munin-run has other SELinux privileges as munin-node

Gabriele Pohl <gp@xxxxxxxxxx> · Fri, 09 Apr 2010 14:44:47 +0200

Hi,

some sentences on the background of the 
question I will ask below:

"munin-run" is a utility delivered with the
package "munin-node". Its purpose is testing
the execution of munin plugins in an environment
that is equate to the execution when called by 
daemon "munin-node".

When exploring the new Munin version 1.4.4 
on Fedora Core 12 I found out, that this 
does not work in sense of testing 
"SELinux-Privileges".

I got reasonable values from a plugin, 
when I run it on the node:

----- 8< -----
# munin-run selinux_avcstat 
lookups.value 25863367
hits.value 25837715
misses.value 25652
allocations.value 25657
reclaims.value 24624
frees.value 25156
----- >8 -----

and get "Unknown" values, when I fetch the 
values from munin-node by master via telnet:

----- 8< -----
# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value U
hits.value U
misses.value U
allocations.value U
reclaims.value U
frees.value U
.
----- >8 -----

After setting SELinux mode to *permissive*
it worked also for the munin-node:

# telnet localhost 4949
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
# munin node at localhost
fetch selinux_avcstat
lookups.value 33223592
hits.value 33194702
misses.value 28890
allocations.value 28900
reclaims.value 27856
frees.value 28392
.

Now my question:

1. Why was it possible to get values (read
the file: /selinux/avc/cache_stats)
when calling the plugin with munin-run
and also directly under user "munin"

----- 8< -----
sudo -u munin /etc/munin/plugins/selinux_avcstat 
lookups.value 29744406
hits.value 29717050
misses.value 27356
allocations.value 27361
reclaims.value 26320
frees.value 26852
----- >8 -----

but not for "munin-node"?

Because this is a daemon?

2. Is it possible to create a tool
"munin-run" that is able to test the
SELinux issues for munin-node also?

3. What rule will I have to add to my
Munin Policy to allow munin-node to read 
the file /selinux/avc/cache_stats?

4. I there no QA on munins standard plugin
collection delivered by Fedora?

These SELinux issues one gets everytime with the
Munin-Packages are really annoying..

*sigh* and best regards,

Gabriele

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux