
Endless selinux alerts in /var/log/messages on Rocky Linux 8.7/munin-node 2.0.72 #1535

Open
bo-qeye opened this issue May 2, 2023 · 1 comment


bo-qeye commented May 2, 2023

Describe the bug
On a Munin node, there are endless selinux ethtool warnings in /var/log/messages.

To Reproduce
Steps to reproduce the behavior:

  1. Install Rocky Linux 8.7 and munin-node 2.0.72 on a machine with one or more unused network cards (servers, typically).
  2. Start munin-node.
  3. Poll the node.
  4. Observe errors in /var/log/messages.

Expected behavior
munin-node should be able to gracefully handle unused network cards.

Screenshots & Logs
From /var/log/messages:

Apr  2 03:51:09 hostname_redacted setroubleshoot[1982813]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t. For complete SELinux messages run: sealert -l 446fb356-d191-44e3-99d6-da704ff9f684
Apr  2 03:51:09 hostname_redacted setroubleshoot[1982813]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ethtool should be allowed create access on netlink_generic_socket labeled system_munin_plugin_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ethtool' --raw | audit2allow -M my-ethtool#012# semodule -X 300 -i my-ethtool.pp#012

Desktop (please complete the following information):

  • Rocky Linux 8.7 on x86_64.
  • Munin Version 2.0.72

Additional context
My servers typically have four network interfaces. Two built-in 1Gbit, and two 10Gbit on an expansion card. Only one of the 10Gbit are in use, the rest are not connected. Deleting the symlinks for the unused network cards from /etc/munin/plugins/ (if_eno1234 for example) makes the problem go away.

The custom SELinux policy suggested in the error message does not seem to have an effect.

I'm guessing it's either a bug in the munin SELinux policy OR a bug in the code where network cards with no link are still polled.


atvseth commented May 12, 2023

Can confirm that this issue also happens on Rocky 9.1, though it's unsure why. There are various ways the following SELinux deny occurs:

  1. on a reboot
  2. After an interface is renamed using the following:
  • ip link set ens192 down
  • ip link set ens192 name link0
  • ip link set link0 up
  • (and additional work in NetworkManager to make it use the new interface)

The issue might possibly be due to a ln -s '/usr/share/munin/plugins/if_' '/etc/munin/plugins/if_link0' not being called on a new device - though that is unsure.

Here are the full outputs of the issue:

--- ausearch output ---
[/root/atvseth](root@test-rocky9-box-FQDN)_
ausearch -m AVC,USER_AVC,AVC_PATH

time->Fri May 12 09:55:42 2023
node=test-rocky9-box-FQDN type=PROCTITLE msg=audit(1683910542.772:160): proctitle=2F7573722F7362696E2F657468746F6F6C00656E73313932
node=test-rocky9-box-FQDN type=SYSCALL msg=audit(1683910542.772:160): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=10 a3=fff items=0 ppid=7922 pid=7923 auid=4294967295 uid=0 gid=992 euid=0 suid=0 fsuid=0 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ethtool" exe="/usr/sbin/ethtool" subj=system_u:system_r:system_munin_plugin_t:s0 key=(null)
node=test-rocky9-box-FQDN type=AVC msg=audit(1683910542.772:160): avc:  denied  { create } for  pid=7923 comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0

--- /var/log/messages (similar to the original post from @bo-qeye) ---

May 12 09:55:44 test-rocky9-box-FQDN setroubleshoot[7926]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t. For complete SELinux messages run: sealert -l f7690d0e-22ba-4b0a-a54d-27c7e17b2f92
May 12 09:55:44 test-rocky9-box-FQDN setroubleshoot[7926]: SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that ethtool should be allowed create access on netlink_generic_socket labeled system_munin_plugin_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ethtool' --raw | audit2allow -M my-ethtool#012# semodule -X 300 -i my-ethtool.pp#012

--- sealert output ---

_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
sealert -l f7690d0e-22ba-4b0a-a54d-27c7e17b2f92
SELinux is preventing /usr/sbin/ethtool from create access on the netlink_generic_socket labeled system_munin_plugin_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ethtool should be allowed create access on netlink_generic_socket labeled system_munin_plugin_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
ausearch -c 'ethtool' --raw | audit2allow -M my-ethtool
semodule -X 300 -i my-ethtool.pp

Additional Information:
Source Context                system_u:system_r:system_munin_plugin_t:s0
Target Context                system_u:system_r:system_munin_plugin_t:s0
Target Objects                Unknown [ netlink_generic_socket ]
Source                        ethtool
Source Path                   /usr/sbin/ethtool
Port                          <Unknown>
Host                          test-rocky9-box-FQDN
Source RPM Packages           ethtool-5.16-1.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Local Policy RPM              selinux-policy-targeted-34.1.43-1.el9_1.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     test-rocky9-box-FQDN
Platform                      Linux test-rocky9-box-FQDN
                              5.14.0-162.23.1.el9_1.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Apr 11 19:09:37 UTC 2023
                              x86_64 x86_64
Alert Count                   5
First Seen                    2023-05-11 15:30:37 PDT
Last Seen                     2023-05-12 09:55:42 PDT
Local ID                      f7690d0e-22ba-4b0a-a54d-27c7e17b2f92

Raw Audit Messages
type=AVC msg=audit(1683910542.772:160): avc:  denied  { create } for  pid=7923 comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0


type=SYSCALL msg=audit(1683910542.772:160): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=3 a2=10 a3=fff items=0 ppid=7922 pid=7923 auid=4294967295 uid=0 gid=992 euid=0 suid=0 fsuid=0 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ethtool exe=/usr/sbin/ethtool subj=system_u:system_r:system_munin_plugin_t:s0 key=(null)

Hash: ethtool,system_munin_plugin_t,system_munin_plugin_t,netlink_generic_socket,create

--- What /etc/munin/plugins looks like ---

_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
ll /etc/munin/plugins/
total 0
lrwxrwxrwx. 1 root root 28 May 11 13:36 cpu -> /usr/share/munin/plugins/cpu
lrwxrwxrwx. 1 root root 27 May 11 13:36 df -> /usr/share/munin/plugins/df
lrwxrwxrwx. 1 root root 33 May 11 13:36 df_inode -> /usr/share/munin/plugins/df_inode
lrwxrwxrwx. 1 root root 34 May 11 13:36 diskstats -> /usr/share/munin/plugins/diskstats
lrwxrwxrwx. 1 root root 32 May 11 13:36 entropy -> /usr/share/munin/plugins/entropy
lrwxrwxrwx. 1 root root 30 May 11 13:36 forks -> /usr/share/munin/plugins/forks
lrwxrwxrwx. 1 root root 37 May 11 13:36 fw_conntrack -> /usr/share/munin/plugins/fw_conntrack
lrwxrwxrwx. 1 root root 43 May 11 13:36 fw_forwarded_local -> /usr/share/munin/plugins/fw_forwarded_local
lrwxrwxrwx. 1 root root 35 May 11 13:36 fw_packets -> /usr/share/munin/plugins/fw_packets
lrwxrwxrwx. 1 root root 28 May 11 13:36 if_ens192 -> /usr/share/munin/plugins/if_
lrwxrwxrwx. 1 root root 35 May 11 13:36 interrupts -> /usr/share/munin/plugins/interrupts
lrwxrwxrwx. 1 root root 33 May 11 13:36 irqstats -> /usr/share/munin/plugins/irqstats
lrwxrwxrwx. 1 root root 29 May 11 13:36 load -> /usr/share/munin/plugins/load
lrwxrwxrwx. 1 root root 31 May 11 13:36 memory -> /usr/share/munin/plugins/memory
lrwxrwxrwx. 1 root root 32 May 11 13:42 netstat -> /usr/share/munin/plugins/netstat
lrwxrwxrwx. 1 root root 35 May 11 13:36 open_files -> /usr/share/munin/plugins/open_files
lrwxrwxrwx. 1 root root 36 May 11 13:36 open_inodes -> /usr/share/munin/plugins/open_inodes
lrwxrwxrwx. 1 root root 34 May 11 13:36 processes -> /usr/share/munin/plugins/processes
lrwxrwxrwx. 1 root root 33 May 11 13:36 proc_pri -> /usr/share/munin/plugins/proc_pri
lrwxrwxrwx. 1 root root 40 May 11 13:36 selinux_avcstat -> /usr/share/munin/plugins/selinux_avcstat
lrwxrwxrwx. 1 root root 43 May 11 13:36 sendmail_mailqueue -> /usr/share/munin/plugins/sendmail_mailqueue
lrwxrwxrwx. 1 root root 43 May 11 13:36 sendmail_mailstats -> /usr/share/munin/plugins/sendmail_mailstats
lrwxrwxrwx. 1 root root 45 May 11 13:36 sendmail_mailtraffic -> /usr/share/munin/plugins/sendmail_mailtraffic
lrwxrwxrwx. 1 root root 29 May 11 13:36 swap -> /usr/share/munin/plugins/swap
lrwxrwxrwx. 1 root root 32 May 11 13:36 threads -> /usr/share/munin/plugins/threads
lrwxrwxrwx. 1 root root 31 May 11 13:36 uptime -> /usr/share/munin/plugins/uptime
lrwxrwxrwx. 1 root root 30 May 11 13:36 users -> /usr/share/munin/plugins/users
lrwxrwxrwx. 1 root root 31 May 11 13:36 vmstat -> /usr/share/munin/plugins/vmstat

--- Finally, the ip a output ---

_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: link0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:a0:ec:5a brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    altname ens192
    inet 184.23.168.43/27 brd 184.23.168.63 scope global noprefixroute link0
       valid_lft forever preferred_lft forever
_[/root/atvseth]_(root@test-rocky9-box-FQDN)_
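As an added example (not code from this thread, from Munin or from setroubleshoot), the raw AVC record quoted above can be parsed offline to reproduce setroubleshoot's "Hash:" dedup key and the type-enforcement rule that `audit2allow` would derive from it; the sample audit text is constructed to mirror the denial in the thread, and the regex assumes the field layout shown in that record.

```python
"""Parse raw SELinux AVC denials (the format printed by `ausearch -m AVC`),
derive the audit2allow-style TE rule and setroubleshoot's dedup key.
Example code for this thread, not Munin's or setroubleshoot's own code."""
import re
from collections import defaultdict

# Constructed sample modelled on the denial quoted in the thread: two AVC
# records for the same access plus one SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1683910542.772:160): avc:  denied  { create } for  pid=7923 comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1683910600.101:171): avc:  denied  { create } for  pid=7950 comm="ethtool" scontext=system_u:system_r:system_munin_plugin_t:s0 tcontext=system_u:system_r:system_munin_plugin_t:s0 tclass=netlink_generic_socket permissive=0
type=SYSCALL msg=audit(1683910542.772:160): arch=c000003e syscall=41 success=no exit=-13 comm="ethtool"
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?'
    r'comm="(?P<comm>[^"]+)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type:level -> type (the third field)."""
    return context.split(":")[2]

def parse_avc(text):
    """Yield one dict per AVC denial line; non-AVC records are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = tuple(sorted(d["perms"].split()))
            yield d

def alert_key(d):
    """setroubleshoot's 'Hash:' field: comm,stype,ttype,tclass,perms."""
    return ",".join([d["comm"], selinux_type(d["scontext"]),
                     selinux_type(d["tcontext"]), d["tclass"], ",".join(d["perms"])])

def allow_rules(text):
    """Collapse repeated denials into distinct TE rules, audit2allow style.
    When source and target type match, the rule is written against `self`."""
    merged = defaultdict(set)
    for d in parse_avc(text):
        stype, ttype = selinux_type(d["scontext"]), selinux_type(d["tcontext"])
        target = "self" if stype == ttype else ttype
        merged[(stype, target, d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print(alert_key(next(parse_avc(SAMPLE_AUDIT))))
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

Comparing the derived rule with what `sesearch` reports for the loaded policy is the quick way to tell whether a local module like `my-ethtool.pp` was actually installed for the domain the denial names.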
