selinux: avc: denied { setattr } for comm="munin-cgi-graph"
Posted: 2017/04/27 05:05:16
So,
munin is throwing AVCs
Code:
CentOS release 6.9 (Final)
Linux munsrvp01 2.6.32-696.1.1.el6.i686 #1 SMP Tue Apr 11 16:37:48 UTC 2017 i686 i686 i386 GNU/Linux
selinux-policy.noarch 3.7.19-307.el6
selinux-policy-targeted.noarch 3.7.19-307.el6
munin.noarch 2.0.33-1.el6
httpd.i686 2.2.15-59.el6.centos
shell> semanage module -l | grep munin
munin 1.7.0
muninlocal 1.0
Code:
type=AVC msg=audit(1493089265.304:20710): avc: denied { setattr } for pid=7347 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=5791 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
which is consistent with upstream bug (from 2013)
https://bugzilla.redhat.com/show_bug.cgi?id=966635
and the upstream errata would appear to be satisfied at this point
http://rhn.redhat.com/errata/RHBA-2013-1598.html
...yet there it still is... although, that was then and this is now, and who knows what's going on this time, today.
A few minor notes
- My AVCs are not as severe. It's just that one, not the handful on various resources seen in 966635.
- I tried a custom policy, but not only did it not resolve the issue, audit2why admits it has no more clue than I do as to why. Actually, it did fix the issue, so what I got was a good example of running audit2why against stale entries.
Code:
module muninlocal 1.0;
require {
type httpd_munin_script_t;
type fonts_cache_t;
class dir setattr;
}
#============= httpd_munin_script_t ==============
allow httpd_munin_script_t fonts_cache_t:dir setattr;
Code:
type=AVC msg=audit(1493089265.304:20710): avc: denied { setattr } for pid=7347 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=5791 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
The existing fcontext looks like the resource should get labeled correctly.
Code:
shell> semanage fcontext -l | grep fonts_cache_t
/var/cache/fontconfig(/.*)? all files system_u:object_r:fonts_cache_t:s0
...and the resource appears to be labeled.
Code:
shell> ls -laZ /var/cache/fontconfig
drwxr-xr-x. root root system_u:object_r:fonts_cache_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:fonts_cache_t:s0 12b26b760a24f8b4feb03ad48a333a72-le32d4.cache-3
<rhetorical> dare I even broach the question of why some httpd script should even need/have dir setattr on fonts_cache_t? </rhetorical>
I dumped the munin policy with sedismod and it looks to me like they have the setattr on the wrong scontext... or they're trying the operation with the wrong scontext... either way, this policy is never going to allow the app to do what it's trying to do, the way it's trying to do it.
Code:
shell> grep fonts_cache_t munin.out
allow munin_t [fonts_cache_t] : [dir] { ioctl read getattr lock search open };
allow munin_t [fonts_cache_t] : [dir] { getattr search open };
allow munin_t [fonts_cache_t] : [file] { ioctl read getattr lock open };
allow munin_t [fonts_cache_t] : [dir] { getattr search open };
allow munin_t [fonts_cache_t] : [lnk_file] { read getattr };
allow munin_t [fonts_cache_t] : [dir] { setattr };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { ioctl read getattr lock search open };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { getattr search open };
allow httpd_munin_script_t [fonts_cache_t] : [file] { ioctl read getattr lock open };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { getattr search open };
allow httpd_munin_script_t [fonts_cache_t] : [lnk_file] { read getattr };
SO... I guess I have two questions... is this really a bug that needs to be reported to someone, and if so, who? ... and why didn't my policy fix it? I'm not exactly an SELinux novice, but I'm obviously ignorant of some important detail. But I am stupid apparently. The muninlocal policy did fix the selinux AVC, but a munin error that was not actually caused by the policy issue led me to assume, incorrectly, that the issue had not been fixed when in fact it had.
-TIA-
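An added triage helper (my own example, not munin's or the distribution's code) that parses AVC denials like the one in the post, checks each requested permission against allow rules written in either sedismod or .te syntax, and flags events older than the module load time, which is the stale-entry situation audit2why reported above; the second audit line and the load timestamp 1493090000 are constructed.

```python
import re

# Constructed sample: the denial quoted in the post (audit serial 20710) plus a
# second, hypothetical event logged after the muninlocal module was installed.
AUDIT_LINES = """\
type=AVC msg=audit(1493089265.304:20710): avc: denied { setattr } for pid=7347 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=5791 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
type=AVC msg=audit(1493090100.001:20811): avc: denied { write } for pid=7401 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=5791 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
"""
# Rules in sedismod's output format (the httpd_munin_script_t lines from the post).
SEDISMOD_RULES = """\
allow httpd_munin_script_t [fonts_cache_t] : [dir] { ioctl read getattr lock search open };
allow httpd_munin_script_t [fonts_cache_t] : [file] { ioctl read getattr lock open };
allow httpd_munin_script_t [fonts_cache_t] : [lnk_file] { read getattr };
"""
# The one rule muninlocal.te adds, in .te syntax.
MUNINLOCAL_RULE = "allow httpd_munin_script_t fonts_cache_t:dir setattr;\n"

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\).*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")
# Accepts both "src [tgt] : [cls] { p1 p2 };" (sedismod) and "src tgt:cls p;" (.te).
RULE_RE = re.compile(
    r"allow\s+(?P<src>\w+)\s+\[?(?P<tgt>\w+)\]?\s*:\s*\[?(?P<cls>\w+)\]?"
    r"\s*(?:\{(?P<many>[^}]*)\}|(?P<one>\w+))\s*;")

def parse_rules(text):
    """Return {(source_type, target_type, class): set(permissions)}."""
    allowed = {}
    for m in RULE_RE.finditer(text):
        perms = (m["many"] or m["one"]).split()
        allowed.setdefault((m["src"], m["tgt"], m["cls"]), set()).update(perms)
    return allowed

def triage(audit_text, rules_text, module_loaded_at=None):
    """For each denial: the permissions the rules still do not grant, and whether
    the event predates the module load (audit2why would call that a mismatch)."""
    allowed = parse_rules(rules_text)
    report = []
    for m in AVC_RE.finditer(audit_text):
        src = m["scon"].split(":")[2]          # user:role:TYPE:level
        tgt = m["tcon"].split(":")[2]
        wanted = set(m["perms"].split())
        missing = sorted(wanted - allowed.get((src, tgt, m["tclass"]), set()))
        stale = module_loaded_at is not None and int(m["ts"]) < module_loaded_at
        report.append({"serial": int(m["serial"]), "missing": missing, "stale": stale})
    return report

if __name__ == "__main__":
    for r in triage(AUDIT_LINES, SEDISMOD_RULES + MUNINLOCAL_RULE, 1493090000):
        print(r)
```

audit2why only consults the policy loaded now, so a denial logged before `semodule -i` ran reports "would be allowed by active policy"; compare the audit timestamp with the module's install time before concluding the module did not work.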