895730 – net-analyzer/cacti lacks a user and collides with SELinux and/ or AppArmor

Bug 895730 - net-analyzer/cacti lacks a user and collides with SELinux and/ or AppArmor

Summary: net-analyzer/cacti lacks a user and collides with SELinux and/ or AppArmor

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Netmon project

URL:	https://files.cacti.net/docs/html/uni...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2023-02-21 14:39 UTC by onkobu
Modified:	2023-02-22 17:02 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description onkobu 2023-02-21 14:39:46 UTC

According to Cacti manual a CRON-job has to be setup. In the manual cactiuser is suggested. Such a user is not created from the ebuild. Other users have implications. For example apache – which is not root and runs the PHP files anyways – has limited capabilities with SELinux or App Armor. For example depending on the profile this user is not allowed to make ICMP requests.

Reproducible: Always

Comment 1 onkobu 2023-02-21 14:41:39 UTC

Error message for example for AppArmor is

Feb 21 15:33:17 <host> kernel: audit: type=1400 audit(1676989997.909:71): apparmor="DENIED" operation="create" profile="apache2" pid=2997 comm="ping" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"

I'd say it is technically feasible to enable this through App Armor's tools but from a security standpoint this capability is not necessary. Instead cactiuser should be available.