Code:
CentOS release 6.9 (Final)
Linux munsrvp01 2.6.32-696.1.1.el6.i686 #1 SMP Tue Apr 11 16:37:48 UTC 2017 i686 i686 i386 GNU/Linux
selinux-policy.noarch 3.7.19-307.el6
selinux-policy-targeted.noarch 3.7.19-307.el6
munin.noarch 2.0.33-1.el6
httpd.i686 2.2.15-59.el6.centos
shell> semanage module -l | grep munin
munin 1.7.0
muninlocal 1.0
Code:
type=AVC msg=audit(1493089265.304:20710): avc: denied { setattr } for pid=7347 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=5791 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
https://bugzilla.redhat.com/show_bug.cgi?id=966635
and the upstream errata would appear to be satisfied at this point
http://rhn.redhat.com/errata/RHBA-2013-1598.html
...yet there it still is... although, that was then and this is now, and who knows what's going on this time, today.
A few minor notes
- My AVCs are not as severe. It's just that one, not the handful on various resources seen in 966635.
- I tried a custom policy, but not only did it not resolve the issue, audit2why admits it has no more clue than I do as to why. Actually, it did fix the issue, so what I got was a good example of running audit2why against stale entries.
Code:
module muninlocal 1.0;
require {
type httpd_munin_script_t;
type fonts_cache_t;
class dir setattr;
}
#============= httpd_munin_script_t ==============
allow httpd_munin_script_t fonts_cache_t:dir setattr;
Code:
type=AVC msg=audit(1493089265.304:20710): avc: denied { setattr } for pid=7347 comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=5791 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Code:
shell> semanage fcontext -l | grep fonts_cache_t
/var/cache/fontconfig(/.*)? all files system_u:object_r:fonts_cache_t:s0
Code:
shell> ls -laZ /var/cache/fontconfig
drwxr-xr-x. root root system_u:object_r:fonts_cache_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:fonts_cache_t:s0 12b26b760a24f8b4feb03ad48a333a72-le32d4.cache-3
<rhetorical> Dare I even broach the question of why some httpd script should even need/have dir setattr on fonts_cache_t? </rhetorical>
Code:
shell> grep fonts_cache_t munin.out
allow munin_t [fonts_cache_t] : [dir] { ioctl read getattr lock search open };
allow munin_t [fonts_cache_t] : [dir] { getattr search open };
allow munin_t [fonts_cache_t] : [file] { ioctl read getattr lock open };
allow munin_t [fonts_cache_t] : [dir] { getattr search open };
allow munin_t [fonts_cache_t] : [lnk_file] { read getattr };
allow munin_t [fonts_cache_t] : [dir] { setattr };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { ioctl read getattr lock search open };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { getattr search open };
allow httpd_munin_script_t [fonts_cache_t] : [file] { ioctl read getattr lock open };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { getattr search open };
allow httpd_munin_script_t [fonts_cache_t] : [lnk_file] { read getattr };
-TIA-
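As an added illustration of what audit2why's "would be allowed by active policy" verdict means here (this is example code written for this page, not the poster's module and not part of the SELinux userland tools): the script below parses the AVC record from the post, checks its denied permission against the allow rules from the `grep fonts_cache_t munin.out` output, and then repeats the check with the muninlocal rule loaded. Before the module, `setattr` is uncovered; after it, the denial is fully covered, which is exactly the state in which audit2why reports a stale entry. It also emits a `.te` rule of the same shape as the muninlocal module. The parser assumes the bracketed `allow src [tgt] : [cls] { perms };` layout seen in munin.out plus plain `.te` syntax, and the `type=` field at the start of the record is left as it appears in the post.

```python
import re
from dataclasses import dataclass

# AVC record exactly as posted in the thread.
AVC_LINE = ('type=AVC msg=audit(1493089265.304:20710): avc: denied { setattr } for pid=7347 '
            'comm="munin-cgi-graph" name="fontconfig" dev=dm-0 ino=5791 '
            'scontext=system_u:system_r:httpd_munin_script_t:s0 '
            'tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir')

# Active-policy rules for fonts_cache_t as posted (grep fonts_cache_t munin.out).
SESEARCH_OUT = """\
allow munin_t [fonts_cache_t] : [dir] { ioctl read getattr lock search open };
allow munin_t [fonts_cache_t] : [dir] { getattr search open };
allow munin_t [fonts_cache_t] : [file] { ioctl read getattr lock open };
allow munin_t [fonts_cache_t] : [lnk_file] { read getattr };
allow munin_t [fonts_cache_t] : [dir] { setattr };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { ioctl read getattr lock search open };
allow httpd_munin_script_t [fonts_cache_t] : [dir] { getattr search open };
allow httpd_munin_script_t [fonts_cache_t] : [file] { ioctl read getattr lock open };
allow httpd_munin_script_t [fonts_cache_t] : [lnk_file] { read getattr };
"""

# The single rule from the poster's muninlocal module, in .te syntax.
MUNINLOCAL_RULE = "allow httpd_munin_script_t fonts_cache_t:dir setattr;"

# "avc: denied { perms } for key=value ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Accepts both "allow src [tgt] : [cls] { p q };" (munin.out style) and
# "allow src tgt:cls perm;" / "allow src tgt:cls { p q };" (.te style).
RULE_RE = re.compile(
    r'^\s*allow\s+\[?(?P<src>[^\]\s:]+)\]?\s+\[?(?P<tgt>[^\]\s:]+)\]?\s*:\s*'
    r'\[?(?P<cls>[^\]\s{]+)\]?\s*(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>\w+))\s*;')


@dataclass(frozen=True)
class Denial:
    perms: frozenset   # permissions the kernel refused
    comm: str          # process name from the record
    source_type: str   # type field of scontext
    target_type: str   # type field of tcontext
    tclass: str        # object class (dir, file, ...)


def parse_avc(line):
    """Extract the source type, target type, class and denied perms from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record: %r" % line)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return Denial(
        perms=frozenset(m.group("perms").split()),
        comm=fields.get("comm", "").strip('"'),
        source_type=m.group("scontext").split(":")[2],  # user:role:type[:range]
        target_type=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
    )


def parse_allow_rules(text):
    """Return (src, tgt, cls, perms) tuples for every allow line; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # module/require/type lines, comments, blanks
        raw = m.group("perms") if m.group("perms") is not None else m.group("perm")
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(raw.split())))
    return rules


def uncovered_perms(denial, rules):
    """Denied permissions that no rule grants; an empty set means the policy now allows it."""
    granted = set()
    for src, tgt, cls, perms in rules:
        if (src, tgt, cls) == (denial.source_type, denial.target_type, denial.tclass):
            granted |= perms
    return set(denial.perms) - granted


def to_te_module(name, version, denials):
    """Render denials as a minimal policy module in the same shape as muninlocal.te."""
    merged = {}
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    types = sorted({t for (s, t, _c) in merged} | {s for (s, _t, _c) in merged})
    classes = {}
    for (_s, _t, c), p in merged.items():
        classes.setdefault(c, set()).update(p)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    d = parse_avc(AVC_LINE)
    print("before muninlocal, uncovered:", uncovered_perms(d, parse_allow_rules(SESEARCH_OUT)))
    print("after  muninlocal, uncovered:",
          uncovered_perms(d, parse_allow_rules(SESEARCH_OUT + MUNINLOCAL_RULE)))
    print(to_te_module("muninlocal", "1.0", [d]))
```

Run against a live system, the rule text would come from `sesearch -A -s httpd_munin_script_t -t fonts_cache_t` rather than the embedded constant; the point of the round trip is that once the generated rule is loaded, the same record yields no uncovered permission, so audit2why can only report that the message predates the active policy.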