Bug 1285674

Summary: SELinux prevents httpd (started by piranha-gui) from accessing /var/lib/net-snmp
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.7
CC: bperkins, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-285.el6
Doc Type: Bug Fix
Last Closed: 2016-05-10 20:02:40 UTC
Type: Bug

Description Milos Malik 2015-11-26 08:59:49 UTC
Description of problem:
 * this scenario is complicated because it needs the cooperation of multiple packages
 * it seems that the piranha-gui service starts httpd, which runs as piranha_web_t; PHP support is enabled by default in the httpd configuration, and the PHP module inside httpd wants to access the /var/lib/net-snmp directory when the php-snmp package is installed

Version-Release number of selected component (if applicable):
httpd-2.2.15-45.el6.x86_64
httpd-tools-2.2.15-45.el6.x86_64
php-snmp-5.3.3-46.el6_6.x86_64
piranha-0.8.6-4.el6_5.2.x86_64
selinux-policy-3.7.19-283.el6.noarch
selinux-policy-doc-3.7.19-283.el6.noarch
selinux-policy-minimum-3.7.19-283.el6.noarch
selinux-policy-mls-3.7.19-283.el6.noarch
selinux-policy-targeted-3.7.19-283.el6.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-6.7 machine which runs the targeted policy
2. start the piranha-gui service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PATH msg=audit(11/26/2015 09:04:44.791:382) : item=0 name=/var/lib/net-snmp inode=3512 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/26/2015 09:04:44.791:382) :  cwd=/ 
type=SYSCALL msg=audit(11/26/2015 09:04:44.791:382) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f96f2d33f80 a1=0x7fffde0219f0 a2=0x7fffde0219f0 a3=0x12 items=1 ppid=1 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:piranha_web_t:s0 key=(null) 
type=AVC msg=audit(11/26/2015 09:04:44.791:382) : avc:  denied  { getattr } for  pid=15283 comm=httpd path=/var/lib/net-snmp dev=vda3 ino=3512 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----
type=PATH msg=audit(11/26/2015 09:04:44.791:383) : item=0 name=/var/lib/net-snmp/mib_indexes inode=3512 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/26/2015 09:04:44.791:383) :  cwd=/ 
type=SYSCALL msg=audit(11/26/2015 09:04:44.791:383) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fffde021ac0 a1=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a2=0x7fffde021add a3=0x0 items=1 ppid=1 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:piranha_web_t:s0 key=(null) 
type=AVC msg=audit(11/26/2015 09:04:44.791:383) : avc:  denied  { search } for  pid=15283 comm=httpd name=net-snmp dev=vda3 ino=3512 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2015-11-26 09:07:07 UTC
Actual results from another machine (permissive mode):
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.223:328): item=0 name="/var/lib/net-snmp" inode=400635 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.223:328):  cwd="/"
type=SYSCALL msg=audit(1448528643.223:328): arch=c000003e syscall=4 success=yes exit=0 a0=7fbdebbc7da0 a1=7ffe5a43bdb0 a2=7ffe5a43bdb0 a3=12 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.223:328): avc:  denied  { getattr } for  pid=30454 comm="httpd" path="/var/lib/net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.225:329): item=0 name="/var/lib/net-snmp/snmp.0.conf" nametype=UNKNOWN
type=CWD msg=audit(1448528643.225:329):  cwd="/"
type=SYSCALL msg=audit(1448528643.225:329): arch=c000003e syscall=4 success=no exit=-2 a0=7ffe5a43be40 a1=7ffe5a43bdb0 a2=7ffe5a43bdb0 a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.225:329): avc:  denied  { search } for  pid=30454 comm="httpd" name="net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.225:330): item=0 name="/var/lib/net-snmp/mib_indexes" inode=401260 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.225:330):  cwd="/"
type=SYSCALL msg=audit(1448528643.225:330): arch=c000003e syscall=2 success=yes exit=8 a0=7ffe5a43be80 a1=90800 a2=7ffe5a43be9d a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.225:330): avc:  denied  { open } for  pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1448528643.225:330): avc:  denied  { read } for  pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.226:331): item=0 name="/var/lib/net-snmp/mib_indexes/0" inode=402188 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.226:331):  cwd="/"
type=SYSCALL msg=audit(1448528643.226:331): arch=c000003e syscall=2 success=yes exit=9 a0=7ffe5a43be80 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.226:331): avc:  denied  { open } for  pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc:  denied  { read } for  pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc:  denied  { search } for  pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=SYSCALL msg=audit(1448528643.226:332): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffe5a43bbc0 a2=7ffe5a43bbc0 a3=0 items=0 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.226:332): avc:  denied  { getattr } for  pid=30454 comm="httpd" path="/var/lib/net-snmp/mib_indexes/0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----

Comment 2 Miroslav Grepl 2015-11-30 11:57:22 UTC
We have

optional_policy(`
    snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
    snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
')

in RHEL-7.
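Taken together, the AVC records quoted in Comment 1 and the RHEL-7 policy snippet in Comment 2 describe the usual triage loop for a denial like this: collect the AVC records for the confined domain, aggregate the denied permissions by source type, target type and object class, and then decide whether the access is needed (grant it with an allow rule) or is harmless noise (silence it with dontaudit, which is what the RHEL-7 policy does for piranha_web_t through the snmp_dontaudit_*_snmp_var_lib_files interfaces). The following Python script is an added example, not code from this bug report or from the selinux-policy project; it implements that aggregation in the style of audit2allow over the AVC lines quoted above, accepting both the raw ausearch format with quoted values (Comment 1) and the interpreted `ausearch -i` format without quotes (Description), and renders the result as allow or dontaudit rules. The rendered rules are illustrative output of the script; the page does not show the rule Red Hat actually shipped in selinux-policy-3.7.19-285.el6.

```python
import re
from collections import defaultdict

# Sample input: AVC and SYSCALL records quoted from this bug report. Comment 1
# uses the raw ausearch format with quoted values, the Description uses the
# interpreted `ausearch -i` format without quotes. The SYSCALL record is kept
# to show that non-AVC records are skipped.
SAMPLE_AUDIT_LINES = """\
type=AVC msg=audit(1448528643.223:328): avc:  denied  { getattr } for  pid=30454 comm="httpd" path="/var/lib/net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1448528643.225:329): avc:  denied  { search } for  pid=30454 comm="httpd" name="net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1448528643.226:331): arch=c000003e syscall=2 success=yes exit=9 a0=7ffe5a43be80 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.226:331): avc:  denied  { open } for  pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc:  denied  { read } for  pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(11/26/2015 09:04:44.791:382) : avc:  denied  { getattr } for  pid=15283 comm=httpd path=/var/lib/net-snmp dev=vda3 ino=3512 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
"""

# Matches the parts of an AVC record that a policy rule is built from:
# verdict, permission set, source context, target context and object class.
# Values are taken up to the next whitespace, so quoted and unquoted forms
# both work (contexts and class names never contain spaces or quotes).
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\sscontext=(?P<scontext>\S+)"
    r".*?\stcontext=(?P<tcontext>\S+)"
    r".*?\stclass=(?P<tclass>\S+)"
)


def context_type(ctx: str) -> str:
    """Return the SELinux type from a user:role:type[:level] context string."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line: str):
    """Parse one audit record; return a dict for AVC records, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m["verdict"],
        "perms": m["perms"].split(),
        "stype": context_type(m["scontext"]),
        "ttype": context_type(m["tcontext"]),
        "tclass": m["tclass"],
    }


def summarize_denials(lines):
    """Aggregate denied permissions by (source type, target type, class).

    Repeated denials of the same permission (the getattr on /var/lib/net-snmp
    appears in both quoted formats above) collapse into one entry, as they do
    in audit2allow output.
    """
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        needed[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(needed)


def render_rules(summary, kind="allow"):
    """Render the summary as TE rules; kind selects 'allow' or 'dontaudit'."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LINES.splitlines())
    print("# what granting the denials would need (audit2allow style):")
    print("\n".join(render_rules(summary, "allow")))
    print("# what the RHEL-7 policy in Comment 2 does instead: silence them")
    print("\n".join(render_rules(summary, "dontaudit")))
```

Collect the records in permissive mode before trusting the summary: in enforcing mode httpd receives EACCES at the first denial and never reaches the later accesses, which is why the Description (enforcing) shows only getattr and search on the directory while Comment 1 (permissive) also shows open and read on the mib_indexes entries. Whether the aggregated set then becomes allow or dontaudit is a least-privilege decision: piranha-gui works without reading the net-snmp state, so the RHEL-7 policy silences the noise rather than widening piranha_web_t.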

Comment 6 errata-xmlrpc 2016-05-10 20:02:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html