Bug 185296
Summary: | snmpd generates avc: denied messages | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | Peter Bieringer <pb> |
Component: | selinux-policy-targeted | Assignee: | Russell Coker <rcoker> |
Status: | CLOSED ERRATA | Severity: | medium |
Priority: | medium | Version: | 4.0 |
Hardware: | All | OS: | Linux |
Fixed In Version: | RHBA-2006-0373 | Doc Type: | Bug Fix |
Last Closed: | 2006-08-10 21:20:12 UTC | Bug Blocks: | 181409 |
Description
Peter Bieringer
2006-03-13 13:06:54 UTC
Fixed in selinux-policy-targeted-1.17.30-2.132

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0373.html

Confirming problem is fixed.

Hmm, while the problem is gone on 2 other systems, it stays on one system which is similar to one of the others:

Sep 26 12:40:55 server audit(1159267255.028:1807): avc: denied { read } for pid=26075 comm="snmpd" name="config" dev=md1 ino=177784 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Sep 26 12:40:55 server audit(1159267255.028:1808): avc: denied { getattr } for pid=26075 comm="snmpd" name="config" dev=md1 ino=177784 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file

# ls -Z /dev/md1
brw-rw---- root disk system_u:object_r:fixed_disk_device_t /dev/md1

is identical on both systems. Can someone please point me where to look deeper for comparing?

Are you running in permissive mode on this machine and enforcing on the others?

Both are in permissive mode. I checked another box (different setup), running selinux-policy-targeted-1.17.30-2.140. Here it occurs too, on "service snmpd restart". Do you have any hints on how to debug this issue?

We do not care about avc messages in permissive mode. The way the policy works is we have a dontaudit when trying to read the /etc/selinux directory, which in enforcing mode would prevent the app from continuing. So no AVC would be generated, but in permissive mode the app continues and tries to read files that it is not allowed (by policy) to read. So AVCs are generated. So only if you can generate these AVCs in enforcing, it is a bug.

I've tried now with selinux in enforcing mode on both nodes and, as you expected, the messages are gone now. Funny that even on one system which is still in permissive mode, such a message didn't appear, while it is mostly identical to one of the others. Anyway, the reason is now known, thank you for the assistance.
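
For comparing denials between hosts as asked in the thread, the following added example (not part of the original report or of any Red Hat tool) parses the two quoted AVC lines and groups them by source type, target type and object class. The helper names `parse_avc`, `type_of` and `summarize` are hypothetical; the `permissive=` field is only logged by newer kernels and is absent from the RHEL 4 lines here.

```python
import re
from collections import defaultdict

# The two denials quoted in the report above, embedded so the script runs offline.
SAMPLE_LOG = """\
Sep 26 12:40:55 server audit(1159267255.028:1807): avc: denied { read } for pid=26075 comm="snmpd" name="config" dev=md1 ino=177784 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Sep 26 12:40:55 server audit(1159267255.028:1808): avc: denied { getattr } for pid=26075 comm="snmpd" name="config" dev=md1 ino=177784 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the key=value fields plus 'perms', or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: not enough to identify the access
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Extract the type from user:role:type[:mls]; targeted policy decides on the type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "names": set(), "modes": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec.get("comm", "?"))
        g["names"].add(rec.get("name", "?"))
        # Newer kernels append permissive=0|1; old records such as these do not.
        g["modes"].add(rec.get("permissive", "not logged"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }} "
              f"comm={','.join(sorted(g['comms']))} name={','.join(sorted(g['names']))}")
```

Running the same summary over the logs of each host and diffing the output shows whether the hosts differ in the access being denied or only in whether it is logged.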