Package: selinux-policy-default
Version: 2:0.2.20100524-7
Severity: normal
If the munin plugins memory and if_ are configured on a squeeze SELinux system,
then the following AVC denials occur on each munin-node run.
type=1400 audit(1301221206.014:943): avc: denied { net_admin } for pid=10657
comm="mii-tool" capability=12
scontext=system_u:system_r:system_munin_plugin_t:s0
tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=capability
type=1400 audit(1301221206.294:944): avc: denied { net_admin } for pid=10679
comm="mii-tool" capability=12
scontext=system_u:system_r:system_munin_plugin_t:s0
tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=capability
type=1400 audit(1301221206.778:945): avc: denied { getattr } for pid=10706
comm="memory" path="/usr/share/perl5/Munin/Plugin.pm" dev=hda1 ino=166159
scontext=system_u:system_r:system_munin_plugin_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1301221206.778:946): avc: denied { read } for pid=10706
comm="memory" name="5.10" dev=hda1 ino=99308
scontext=system_u:system_r:system_munin_plugin_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=1400 audit(1301221206.778:947): avc: denied { read } for pid=10706
comm="memory" name="5.10" dev=hda1 ino=99308
scontext=system_u:system_r:system_munin_plugin_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=1400 audit(1301221206.846:948): avc: denied { getattr } for pid=10707
comm="memory" path="/usr/share/perl5/Munin/Plugin.pm" dev=hda1 ino=166159
scontext=system_u:system_r:system_munin_plugin_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=file
type=1400 audit(1301221206.846:949): avc: denied { read } for pid=10707
comm="memory" name="5.10" dev=hda1 ino=99308
scontext=system_u:system_r:system_munin_plugin_t:s0
tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
The attached patch fixes the problem for me.
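As an added example, not part of this bug report or of the selinux-policy-default package: the script below rejoins the AVC records quoted above and reduces them audit2allow-style to the one raw rule and the one interface call that such denials translate to, flagging the capability grant because a `self:capability` rule applies to every process in the system_munin_plugin_t domain, not just the command that triggered it. The INTERFACE_HINTS table is a hypothetical, deliberately tiny mapping covering only the usr_t reads seen here; `audit2allow -R` does the real lookup against the installed refpolicy interfaces.

```python
"""Minimal audit2allow-style reduction of AVC denials to policy rules.

Added example, not code from the bug report or from selinux-policy-default.
INTERFACE_HINTS is a hypothetical mapping that only covers what the denials
quoted in the report need; real refpolicy has hundreds of interfaces.
"""
import re
from collections import defaultdict

# The seven AVC records from the report, each wrapped record re-joined onto one line.
AVC_LINES = [
    'type=1400 audit(1301221206.014:943): avc: denied { net_admin } for pid=10657 comm="mii-tool" capability=12 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=capability',
    'type=1400 audit(1301221206.294:944): avc: denied { net_admin } for pid=10679 comm="mii-tool" capability=12 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=capability',
    'type=1400 audit(1301221206.778:945): avc: denied { getattr } for pid=10706 comm="memory" path="/usr/share/perl5/Munin/Plugin.pm" dev=hda1 ino=166159 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=1400 audit(1301221206.778:946): avc: denied { read } for pid=10706 comm="memory" name="5.10" dev=hda1 ino=99308 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file',
    'type=1400 audit(1301221206.778:947): avc: denied { read } for pid=10706 comm="memory" name="5.10" dev=hda1 ino=99308 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file',
    'type=1400 audit(1301221206.846:948): avc: denied { getattr } for pid=10707 comm="memory" path="/usr/share/perl5/Munin/Plugin.pm" dev=hda1 ino=166159 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=1400 audit(1301221206.846:949): avc: denied { read } for pid=10707 comm="memory" name="5.10" dev=hda1 ino=99308 scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical mapping (target type, object class) -> refpolicy interface, valid
# only when every denied permission is read-like.
INTERFACE_HINTS = {
    ("usr_t", "file"): "files_read_usr_files",
    ("usr_t", "lnk_file"): "files_read_usr_files",
    ("usr_t", "dir"): "files_read_usr_files",
}
READ_LIKE = {"read", "getattr", "open", "ioctl", "lock", "search"}


def type_of(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def group_denials(lines):
    """Merge denials sharing (source type, target type, class); keep perms, comms, count."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
        g["count"] += 1
    return dict(groups)


def suggest_rules(lines):
    """Return (rules, warnings): deduplicated policy lines plus review flags."""
    rules, warnings = [], []
    for (stype, ttype, tclass), g in sorted(group_denials(lines).items()):
        perms = " ".join(sorted(g["perms"]))
        iface = INTERFACE_HINTS.get((ttype, tclass))
        if iface and g["perms"] <= READ_LIKE:
            rule = f"{iface}({stype})"
        else:
            target = "self" if stype == ttype else ttype
            rule = f"allow {stype} {target}:{tclass} {perms};"
        if rule not in rules:
            rules.append(rule)
        if tclass == "capability":
            # A capability rule is domain-wide: every plugin in stype gets it.
            comms = ", ".join(sorted(g["comms"]))
            warnings.append(
                f"{rule} grants {{ {perms} }} to every process in {stype}, "
                f"not only to {comms} ({g['count']} denials)"
            )
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = suggest_rules(AVC_LINES)
    print("\n".join(rules))
    for w in warnings:
        print("REVIEW:", w)
```

Running it prints the two policy lines followed by a REVIEW line for the net_admin grant; the same domain-wide reasoning is why a reviewer looks harder at any `self:capability` rule than at an interface call that only widens file reads.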
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i586)
Kernel: Linux 2.6.38-geodelx (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.1-6.1 Pluggable Authentication Modules f
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii libsepol1 2.0.41-1 SELinux library for manipulating b
ii policycoreutils 2.0.82-3 SELinux core policy utilities
ii python 2.6.6-3+squeeze5 interactive high-level object-orie
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.0.22-1 SELinux policy compiler
pn setools <none> (no description available)
Versions of packages selinux-policy-default suggests:
pn logcheck <none> (no description available)
pn syslog-summary <none> (no description available)
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission
denied: u'/etc/selinux/default/modules/active/file_contexts.local'
-- no debconf information
--- selinux-policy-src-2:0.2.20100524-7/policy/modules/services/munin.te
2011-01-13 11:36:57.000000000 +0100
+++ selinux-policy-src/policy/modules/services/munin.te 2011-03-27
11:17:46.000000000 +0200
@@ -294,8 +294,10 @@
#
allow system_munin_plugin_t self:udp_socket create_socket_perms;
+allow system_munin_plugin_t self:capability net_admin;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+files_read_usr_files(system_munin_plugin_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
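Review bot: the added `allow system_munin_plugin_t self:capability net_admin;` grants CAP_NET_ADMIN to every plugin that runs in system_munin_plugin_t, while the denials above come only from mii-tool spawned by the if_ plugin; CAP_NET_ADMIN also covers interface configuration, routing and firewall changes, far more than the MII ioctls mii-tool needs. If if_ still reports correctly when the link-speed lookup fails, `dontaudit system_munin_plugin_t self:capability net_admin;` silences the noise without widening the domain; if the grant really is needed, the changelog should name the plugin that needs it so the rule can be revisited later. The `files_read_usr_files(system_munin_plugin_t)` call matches the Plugin.pm and "5.10" symlink denials (both usr_t) and is the right interface for them, but by refpolicy convention it belongs with the other files_* calls rather than between rw_files_pattern and kernel_read_network_state; since the hunk header announces eight context lines and only five are visible, please check the rest of the block to make sure the domain does not already get usr_t reads through a broader interface further down.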