Bug 1285674
| Summary: | SELinux prevents httpd (started by piranha-gui) from accessing /var/lib/net-snmp | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.7 | CC: | bperkins, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-285.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-10 20:02:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Milos Malik
2015-11-26 08:59:49 UTC
Actual results from another machine (permissive mode):

----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.223:328): item=0 name="/var/lib/net-snmp" inode=400635 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.223:328): cwd="/"
type=SYSCALL msg=audit(1448528643.223:328): arch=c000003e syscall=4 success=yes exit=0 a0=7fbdebbc7da0 a1=7ffe5a43bdb0 a2=7ffe5a43bdb0 a3=12 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.223:328): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.225:329): item=0 name="/var/lib/net-snmp/snmp.0.conf" nametype=UNKNOWN
type=CWD msg=audit(1448528643.225:329): cwd="/"
type=SYSCALL msg=audit(1448528643.225:329): arch=c000003e syscall=4 success=no exit=-2 a0=7ffe5a43be40 a1=7ffe5a43bdb0 a2=7ffe5a43bdb0 a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.225:329): avc: denied { search } for pid=30454 comm="httpd" name="net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.225:330): item=0 name="/var/lib/net-snmp/mib_indexes" inode=401260 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.225:330): cwd="/"
type=SYSCALL msg=audit(1448528643.225:330): arch=c000003e syscall=2 success=yes exit=8 a0=7ffe5a43be80 a1=90800 a2=7ffe5a43be9d a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.225:330): avc: denied { open } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1448528643.225:330): avc: denied { read } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.226:331): item=0 name="/var/lib/net-snmp/mib_indexes/0" inode=402188 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.226:331): cwd="/"
type=SYSCALL msg=audit(1448528643.226:331): arch=c000003e syscall=2 success=yes exit=9 a0=7ffe5a43be80 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.226:331): avc: denied { open } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc: denied { read } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc: denied { search } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=SYSCALL msg=audit(1448528643.226:332): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffe5a43bbc0 a2=7ffe5a43bbc0 a3=0 items=0 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.226:332): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp/mib_indexes/0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----

We have

optional_policy(`
	snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
	snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
')

in RHEL-7.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0763.html
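Example code added to this report (not the reporter's and not part of selinux-policy): a Python script that does by hand what audit2allow does with the records above, using those records as its input. It groups the AVC denials by source type, target type and object class, renders the allow rule that grouping would produce, checks whether any denied permission modifies the target (which is why a dontaudit interface, as the maintainers chose, silences these denials without granting httpd anything), and pairs each denial with its SYSCALL record to show that the syscalls still succeeded, which is the signature of permissive mode. The WRITE_PERMS list and the verdict strings are this example's own assumptions, not SELinux constants.

```python
"""Summarise SELinux AVC denials from raw audit records. Example code added to
this report, not the reporter's and not from selinux-policy."""
import re
from collections import defaultdict

# AVC and SYSCALL records copied from the report above, trimmed to the fields
# this script reads (PATH/CWD records and most SYSCALL fields dropped).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1448528643.223:328): arch=c000003e syscall=4 success=yes exit=0 pid=30454 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0
type=AVC msg=audit(1448528643.223:328): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1448528643.225:329): arch=c000003e syscall=4 success=no exit=-2 pid=30454 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0
type=AVC msg=audit(1448528643.225:329): avc: denied { search } for pid=30454 comm="httpd" name="net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1448528643.225:330): arch=c000003e syscall=2 success=yes exit=8 pid=30454 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0
type=AVC msg=audit(1448528643.225:330): avc: denied { open } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1448528643.225:330): avc: denied { read } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1448528643.226:331): arch=c000003e syscall=2 success=yes exit=9 pid=30454 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0
type=AVC msg=audit(1448528643.226:331): avc: denied { open } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc: denied { read } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc: denied { search } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1448528643.226:332): arch=c000003e syscall=5 success=yes exit=0 pid=30454 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0
type=AVC msg=audit(1448528643.226:332): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp/mib_indexes/0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
"""

MSG_RE = re.compile(r'type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
                    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
# Permissions that modify the target. The list is this example's own choice
# (assumption), not an SELinux constant; extend it for the classes you audit.
WRITE_PERMS = {'write', 'append', 'create', 'unlink', 'link', 'rename', 'setattr',
               'add_name', 'remove_name', 'rmdir', 'reparent', 'relabelfrom', 'relabelto'}

def parse_audit(text):
    """Return (denials, syscalls). Records that share an audit serial belong to
    one event, which lets each AVC denial be paired with its syscall result."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        serial = int(m.group('serial'))
        if m.group('type') == 'SYSCALL':
            f = dict(kv.split('=', 1) for kv in line.split()[2:] if '=' in kv)
            syscalls[serial] = {'success': f['success'], 'exit': int(f['exit'])}
        elif m.group('type') == 'AVC' and (a := AVC_RE.search(line)):
            denials.append({'serial': serial, 'perms': set(a.group('perms').split()),
                            # third field of user:role:type:level is the type
                            'stype': a.group('sctx').split(':')[2],
                            'ttype': a.group('tctx').split(':')[2],
                            'tclass': a.group('tclass')})
    return denials, syscalls

def summarise(denials):
    """Union denied permissions per (source type, target type, class): the
    grouping audit2allow uses to emit one rule per triple."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(rules)

def allow_rules(rules):
    """Render the grouped denials as the TE allow rules audit2allow would print."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def is_read_only(perms):
    """True when no denied permission modifies the target: a dontaudit interface
    then silences the noise without granting any write."""
    return not (perms & WRITE_PERMS)

def permissive_evidence(denials, syscalls):
    """Pair each denial with its SYSCALL outcome. success=yes after a denial means
    the kernel logged but did not enforce (permissive mode or domain); exit=-13
    (EACCES) is a real refusal; any other errno, e.g. -2 (ENOENT) for the missing
    snmp.0.conf above, failed for a reason SELinux did not cause."""
    verdicts = {}
    for d in denials:
        sc = syscalls.get(d['serial'])
        if sc is None:
            continue
        if sc['success'] == 'yes':
            verdicts[d['serial']] = 'denied but syscall succeeded (permissive)'
        elif sc['exit'] == -13:
            verdicts[d['serial']] = 'denied and syscall failed with EACCES (enforcing)'
        else:
            verdicts[d['serial']] = f'syscall failed with errno {-sc["exit"]}, not an SELinux refusal'
    return verdicts

if __name__ == '__main__':
    denials, syscalls = parse_audit(SAMPLE_AUDIT)
    rules = summarise(denials)
    print('\n'.join(allow_rules(rules)))
    for key, perms in sorted(rules.items()):
        print(key, 'read-only' if is_read_only(perms) else 'MODIFIES target')
    for serial, verdict in sorted(permissive_evidence(denials, syscalls).items()):
        print(serial, verdict)
```

On a live RHEL box the same parser can be fed the output of `ausearch -m avc,syscall -ts recent`; the `----` and `time->` separator lines do not match MSG_RE and are skipped. For these records every denied permission is read or metadata access, so the read-only check passes for both the dir and the file triple, which is exactly the situation where the dontaudit interfaces quoted above are the right fix rather than an allow rule.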