Bug 1991029
| Summary: | SELinux is preventing /usr/sbin/lldpd from {search and create} access on the directory /var/agentx/master. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alena <alrodrig> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.4 | CC: | d.perry, lvrabec, mmalik, mpagan, ssekidde | |
| Target Milestone: | beta | Keywords: | AutoVerified, Triaged | |
| Target Release: | 8.6 | Flags: | pm-rhel:
mirror+
|
|
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.14.3-86.el8 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2033315 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-10 15:15:05 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(12/16/2021 05:26:21.733:353) : proctitle=/usr/sbin/lldpd -x
type=PATH msg=audit(12/16/2021 05:26:21.733:353) : item=0 name=/var/agentx/master inode=41943498 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/16/2021 05:26:21.733:353) : cwd=/
type=SOCKADDR msg=audit(12/16/2021 05:26:21.733:353) : saddr={ saddr_fam=local path=/var/agentx/master }
type=SYSCALL msg=audit(12/16/2021 05:26:21.733:353) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x7 a1=0x55ddf5046980 a2=0x6e a3=0x0 items=1 ppid=1 pid=6019 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(12/16/2021 05:26:21.733:353) : avc: denied { connectto } for pid=6019 comm=lldpd path=/var/agentx/master scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(12/16/2021 05:26:21.733:353) : avc: denied { write } for pid=6019 comm=lldpd name=master dev="vda1" ino=41943498 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(12/16/2021 05:26:21.733:353) : avc: denied { search } for pid=6019 comm=lldpd name=agentx dev="vda1" ino=41943497 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=1
----
# rpm -qa selinux\*
selinux-policy-3.14.3-85.el8.noarch
selinux-policy-targeted-3.14.3-85.el8.noarch
#
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/982 To backport:
commit e7f00c5591082ab84c055ba250b361eefa19eb0d (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Mon Jan 3 12:27:28 2022 +0100
Allow lldpd connect to snmpd with a unix domain stream socket
https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/commit/1d86c82abf7dfb9d30a00ceefc50a5040b468c87?merge_request_iid=405 commit 1d86c82abf7dfb9d30a00ceefc50a5040b468c87 (HEAD -> rhel8.6-contrib, upstream/rhel8.6-contrib, origin/rhel8.6-contrib) Author: Zdenek Pytela <zpytela> Date: Mon Jan 3 12:27:28 2022 +0100 Allow lldpd connect to snmpd with a unix domain stream socket If the lldpd service is configured to enable the SNMP subagent (using the -x option), the lldpd process tries to connect to snmpd's agentx. By default, the /var/agentx/master socket file is used. Addresses the following AVC denial: type=PROCTITLE msg=audit(01/03/22 06:21:57.359:417) : proctitle=/usr/sbin/lldpd -x type=PATH msg=audit(01/03/22 06:21:57.359:417) : item=0 name=/var/agentx/master nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(01/03/22 06:21:57.359:417) : cwd=/ type=SOCKADDR msg=audit(01/03/22 06:21:57.359:417) : saddr={ saddr_fam=local path=/var/agentx/master } type=SYSCALL msg=audit(01/03/22 06:21:57.359:417) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x5586e8de9980 a2=0x6e a3=0x0 items=1 ppid=1 pid=12595 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) type=AVC msg=audit(01/03/22 06:21:57.359:417) : avc: denied { search } for pid=12595 comm=lldpd name=agentx dev="vda1" ino=2034987 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0 Resolves: rhbz#1991029 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1995 |
The following SELinux denial appears in enforcing mode: ---- type=PROCTITLE msg=audit(12/16/2021 05:21:24.716:329) : proctitle=/usr/sbin/lldpd -x type=PATH msg=audit(12/16/2021 05:21:24.716:329) : item=0 name=/var/agentx/master nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(12/16/2021 05:21:24.716:329) : cwd=/ type=SOCKADDR msg=audit(12/16/2021 05:21:24.716:329) : saddr={ saddr_fam=local path=/var/agentx/master } type=SYSCALL msg=audit(12/16/2021 05:21:24.716:329) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x7 a1=0x55dff95e3980 a2=0x6e a3=0x0 items=1 ppid=1 pid=5978 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) type=AVC msg=audit(12/16/2021 05:21:24.716:329) : avc: denied { search } for pid=5978 comm=lldpd name=agentx dev="vda1" ino=41943497 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0 ---- The second SELinux denial mentioned in comment#0 is already addressed in BZ#2028379.