xinetd and su/runuser and dbus

Hello,

Environment:
RHEL 7.2 with all the latest fixes.

The server has the Check_MK agent (check-mk-agent-1.2.6p16-3.el7.x86_64 
from EPEL) installed, and the mk_postgres module has been activated by 
symlinking /usr/share/check-mk-agent/available-plugins/mk_postgres to
/usr/share/check-mk-agent/plugins/mk_postgres

The agent plugin's code may be viewed here:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=agents/plugins/mk_postgres;h=8333eee316a99e634394aee4f3048b6becc56d69;hb=c33010ba2d24c8b81c4e6221f3cd61bade7e7d9e

PostgreSQL version: rh-postgresql94-postgresql 9.4.6-1.el7.x86_64 (from 
RHEL 7's software collections).

Trouble: The Check_MK agent response becomes very slow when the 
mk_postgres agent plugin is activated -- to the extent that checks time 
out, causing monitoring alerts and missing monitoring data.

Meanwhile, in /var/log/audit/audit.log:

type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-
s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return 
dest=:1.19 spid=925 tpid=2851 
scontext=system_u:system_r:systemd_logind_t:s0 
tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus  
exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

The AVC denials pop up when the mk_postgres agent plugin performs a "su" 
to "postgres". Changing the script to use "runuser" instead of "su" does 
not help.
I've found two different ways to fix this; the latter seems best:

1. Stop the dbus.service and dbus.socket services. But this results in a 
subsequent flood of messages like:
Apr 29 21:48:12 hostname su: pam_systemd(su-l:session): Failed to connect 
to system bus: Connection refused

2. Add the following SELinux module:

---------------------------------------
module inetd_dbus 1.0;

require {
    type systemd_logind_t;
    type inetd_child_t;
    class dbus send_msg;
}

#============= systemd_logind_t ==============
allow systemd_logind_t inetd_child_t:dbus send_msg;
---------------------------------------

I wonder if the above SELinux module could become part of the main 
SELinux policy? If so, should I open a Bugzilla request for xinetd, dbus, or 
SELinux?

-- 
Regards,
Troels Arvin

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
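As an added illustration (not part of the post above, nor of Check_MK or the distribution policy), the following hypothetical helper derives a policy module from the USER_AVC line quoted in the message, so the rule it produces can be compared field by field with the hand-written inetd_dbus module before anything is loaded. It handles a single denied permission per line, which is all the quoted denial needs.

```shell
#!/bin/sh
# Rebuild an SELinux policy module (.te) from one USER_AVC denial line.
# Hypothetical helper for review purposes; it mirrors what audit2allow
# would emit for this specific denial and is not a substitute for it.

# Print the SELinux type, i.e. the third field of a context such as
# system_u:system_r:systemd_logind_t:s0-s0:c0.c1023
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te MODULE_NAME AVC_LINE
# Emits a complete module granting exactly the one access that was denied.
# Returns 1 if any of the four fields cannot be extracted.
avc_to_te() {
    name=$1
    line=$2
    src=$(ctx_type "$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')")
    tgt=$(ctx_type "$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')")
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p')
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perm" ] || return 1
    cat <<EOF
module $name 1.0;

require {
    type $src;
    type $tgt;
    class $cls $perm;
}

allow $src $tgt:$cls $perm;
EOF
}

# The denial exactly as quoted in the post, joined onto a single line.
AVC="type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.19 spid=925 tpid=2851 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"

# Write the module text; on a real host it would then be compiled and
# installed with:
#   checkmodule -M -m -o inetd_dbus.mod inetd_dbus.te
#   semodule_package -o inetd_dbus.pp -m inetd_dbus.mod
#   semodule -i inetd_dbus.pp
avc_to_te inetd_dbus "$AVC"
```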



