View Issue Details

ID: 0017637
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2020-07-31 15:11
Reporter: hndrcksn
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
OS Version: 7
Summary: 0017637: SELinux is preventing /usr/bin/perl from 'read' accesses on the file /etc/munin/munin.conf.

Description

Description of problem:
Happens when system boots up and continues. I assume munin needs perl to read this file, so the problem should be addressed.
SELinux is preventing /usr/bin/perl from 'read' accesses on the file /etc/munin/munin.conf.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/etc/munin/munin.conf default label should be munin_etc_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
# /sbin/restorecon -v /etc/munin/munin.conf

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that perl should be allowed read access on the munin.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'munin-update' --raw | audit2allow -M my-muninupdate
# semodule -i my-muninupdate.pp

Additional Information:
Source Context system_u:system_r:munin_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /etc/munin/munin.conf [ file ]
Source munin-update
Source Path /usr/bin/perl
Port <Unknown>
Host (removed)
Source RPM Packages perl-5.16.3-295.el7.x86_64
Target RPM Packages munin-2.0.63-1.el7.noarch
Policy RPM selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64
Alert Count 874
First Seen 2020-07-28 09:50:02 EDT
Last Seen 2020-07-31 10:50:01 EDT
Local ID b744dbe5-c0bd-49cd-9e60-4d669d7639d4

Raw Audit Messages
type=AVC msg=audit(1596207001.934:241): avc: denied { read } for pid=4660 comm="munin-update" name="munin.conf" dev="dm-0" ino=101089297 scontext=system_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1596207001.934:241): arch=x86_64 syscall=open success=no exit=EACCES a0=ac3bb0 a1=0 a2=1b6 a3=0 items=0 ppid=4657 pid=4660 auid=4294967295 uid=983 gid=978 euid=983 suid=983 fsuid=983 egid=978 sgid=978 fsgid=978 tty=(none) ses=4294967295 comm=munin-update exe=/usr/bin/perl subj=system_u:system_r:munin_t:s0 key=(null)

Hash: munin-update,munin_t,user_home_t,file,read

Version-Release number of selected component:
Additional Information
reporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-1127.13.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
Tags: No tags attached.




2020-07-31 15:11

manager   ~0037462

I have a very, very strong feeling that your system is mislabeled, resp. at least munin's config file is not labeled as it should be. Can you please follow the first advice given by setroubleshoot and relabel your system? You could run either of the following two commands (I suggest the first one, since maybe more than just a file is mislabeled):
- touch /.autorelabel && reboot (to relabel the whole system)
- restorecon -Rv /etc/munin (to relabel just munin's config directory)
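
The relabel-versus-allow decision discussed in this report, as an added example that is not part of the original report or of setroubleshoot: it parses the AVC record quoted above, prints the rule a local module would have to add, and returns "relabel" when the object's type differs from the policy default. The function names are hypothetical; munin_etc_t is the default type named by the restorecon plugin output above.

```shell
#!/usr/bin/env bash
# Added example (not from the report): classify an AVC denial as a labeling
# problem or a policy gap before anyone reaches for audit2allow.

# The AVC record from this report, embedded so the script runs offline.
SAMPLE_AVC='type=AVC msg=audit(1596207001.934:241): avc: denied { read } for pid=4660 comm="munin-update" name="munin.conf" dev="dm-0" ino=101089297 scontext=system_u:system_r:munin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=value from an audit record.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# context_type CONTEXT: print the type, the third field of user:role:type:level.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*denied *{ \(.*\) } for .*/\1/p'; }

# allow_rule LINE: the rule a local module would have to add to permit the access.
allow_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# policy_default_type PATH: type the loaded policy assigns to PATH.
# Needs an SELinux host (matchpathcon from libselinux-utils).
policy_default_type() { context_type "$(matchpathcon -n "$1")"; }

# triage_avc LINE EXPECTED_TYPE: "relabel" when the object carries a type other
# than the policy default, "policy" when the label is already correct.
triage_avc() {
    actual=$(context_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then echo relabel; else echo policy; fi
}

# Demo; on a live host replace the literal with
# "$(policy_default_type /etc/munin/munin.conf)".
echo "rule a module would add: $(allow_rule "$SAMPLE_AVC")"
echo "verdict: $(triage_avc "$SAMPLE_AVC" munin_etc_t)"
```

A rule of the form "allow munin_t user_home_t:file { read };" would apply to every file labeled user_home_t, not only this config file, which is why the label check comes before any local policy module.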

Issue History

Date Modified | Username | Field | Change
2020-07-31 14:54 | hndrcksn | New Issue |
2020-07-31 15:11 | ManuelWolfshant | Note Added: 0037462 |