Bug 1713898

Summary: SELinux is preventing snmpd from 'sys_ptrace' accesses on the cap_userns Desconhecido.
Product: [Fedora] Fedora Reporter: oseiasflores <osf182>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 30CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:00cee90284f6ce5712511d1074ca494c1c2f3a72f7d6307e3243e3b5db180bb0;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.14.3-53.fc30 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-11 01:32:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description oseiasflores 2019-05-25 14:51:43 UTC 
Description of problem:
snmpwalk -v2c -c trab2redes localhost
SELinux is preventing snmpd from 'sys_ptrace' accesses on the cap_userns Desconhecido.

*****  Plugin catchall (100. confidence) suggests   **************************

Se você acredita nisso snmpd deve ser permitido sys_ptrace acesso no Desconhecido cap_userns por padrão.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
permitir este acesso por agora executando: # ausearch -c 'snmpd'--raw | audit2allow -M my-snmpd # semodule -X 300 -i my-snmpd.pp

Additional Information:
Source Context                system_u:system_r:snmpd_t:s0
Target Context                system_u:system_r:snmpd_t:s0
Target Objects                Desconhecido [ cap_userns ]
Source                        snmpd
Source Path                   snmpd
Port                          <Desconhecido>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-37.fc30.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.0.17-300.fc30.x86_64 #1 SMP Mon
                              May 20 15:36:26 UTC 2019 x86_64 x86_64
Alert Count                   964
First Seen                    2019-05-25 11:09:07 -03
Last Seen                     2019-05-25 11:42:29 -03
Local ID                      2cc13fb2-80c6-4abc-a063-65a5c6edb715

Raw Audit Messages
type=AVC msg=audit(1558795349.818:1209): avc:  denied  { sys_ptrace } for  pid=782 comm="snmpd" capability=19  scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=cap_userns permissive=0


Hash: snmpd,snmpd_t,snmpd_t,cap_userns,sys_ptrace

Version-Release number of selected component:
selinux-policy-3.14.3-37.fc30.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         5.0.17-300.fc30.x86_64
type:           libreport
Comment 1 Lukas Vrabec 2019-05-27 08:04:17 UTC 
Hi, 

Do you see any issues with snmpd or you just got this SELinux denial without any affect on functionality? 

Thanks,
Lukas.
Comment 2 oseiasflores 2019-11-26 12:27:00 UTC 
First, I would like to apologize for the delay in making this response.

About your question: The system now sends "endless" notifications. With each new read, a system notification occurs, as my "get" went to every tree, I received so many notifications that the system crashed until all notifications were displayed. So yes, that made the system unstable for more than 10 minutes or so. I solved the problem by disabling system notifications and beeps.
Comment 3 Lukas Vrabec 2019-11-26 14:12:54 UTC 
Thanks for update. 

commit adc572faae590e87ef91f8ba3ee8e99f92a531ea (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Nov 26 14:50:46 2019 +0100

    Allow snmpd_t domain to trace processes in user namespace
    
    Resolves: rhbz#1713898
Comment 4 Fedora Update System 2019-12-04 07:50:21 UTC 
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
Comment 5 Fedora Update System 2019-12-05 02:00:44 UTC 
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
Comment 6 Fedora Update System 2019-12-06 19:20:37 UTC 
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
Comment 7 Fedora Update System 2019-12-07 02:17:47 UTC 
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
Comment 8 Fedora Update System 2019-12-11 01:32:03 UTC 
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.