Munin/SELinux
Munin version 2.0.64 does not come with any SELinux policy for Fedora and RHEL. The munin-node.service
will fail to start without one.
Munin-Node
First, reset the audit.log with:
echo > /var/log/audit/audit.log
Then switch SELinux to permissive mode (this is a bad idea if you forget to turn enforcement back on afterwards):
setenforce 0
Next, start and stop munin-node:
systemctl start munin-node
sleep 4s
systemctl stop munin-node
Re-enable SELinux enforcement:
setenforce 1
Next, make sure you have policycoreutils-python-utils (which provides audit2allow) and run:
grep munin /var/log/audit/audit.log | audit2allow -M munin-node
This will create a SELinux module called munin-node.pp and a plain-text module file called munin-node.te which will look something like this:
module munin-node 1.0;

require {
    type services_munin_plugin_t;
    type disk_munin_plugin_t;
    type system_dbusd_var_run_t;
    type system_dbusd_t;
    type avahi_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class dbus send_msg;
    class capability dac_read_search;
}

#============= avahi_t ==============
allow avahi_t services_munin_plugin_t:dbus send_msg;

#============= disk_munin_plugin_t ==============
allow disk_munin_plugin_t self:capability dac_read_search;

#============= services_munin_plugin_t ==============
allow services_munin_plugin_t avahi_t:dbus send_msg;
allow services_munin_plugin_t system_dbusd_t:dbus send_msg;
allow services_munin_plugin_t system_dbusd_t:unix_stream_socket connectto;
allow services_munin_plugin_t system_dbusd_var_run_t:sock_file write;
You do not actually need the munin-node.te file, but since you are reading this you are probably someone who wants to see what the module grants before loading it. The ready-to-use munin-node.pp SELinux module can be added to the system policy with
semodule -i munin-node.pp
audit2allow -M will create both a text module and a loadable module. You can, alternatively, do it a bit more manually:
grep munin /var/log/audit/audit.log | audit2allow -m munin-node > munin-node.te
checkmodule -M -m -o munin-node.mod munin-node.te
semodule_package -o munin-node.pp -m munin-node.mod
semodule -i munin-node.pp
You should now be able to start munin-node with SELinux enforcement enabled with
systemctl start munin-node
or
systemctl enable --now munin-node
to start and enable as a permanent service at the same time.
Munin
The munin service that creates the HTML pages and images showing the fancy graphs will also refuse to start on Fedora and RHEL systems without a SELinux policy.
echo > /var/log/audit/audit.log
setenforce 0
systemctl start munin
sleep 8s
systemctl stop munin
grep munin /var/log/audit/audit.log | audit2allow -M munin-server
That should produce a usable SELinux module you can install with
semodule -i munin-server.pp
The plain-text module will look something like this:
module munin-server 1.0;

require {
    type init_t;
    type munin_t;
    class process2 nnp_transition;
}

#============= init_t ==============
allow init_t munin_t:process2 nnp_transition;
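The grep munin filter used in both sections above feeds audit2allow every AVC line that mentions munin, including denials where a munin domain is only the target, which is why the munin-node module contains a rule for avahi_t and the munin-server module one for init_t (the latter is the nnp_transition that lets systemd start the service at all). The following is an added example, not code from this page or from the Munin project: a small POSIX shell check that prints the allow rules of a generated .te whose source domain is not a munin domain, so they can be looked over before semodule -i; the embedded .te is the one shown in the Munin-Node section and the function name is my own.

```shell
#!/bin/sh
# Constructed sample: the munin-node.te module shown on this page, embedded
# inline so the check runs without a real audit log or audit2allow.
SAMPLE_TE='module munin-node 1.0;

require {
    type services_munin_plugin_t;
    type disk_munin_plugin_t;
    type system_dbusd_var_run_t;
    type system_dbusd_t;
    type avahi_t;
    class sock_file write;
    class unix_stream_socket connectto;
    class dbus send_msg;
    class capability dac_read_search;
}

allow avahi_t services_munin_plugin_t:dbus send_msg;
allow disk_munin_plugin_t self:capability dac_read_search;
allow services_munin_plugin_t avahi_t:dbus send_msg;
allow services_munin_plugin_t system_dbusd_t:dbus send_msg;
allow services_munin_plugin_t system_dbusd_t:unix_stream_socket connectto;
allow services_munin_plugin_t system_dbusd_var_run_t:sock_file write;'

# te_foreign_sources PATTERN   (reads a .te module on stdin)
# Prints every "allow SRC TGT:CLASS PERM;" rule whose source domain SRC does
# not contain PATTERN, i.e. rules that widen a domain other than the one the
# module was generated for. Exit status is 1 if any rule was printed and 0
# otherwise, so the function can gate "semodule -i" in a script.
te_foreign_sources() {
    awk -v pat="$1" '
        BEGIN { found = 0 }
        $1 == "allow" && index($2, pat) == 0 { print; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Usage on a freshly generated module before loading it:
#   te_foreign_sources munin < munin-node.te && semodule -i munin-node.pp
# Demo against the embedded sample: prints the avahi_t rule and returns 1.
printf '%s\n' "$SAMPLE_TE" | te_foreign_sources munin \
    || echo "rules above are sourced from non-munin domains; review them first"
```

Rules it lists are not automatically wrong (the init_t nnp_transition in the munin-server module is required), but they are the ones that deserve a look because they loosen a domain other than munin's.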