Bug 158056

Summary: snmpd don't report running processes
Product: Red Hat Enterprise Linux 4
Component: selinux-policy-targeted
Version: 4.0
Hardware: i386
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Mikkel Kruse Johnsen <mkj.lib>
Assignee: Daniel Walsh <dwalsh>
CC: matt, rvokal
Fixed In Version: RHBA-2005-645
Doc Type: Bug Fix
Last Closed: 2005-10-05 16:34:25 UTC
Bug Blocks: 156322

Description Mikkel Kruse Johnsen 2005-05-18 08:56:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
Running snmpget against a server running httpd (and "proc httpd 30 5" in the config) reports:

[root@dogwood rrdtool]# snmpget -v 2c mandio.cbs.dk -c library .1.3.6.1.4.1.2021.2.1.3.1 .1.3.6.1.4.1.2021.2.1.4.1 .1.3.6.1.4.1.2021.2.1.5.1
UCD-SNMP-MIB::prMin.1 = INTEGER: 5
UCD-SNMP-MIB::prMax.1 = INTEGER: 30
UCD-SNMP-MIB::prCount.1 = INTEGER: 0

And the server is running httpd:
.....
29475 ?        S      1:12 /usr/sbin/httpd
29476 ?        S      1:59 /usr/sbin/httpd
29477 ?        S      1:44 /usr/sbin/httpd
31041 ?        S      1:02 /usr/sbin/httpd
31042 ?        S      0:41 /usr/sbin/httpd
31043 ?        S      0:38 /usr/sbin/httpd
31511 ?        Ss     0:00 sshd: root@pts/0
31517 pts/0    Ss     0:00 -bash
31591 ?        S      0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a
31806 ?        S      0:09 /usr/sbin/httpd
31921 pts/0    R+     0:00 ps ax
[root@mandio log]#


Version-Release number of selected component (if applicable):
net-snmp-5.1.2-11

How reproducible:
Always

Steps to Reproduce:
1. snmpget -v 2c mandio.cbs.dk -c library .1.3.6.1.4.1.2021.2.1.3.1 .1.3.6.1.4.1.2021.2.1.4.1 .1.3.6.1.4.1.2021.2.1.5.1
  

Actual Results:  UCD-SNMP-MIB::prMin.1 = INTEGER: 5
UCD-SNMP-MIB::prMax.1 = INTEGER: 30
UCD-SNMP-MIB::prCount.1 = INTEGER: 0

Expected Results:  UCD-SNMP-MIB::prMin.1 = INTEGER: 5
UCD-SNMP-MIB::prMax.1 = INTEGER: 30
UCD-SNMP-MIB::prCount.1 = INTEGER: 23 (some number)

Additional info:

Comment 1 Radek Vokál 2005-05-19 07:39:01 UTC
This seems to be a SELinux issue. Can you please try if this also happens on
your system when you have SELinux turned off? eg. try `setenforce 0` and
`service snmpd restart` 




Comment 2 Mikkel Kruse Johnsen 2005-05-19 07:53:18 UTC
Yes it seems to be a SELinux problem. After running "setenforce 0" it worked and
stopped working again after "setenforce 1".

Comment 4 Daniel Walsh 2005-05-19 14:13:15 UTC
Are you seeing any avc messages in /var/log/messages or /var/log/audit/audit.log?

Dan

Comment 5 Mikkel Kruse Johnsen 2005-05-19 14:30:09 UTC
There are no avc messages in /var/log/messages and I don't have audit running (no
/var/log/audit/audit.log file).

Comment 6 Daniel Walsh 2005-05-19 14:34:25 UTC
Ok can you update to selinux policy rpms in U1.
They are available in 

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u1

Check to see if it works.  If not, could you try
install selinux-policy-targeted-sources

cd /etc/selinux/targeted/src/policy
make enableaudit; make load

Then try to cause the problem and see if there are AVC messages.

Dan


Comment 7 Mikkel Kruse Johnsen 2005-05-19 14:57:53 UTC
Doing:

cd /etc/selinux/targeted/src/policy
make enableaudit; make load

Resulted in:

May 19 16:50:01 mandio kernel: audit(1116514201.474:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=1 dev=proc ino=65538
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=dir

Being printed in /var/log/messages

Also updated to:

policycoreutils-1.18.1-4.3.i386.rpm
setools-1.5.1-5.1.i386.rpm

and did:
cd /etc/selinux/targeted/src/policy
make enableaudit; make load

Reported the same avc error.



Comment 8 Daniel Walsh 2005-05-19 15:02:18 UTC
Ok one last thing.  do

setenforce 0
run snmp and see if it reports any other errors.

Dan

Comment 9 Mikkel Kruse Johnsen 2005-05-19 15:27:08 UTC
Doing "setenforce 0" resulted in the following the first run, but any runs after
didn't print anything.


---
May 19 17:22:54 mandio kernel: audit(1116516174.636:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=1 dev=proc ino=65538
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.636:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=65540
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.636:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/1/status dev=proc ino=65540
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.639:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=1814 dev=proc ino=118882306
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:syslogd_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.639:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=118882308
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:syslogd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.639:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/1814/status dev=proc
ino=118882308 scontext=user_u:system_r:snmpd_t
tcontext=user_u:system_r:syslogd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.640:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=1845 dev=proc ino=120913922
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:portmap_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.640:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=120913924
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:portmap_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.641:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/1845/status dev=proc
ino=120913924 scontext=user_u:system_r:snmpd_t
tcontext=user_u:system_r:portmap_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.642:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=3161 dev=proc ino=207159298
scontext=user_u:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.642:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=207159300
scontext=user_u:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/3161/status dev=proc
ino=207159300 scontext=user_u:system_r:snmpd_t
tcontext=root:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=3270 dev=proc ino=214302722
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:ntpd_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=214302724
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:ntpd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/3270/status dev=proc
ino=214302724 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:ntpd_t
tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=15085 dev=proc ino=988610562
scontext=user_u:system_r:snmpd_t tcontext=system_u:system_r:unconfined_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=988610564
scontext=user_u:system_r:snmpd_t tcontext=system_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/15085/status dev=proc
ino=988610564 scontext=user_u:system_r:snmpd_t
tcontext=system_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=16230 dev=proc ino=1063649282
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=1063649284
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/16230/status dev=proc
ino=1063649284 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t
tclass=file
----

Comment 10 Daniel Walsh 2005-05-19 15:43:14 UTC
Ok, I am going to add policy to allow this.  Problem is it will take a while to
get it into RHEL4/U2.  You can set snmpd_disable_trans to disable snmp transition
for now, if you want this behaviour to work.
setsebool -P snmpd_disable_trans=1
service snmpd restart
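
Added example, not part of the bug thread and not Red Hat's policy code: a small parser that groups the AVC denials from Comment 9 by source type, target type and object class, and prints each group in allow-rule syntax so the access snmpd_t is missing can be read at a glance. The sample is an excerpt of the log above with its line wrapping kept; the function names are this example's own, and the rule actually shipped in RHBA-2005-645 is not shown on this page.

```python
import re
from collections import defaultdict

# Excerpt of the AVC denials from Comment 9, syslog line wrapping preserved.
SAMPLE = """\
May 19 17:22:54 mandio kernel: audit(1116516174.636:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=1 dev=proc ino=65538
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc:  denied  { search }
for  pid=13916 exe=/usr/sbin/snmpd name=16230 dev=proc ino=1063649282
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc:  denied  { read }
for  pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=1063649284
scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc:  denied  { getattr
} for  pid=13916 exe=/usr/sbin/snmpd path=/proc/16230/status dev=proc
ino=1063649284 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t
tclass=file
"""

AVC = re.compile(
    r"avc: denied \{ ([^}]+?) \} for .*?"
    r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)"
)

def sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    flat = " ".join(log_text.split())  # undo wrapping such as "{ getattr\n}"
    grouped = defaultdict(set)
    for perms, scon, tcon, tclass in AVC.findall(flat):
        grouped[(sel_type(scon), sel_type(tcon), tclass)].update(perms.split())
    return grouped

def as_rules(grouped):
    """Render each group in SELinux allow-rule syntax, sorted for stable output."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE)):
        print(rule)
```

Run over the full log from Comment 9, the same search/read/getattr triple appears for every target domain snmpd meets under /proc (unconfined_t, syslogd_t, portmap_t, ntpd_t, httpd_t), which is why prCount stays at 0 in enforcing mode.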


Comment 11 Red Hat Bugzilla 2005-10-05 16:34:25 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-645.html