Hi Gabriele,

Your 1st question: The port 4949, which munin-node uses, does have its own security label. All connections through that port get that label:

  # semanage port -l | grep 4949
  munin_port_t                   tcp      4949
  munin_port_t                   udp      4949

There are, however, no special rules for the user munin when it logs in:

  # semanage user -l | grep munin
  # semanage login -l | grep munin

Your 2nd question: I think it should be possible to create some custom rule so munin does get another context when logging in. But neither do I do enough SELinux tweaking to know how exactly to do that, nor do I think it would be wise to fiddle that way. Creating some boolean to switch things on and off might be preferable.

Your 3rd question: Again, I don't do enough SELinux work to answer this from the top of my head or without looking at the exact selinux messages. Have a look at the avc messages in /var/log/audit/audit.log. From there, the following (untested and surely not really working) snippet might at least be some starting point to get you going in the right direction:

  policy_module(test, 0.0.1)

  require {
          type munin_t;
          type security_t;
  }

  # search the /selinux/avc directory, then read the cache_stats file in it
  allow munin_t security_t:dir { search read };
  allow munin_t security_t:file { read open getattr };

I agree, SELinux issues with munin aren't a joy, but one has to remember that munin tries to get quite a lot of info out of the system from various places. And if you do want to have that secured, it is a chore.

Hope this helps somewhat to get you onto the right track.

Cheers,
Kurt

On Fri, Apr 09, 2010 at 02:44:47PM +0200, Gabriele Pohl wrote:
> Hi,
>
> some sentences on the background of the
> question I will ask below:
>
> "munin-run" is a utility delivered with the
> package "munin-node". Its purpose is testing
> the execution of munin plugins in an environment
> that is equivalent to the execution when called by
> daemon "munin-node".
>
> When exploring the new Munin version 1.4.4
> on Fedora Core 12 I found out that this
> does not work in the sense of testing
> "SELinux-Privileges".
>
> I got reasonable values from a plugin
> when I run it on the node:
>
> ----- 8< -----
> # munin-run selinux_avcstat
> lookups.value 25863367
> hits.value 25837715
> misses.value 25652
> allocations.value 25657
> reclaims.value 24624
> frees.value 25156
> ----- >8 -----
>
> and get "Unknown" values when I fetch the
> values from munin-node by master via telnet:
>
> ----- 8< -----
> # telnet localhost 4949
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> # munin node at localhost
> fetch selinux_avcstat
> lookups.value U
> hits.value U
> misses.value U
> allocations.value U
> reclaims.value U
> frees.value U
> .
> ----- >8 -----
>
> After setting SELinux mode to *permissive*
> it worked also for the munin-node:
>
> # telnet localhost 4949
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> # munin node at localhost
> fetch selinux_avcstat
> lookups.value 33223592
> hits.value 33194702
> misses.value 28890
> allocations.value 28900
> reclaims.value 27856
> frees.value 28392
> .
>
> Now my question:
>
> 1. Why was it possible to get values (read
> the file: /selinux/avc/cache_stats)
> when calling the plugin with munin-run
> and also directly under user "munin"
>
> ----- 8< -----
> sudo -u munin /etc/munin/plugins/selinux_avcstat
> lookups.value 29744406
> hits.value 29717050
> misses.value 27356
> allocations.value 27361
> reclaims.value 26320
> frees.value 26852
> ----- >8 -----
>
> but not for "munin-node"?
>
> Because this is a daemon?
>
> 2. Is it possible to create a tool
> "munin-run" that is able to test the
> SELinux issues for munin-node also?
>
> 3. What rule will I have to add to my
> Munin Policy to allow munin-node to read
> the file /selinux/avc/cache_stats?
>
> 4. Is there no QA on munin's standard plugin
> collection delivered by Fedora?
>
> These SELinux issues one gets every time with the
> Munin-Packages are really annoying..
>
> *sigh* and best regards,
>
> Gabriele
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
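Editor's note, added to the thread rather than taken from either mail: the asymmetry Gabriele describes comes from the SELinux domain, not the Unix user. A daemon started by init transitions into the confined munin_t domain that Kurt's snippet names, whereas `sudo -u munin` and `munin-run` run the plugin in the caller's (typically unconfined) domain, so the same file read succeeds there and is denied for the daemon; `ps -eZ | grep munin-node` shows the running domain. Kurt's advice is to start from the avc records in /var/log/audit/audit.log, and the script below shows what that step produces. It is an added example, not munin or Fedora policy code: it parses AVC denial records, keeps only those for one command, and groups the denied permissions by (source type, target type, class), which is exactly the shape of an `allow` rule. The log lines are constructed for the example; the only detail taken from the thread is that /selinux/avc/cache_stats is labelled security_t and read by munin_t.

```python
"""Turn SELinux AVC denials into a minimal policy module (.te) skeleton.

Added example, not code from the original thread. It reads audit.log-style
records, keeps the denials for one command (comm), and groups the denied
permissions by (source type, target type, object class), which is the shape
of an `allow` rule. SAMPLE_LOG is constructed for the example.
"""
import re
from collections import defaultdict

# The parts of an AVC record that an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: the munin-node denials one would expect for reading
# /selinux/avc/cache_stats (labelled security_t), plus noise to be filtered:
# an unrelated sshd denial and a SYSCALL record.
SAMPLE_LOG = """\
type=AVC msg=audit(1270817130.101:4411): avc:  denied  { search } for  pid=2875 comm="munin-node" name="avc" dev=selinuxfs ino=17 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1270817130.102:4412): avc:  denied  { read } for  pid=2875 comm="munin-node" name="cache_stats" dev=selinuxfs ino=22 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1270817130.102:4413): avc:  denied  { open } for  pid=2875 comm="munin-node" path="/selinux/avc/cache_stats" dev=selinuxfs ino=22 scontext=system_u:system_r:munin_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1270817131.500:4420): avc:  denied  { name_connect } for  pid=3001 comm="sshd" dest=4949 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:munin_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1270817130.102:4413): arch=c000003e syscall=2 success=no exit=-13 comm="munin-node" exe="/usr/bin/perl"
"""


def type_of(context):
    """user:role:type[:level] -> type (the part an allow rule refers to)."""
    return context.split(":")[2]


def parse_denials(lines, comm=None):
    """Return {(source_type, target_type, tclass): {perms}} for AVC denials.

    If comm is given, only records from that command are kept, so a denial
    hit by some other daemon is not folded into munin's policy.
    """
    rules = defaultdict(set)
    for line in lines:
        if "avc:" not in line or "denied" not in line:
            continue  # granted events, SYSCALL records, etc.
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_module(rules, name="munin_local", version="1.0"):
    """Render the grouped rules as a reference-policy style .te module."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Real use: ausearch -m avc -c munin-node | python3 avc2te.py -
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG.splitlines()
    print(render_module(parse_denials(lines, comm="munin-node")), end="")
```

On the sample input this yields `allow munin_t security_t:dir { search };` and `allow munin_t security_t:file { open read };` under a `require` block for both types; the sshd record is dropped by the comm filter. The stock tool for this job is `audit2allow -M munin_local` fed from `ausearch -m avc -c munin-node`, followed by `semodule -i munin_local.pp`; the script exists to make visible what that pipeline does, because every generated rule should be read before it is loaded. A denial on security_t here only exposes the kernel's AVC statistics, which is what the plugin is for; a denial on something like shadow_t would be a reason to fix the plugin, not to widen munin_t.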