Hi Kurt,

thanks for your detailed answer!

On Mon, 2010-04-12 at 23:34 +0200, pbdlists@xxxxxxxxxxxx wrote:
> Your 1st question:
> > and get "Unknown" values, when I fetch the
> > values from munin-node by master via telnet:
> > After setting SELinux mode to *permissive*
> > it worked
>
> The port 4949, which munin-node uses, does have its own security label.

This is _not_ an issue of the telnet connection, as this way I get reasonable values from many other plugins.

The problem is a different behaviour when the plugin is executed by munin-node (the daemon) and by munin-run.

What is very strange is that I don't get avc-denials when the fetch via munin-node fails.

I opened a bug report on this:
https://bugzilla.redhat.com/show_bug.cgi?id=581270

> Your 2nd question:
>
> I think it should be possible to create some custom rule
> so munin does get another context when logging in.

The question is how to change / enhance the utility "munin-run", which is a Perl script, so that it behaves in the same manner as "munin-node" (which is also a Perl script, but runs as a daemon) with respect to the SELinux restrictions.

The plugin selinux_avcstat should give the same result when executed by "munin-run" and by "munin-node".

[QA of the standard plugins]
> I agree, SELinux issues with munin aren't a joy, but one has to remember
> that munin tries to get quite a lot of info out of the system from
> various places. And if you do want to have that secured, it is a chore.

As Fedora installs SELinux in enforcing mode and does not warn or recommend setting it to permissive mode when it installs munin-node, I see it as an essential task of the distributor to check whether the packages work together in the default installation.

With kind regards,
Gabriele

--
Dipohl ~ Creations with sense and mind
www.dipohl.com