Bug 134174
Summary: | snmpd cannot create /var/net-snmp | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Matthew Booth <mbooth> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | Last Closed: | 2004-10-12 06:58:28 UTC |
Severity: | medium | Priority: | medium |
Version: | 4.0 | CC: | rvokal |
Hardware: | i686 | OS: | Linux |
Doc Type: | Bug Fix | Bug Blocks: | 123268 |
Description
Matthew Booth
2004-09-29 23:06:36 UTC
Please send avc messages and /var/log/messages.

Can we add this directory to the rpm so it is created by default? Then I can easily add policy to allow snmpd to write to the directory.

Dan

I would have attached log file output in the first instance but unfortunately, owing mostly to an office move, I no longer have access to a RHEL4 Beta 1 box. They're seriously simple to generate, though: Just type: "service snmpd start" :)

Ok I fixed policy, although I still believe this directory should be installed by RPM. selinux-policy-*-1_17_24-4 Contains fix.

Looks like we might have traded one avc message for another here. With 1.17.24-4 and 1.17.25-1, I'm no longer getting the error attempting to create the directory, but I am getting the following:

Oct 1 09:49:00 heisey kernel: audit(1096616940.819:0): avc: denied { getattr } for pid=8439 exe=/usr/sbin/snmpd path=/var/lib/rpm/Packages dev=hda2 ino=616518 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_lib_t tclass=file

Although as I've already mentioned I don't have a machine to test right now, I also saw that error before anything was changed, but didn't report it because I couldn't think why snmpd would be looking there. Thinking about it more now, the net-snmp agent will display a great deal of host information, including amongst other things what rpms are installed. This aspect of snmpd may require fairly broad read permissions in order to function correctly.

Could either of you turn setenforce 0 and run the snmpd tools to find out all the stuff it needs, rather than doing this piecemeal? Thanks.

Dan

Ok I have updated policy to label /var/lib/rpm correctly. Please upgrade to selinux-policy-targeted-1.17.28 or greater and restorecon -R /var/lib/rpm

Dan

Indeed, selinux-policy-targeted-1.17.29-3, in concert with an updated policycoreutils which provides the "restorecon -R" functionality does resolve this issue.
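The request in this thread to run with setenforce 0 and collect every denial in one pass can be supported by a small log summarizer. The following is an added example, not part of the bug report or the policy packages: it parses kernel "avc: denied" lines in the format quoted above and groups them by source type, target type and class. The second sample line is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in this bug report. Line 2 is constructed for
# illustration (same process and file, different permission).
SAMPLE_LOG = """\
Oct 1 09:49:00 heisey kernel: audit(1096616940.819:0): avc: denied { getattr } for pid=8439 exe=/usr/sbin/snmpd path=/var/lib/rpm/Packages dev=hda2 ino=616518 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_lib_t tclass=file
Oct 1 09:49:01 heisey kernel: audit(1096616941.102:0): avc: denied { read } for pid=8439 exe=/usr/sbin/snmpd path=/var/lib/rpm/Packages dev=hda2 ino=616518 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_lib_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or None if it is not one."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = dict(KV_RE.findall(match.group("rest")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "perms": match.group("perms").split(),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "path": fields.get("path") or fields.get("name", "?"),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial:
            group = groups[(denial["source"], denial["target"], denial["tclass"])]
            group["perms"].update(denial["perms"])
            group["paths"].add(denial["path"])
    return {k: {"perms": sorted(v["perms"]), "paths": sorted(v["paths"])}
            for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(info['perms'])} }} on {', '.join(info['paths'])}")
```

A generic target type such as var_lib_t in the summary can point to a labeling gap rather than a missing allow rule, which is how this bug was resolved (relabel /var/lib/rpm, then restorecon -R).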