munin-monitoring / munin

Main repository for munin master / node / plugins
http://munin-monitoring.org

Endless selinux alerts in /var/log/messages on Rocky Linux 8.7/munin-node 2.0.72 #1535

Open bo-qeye opened 1 year ago

bo-qeye commented 1 year ago

Describe the bug

On a Munin node, there are endless SELinux ethtool warnings in /var/log/messages.

To Reproduce

Steps to reproduce the behavior:

  1. Install Rocky Linux 8.7 and munin-node 2.0.72 on a machine with one or more unused network cards (servers, typically).
  2. Start munin-node.
  3. Poll the node.
  4. Observe errors in /var/log/messages.

Expected behavior

munin-node should be able to gracefully handle unused network cards.

Screenshots & Logs

From /var/log/messages:

Apr  2 03:51:09 hostname_redacted setroubleshoot[1982813]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t. For complete SELinux messages run: sealert -l 446fb356-d191-44e3-99d6-da704ff9f684
Apr  2 03:51:09 hostname_redacted setroubleshoot[1982813]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ethtool should be allowed create access on netlink_generic_socket labeled system_munin_plugin_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ethtool' --raw | audit2allow -M my-ethtool#012# semodule -X 300 -i my-ethtool.pp#012


Additional context

My servers typically have four network interfaces: two built-in 1Gbit, and two 10Gbit on an expansion card. Only one of the 10Gbit interfaces is in use; the rest are not connected. Deleting the symlinks for the unused network cards from /etc/munin/plugins/ (if_eno1234, for example) makes the problem go away.

The custom SELinux policy suggested in the error message does not seem to have an effect.

I'm guessing it's either a bug in the munin SELinux policy OR a bug in the code where network cards with no link are still polled.

atvseth commented 1 year ago

Can confirm that this issue also happens on Rocky 9.1, though it's unsure why. There are various ways the following SELinux deny occurs:

  1. On a reboot
  2. After an interface is renamed using the following:
    • ip link set ens192 down
    • ip link set ens192 name link0
    • ip link set link0 up
    • (and additional work in NetworkManager to make it use the new interface)

The issue might possibly be due to a ln -s '/usr/share/munin/plugins/if_' '/etc/munin/plugins/if_link0' not being called on a new device - though that is unsure.

Here are the full outputs of the issue:

--- ausearch output ---

_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
ausearch -m AVC,USER_AVC,AVC_PATH

time->Fri May 12 09:55:42 2023
node=test-rocky9-box-FQDN type=PROCTITLE msg=audit(1683910542.772:160): proctitle=2F7573722F7362696E2F657468746F6F6C00656E73313932
node=test-rocky9-box-FQDN type=SYSCALL msg=audit(1683910542.772:160): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=10 a3=fff items=0 ppid=7922 pid=7923 auid=4294967295 uid=0 gid=992 euid=0 suid=0 fsuid=0 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:system_munin_plugin_t:s0 key=(null)
node=test-rocky9-box-FQDN type=AVC msg=audit(1683910542.772:160): avc:  denied  { create } for  pid=7923 comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0

--- /var/log/messages (similar to the original post from @bo-qeye) ---

May 12 09:55:44 test-rocky9-box-FQDN setroubleshoot[7926]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t. For complete SELinux messages run: sealert -l f7690d0e-22ba-4b0a-a54d-27c7e17b2f92
May 12 09:55:44 test-rocky9-box-FQDN setroubleshoot[7926]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ethtool should be allowed create access on netlink_generic_socket labeled system_munin_plugin_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ethtool' --raw | audit2allow -M my-ethtool#012# semodule -X 300 -i my-ethtool.pp#012

--- sealert output ---

_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
sealert -l f7690d0e-22ba-4b0a-a54d-27c7e17b2f92
SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ethtool should be allowed create access on netlink_generic_socket labeled system_munin_plugin_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'ethtool' --raw | audit2allow -M my-ethtool
semodule -X 300 -i my-ethtool.pp

Additional Information:
Source Context                system_u:system_r:system_munin_plugin_t:s0
Target Context                system_u:system_r:system_munin_plugin_t:s0
Target Objects                Unknown [ netlink_generic_socket ]
Source                        ethtool
Source Path                   /usr/sbin/ethtool
Port                          <Unknown>
Host                          test-rocky9-box-FQDN
Source RPM Packages           ethtool-5.16-1.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     test-rocky9-box-FQDN
Platform                      Linux test-rocky9-box-FQDN
                              5.14.0-162.23.1.el9_1.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Apr 11 19:09:37 UTC 2023
                              x86_64 x86_64
Alert Count                   5
First Seen                    2023-05-11 15:30:37 PDT
Last Seen                     2023-05-12 09:55:42 PDT
Local ID                      f7690d0e-22ba-4b0a-a54d-27c7e17b2f92

Raw Audit Messages
type=AVC msg=audit(1683910542.772:160): avc:  denied  { create } for  pid=7923 comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0

type=SYSCALL msg=audit(1683910542.772:160): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=3 a2=10 a3=fff items=0 ppid=7922 pid=7923 auid=4294967295 uid=0 gid=992 euid=0 suid=0 fsuid=0 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ethtool exe=/usr/sbin/ethtool subj=system_u:system_r:system_munin_plugin_t:s0 key=(null)

Hash: ethtool,system_munin_plugin_t,system_munin_plugin_t,netlink_generic_socket,create

--- What /etc/munin/plugins looks like ---

_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
ll /etc/munin/plugins/
total 0
lrwxrwxrwx. 1 root root 28 May 11 13:36 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx. 1 root root 27 May 11 13:36 df -> /usr/share/munin/plugins/df
lrwxrwxrwx. 1 root root 33 May 11 13:36 df_inode -> /usr/share/munin/plugins/df_inode
lrwxrwxrwx. 1 root root 34 May 11 13:36 diskstats -> /usr/share/munin/plugins/diskstats
lrwxrwxrwx. 1 root root 32 May 11 13:36 entropy -> /usr/share/munin/plugins/entropy
lrwxrwxrwx. 1 root root 30 May 11 13:36 forks -> /usr/share/munin/plugins/forks
lrwxrwxrwx. 1 root root 37 May 11 13:36 fw_conntrack -> /usr/share/munin/plugins/fw_conntrack
lrwxrwxrwx. 1 root root 43 May 11 13:36 fw_forwarded_local -> /usr/share/munin/plugins/fw_forwarded_local
lrwxrwxrwx. 1 root root 35 May 11 13:36 fw_packets -> /usr/share/munin/plugins/fw_packets
lrwxrwxrwx. 1 root root 28 May 11 13:36 if_ens192 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 35 May 11 13:36 interrupts -> /usr/share/munin/plugins/interrupts
lrwxrwxrwx. 1 root root 33 May 11 13:36 irqstats -> /usr/share/munin/plugins/irqstats
lrwxrwxrwx. 1 root root 29 May 11 13:36 load -> /usr/share/munin/plugins/load
lrwxrwxrwx. 1 root root 31 May 11 13:36 memory -> /usr/share/munin/plugins/memory
lrwxrwxrwx. 1 root root 32 May 11 13:42 netstat -> /usr/share/munin/plugins/netstat
lrwxrwxrwx. 1 root root 35 May 11 13:36 open_files -> /usr/share/munin/plugins/open_files
lrwxrwxrwx. 1 root root 36 May 11 13:36 open_inodes -> /usr/share/munin/plugins/open_inodes
lrwxrwxrwx. 1 root root 34 May 11 13:36 processes -> /usr/share/munin/plugins/processes
lrwxrwxrwx. 1 root root 33 May 11 13:36 proc_pri -> /usr/share/munin/plugins/proc_pri
lrwxrwxrwx. 1 root root 40 May 11 13:36 selinux_avcstat -> /usr/share/munin/plugins/selinux_avcstat
lrwxrwxrwx. 1 root root 43 May 11 13:36 sendmail_mailqueue -> /usr/share/munin/plugins/sendmail_mailqueue
lrwxrwxrwx. 1 root root 43 May 11 13:36 sendmail_mailstats -> /usr/share/munin/plugins/sendmail_mailstats
lrwxrwxrwx. 1 root root 45 May 11 13:36 sendmail_mailtraffic -> /usr/share/munin/plugins/sendmail_mailtraffic
lrwxrwxrwx. 1 root root 29 May 11 13:36 swap -> /usr/share/munin/plugins/swap
lrwxrwxrwx. 1 root root 32 May 11 13:36 threads -> /usr/share/munin/plugins/threads
lrwxrwxrwx. 1 root root 31 May 11 13:36 uptime -> /usr/share/munin/plugins/uptime
lrwxrwxrwx. 1 root root 30 May 11 13:36 users -> /usr/share/munin/plugins/users
lrwxrwxrwx. 1 root root 31 May 11 13:36 vmstat -> /usr/share/munin/plugins/vmstat

--- Finally, the ip a output ---

_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: link0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:a0:ec:5a brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    altname ens192
    inet 184.23.168.43/27 brd 184.23.168.63 scope global noprefixroute link0
       valid_lft forever preferred_lft forever
_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
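Added example, not code from this issue or from the Munin project: a small parser for kernel AVC records like the `type=AVC ... avc:  denied  { create }` line quoted above, which extracts the source/target types and object class and merges the denied permissions per (source type, target type, class) into the TE `allow` rule that audit2allow would propose. The first sample line is the record from the issue; the second is a constructed variant on the same domain and class, included only to show how permissions are merged.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the AVC record quoted in the issue; line 2 is an
# invented variant on the same domain and class, only to show permission merging.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1683910542.772:160): avc:  denied  { create } for  pid=7923 '
    'comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 '
    'tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0',
    'type=AVC msg=audit(1683910543.001:161): avc:  denied  { read write } for  pid=7923 '
    'comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 '
    'tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one kernel AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A SELinux context is user:role:type[:level]; TE rules refer to the type component.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    fields['result'] = m.group('result')
    fields['perms'] = sorted(m.group('perms').split())
    return fields


def allow_rules(lines):
    """Merge denials per (source type, target type, class) into TE allow rules; same source and target type -> 'self'."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        merged[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = 'self' if stype == ttype else ttype
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules
```

Running `allow_rules` over the denial from the issue alone yields `allow system_munin_plugin_t self:netlink_generic_socket create;`, which is the rule audit2allow generates from the same record; the `permissive=0` field is what tells you the denial was enforced rather than merely logged.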