Bug 134174
| Summary: | snmpd cannot create /var/net-snmp | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Matthew Booth <mbooth> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.0 | CC: | rvokal |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-10-12 06:58:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 123268 | ||
Please send avc messages and /var/log/messages Can we add this directory to the rpm so it is created by default. Then I can easily add policy to allow snmpd to write to the directory. Dan I would have attached log file output in the first instance but unfortunately, owing mostly to an office move, I no longer have access to a RHEL4 Beta 1 box. They're seriously simple to generate, though: Just type: "service snmpd start" :) Ok I fixed policy, although I still believe this directory should be installed by RPM. selinux-policy-*-1_17_24-4 Contains fix. Looks like we might have traded one avc message for another here.
With 1.17.24-4 and 1.17.25-1, I'm not longer getting the error
attempting to create the directory, but I am getting the following:
Oct 1 09:49:00 heisey kernel: audit(1096616940.819:0): avc: denied
{ getattr } for pid=8439 exe=/usr/sbin/snmpd
path=/var/lib/rpm/Packages dev=hda2 ino=616518
scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_lib_t
tclass=file
Although as I've already mentioned I don't have a machine to test right now, I also saw that error before anything was changed, but didn't report it because I couldn't think why snmpd would be looking there. Thinking about it more now, the net-snmp agent will display a great deal of host information, including amongst other things what rpms are installed. This aspect of snmpd may require fairly broad read permissions in order to function correctly. Looks like we might have traded one avc message for another here.
With 1.17.24-4 and 1.17.25-1, I'm not longer getting the error
attempting to create the directory, but I am getting the following:
Oct 1 09:49:00 heisey kernel: audit(1096616940.819:0): avc: denied
{ getattr } for pid=8439 exe=/usr/sbin/snmpd
path=/var/lib/rpm/Packages dev=hda2 ino=616518
scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_lib_t
tclass=file
Could either of you turn setenforce 0 and run the snmpd tools to find out all the stuff it needs. Rather than doing this piecemail. Thanks. Dan Ok I have updated policy to label /var/lib/rpm correctly. Please upgrade to selinux-policy-targeted-1.17.28 or greater and restorecon -R /var/lib/rpm Dan Indeed, selinux-policy-targeted-1.17.29-3, in concert with an updated policycoreutils which provides the "restorecon -R" functionality does resolve this issue. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040909 Description of problem: The default policy doesn't allow snmpd to create the /var/net-snmp. snmp will appear to function with reduced functionality if it is unable to create this directory. To the best of my knowledge it will only ever contain a single file, snmpd.conf (different to /etc/snmp/snmpd.conf) which it uses to persist automatically generated config data. This file should not be world readable. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Enable the targeted se linux policy 2. Start snmpd Actual Results: Errors produced in /var/log/messages by snmpd and selinux indicating failure to create /var/net-snmp directory. Expected Results: snmpd can create /var/net-snmp directory and snmpd.conf in it. Other users cannot view this directory or its contents. Additional info: