20G  4.4G   15G  24% /var/www/git/repos

As can be seen above, /var/www/git/repos is a mountpoint. It does have the same context as /var/www/git, as well as a few more items:

    # find /var/www -context "system_u:object_r:httpd_git_content_t:s0" -ls
    918433    4 drwxr-xr-x   3 root         root          4096 Mar 27 20:12 /var/www/git
    919158    4 -rw-r--r--   1 root         root           115 Dec 24 00:00 /var/www/git/git-favicon.png
    919159    4 -rw-r--r--   1 root         root           207 Dec 24 00:00 /var/www/git/git-logo.png
    919161   12 -rw-r--r--   1 root         root          8379 Dec 24 00:00 /var/www/git/gitweb.css
         2    4 dr-xr-xr-x  21 autocheckout autocheckout  4096 Feb 23 22:06 /var/www/git/repos
        11   16 drwx------   2 root         root         16384 Feb  8 20:00 /var/www/git/repos/lost+found

The port which munin-node is listening on is labelled munin_port_t, which is, I believe, the reason things work from the command line but not via the network:

    # semanage port -l | grep 4949
    munin_port_t                   tcp      4949
    munin_port_t                   udp      4949

Up to here I still understand things: by connecting to port 4949 my connection gets the context munin_t, and somehow that is not allowed to do a search on httpd_git_content_t. The following test policy in fact would take care of this problem (tested):

    policy_module(kktest,0.0.1)

    require {
        type munin_t;
        type httpd_git_content_t;
    };

    bool allow_kktest false;

    if (allow_kktest) {
        allow munin_t httpd_git_content_t : dir { search } ;
    } else {
    };

But what I simply cannot understand is why I do not get any AVC denials, even without my test policy module, in the following two cases:

1) By changing the type of /var/www/git to something else, like httpd_sys_content_t:

       chcon -t httpd_sys_content_t /var/www/git

   I still have other directories with the same type /var/www/git previously had, and they don't cause any problem.

2) By leaving /var/www/git at type httpd_git_content_t, which normally causes the problems, but umounting the filesystem below it:

       umount /var/www/git/repos

What the heck am I missing? And would my test module not merely be a working but also a correct solution? (Guess I could answer the second question myself, once I get the first mystery solved.)

Thanks a lot,
Kurt

-- 
----------------------------------------------------------------------
: Kurt@xxxxxxxxxxxx                  http://www.pinboard.com/ business :
: http://kurt.www.pinboard.com/                               private :
----------------------------------------------------------------------
: Unix and Internet Specialist                                        :
: PGP fingerprint 7D6F 672A D30C CB86 30F3 88E4 194C 9BCB C382 DC4A   :
----------------------------------------------------------------------

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux