Bug 211870

Summary: AVC thrown when doing SNMP query of disk usage
Product: Red Hat Enterprise Linux 4
Reporter: Chris Stankaitis <cstankaitis>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4.0
CC: dwalsh
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: RHBA-2007-0171
Doc Type: Bug Fix
Last Closed: 2007-05-01 22:48:00 UTC

Description Chris Stankaitis 2006-10-23 16:23:19 UTC
Description of problem:

When our cacti system does an snmp query of our linux boxes and hits the OID
which involves partitions and diskspace, the system will start throwing AVCs. It
does not appear to affect SNMP's ability to get results from the SNMP MIBs,
as cacti is still able to graph; however, /var/log/messages is full of spam.

Version-Release number of selected component (if applicable):

net-snmp-utils-5.1.2-11.EL4.6.i386
net-snmp-libs-5.1.2-11.EL4.6.i386
net-snmp-5.1.2-11.EL4.6.i386


How reproducible:

Always


Steps to Reproduce:

1. snmpwalk -v 1 -c $communitystring $hostname
2. on host - tail -f /var/log/messages

  
Actual results:


Oct 23 16:18:19 devgate kernel: audit(1161620299.027:222): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=usbfs ino=1024 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.028:223): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb1 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.029:224): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb5 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.031:225): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=binfmt_misc ino=4598 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.321:226): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=usbfs ino=1024 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.322:227): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb1 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.324:228): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb5 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.326:229): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=binfmt_misc ino=4598 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.338:230): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=usbfs ino=1024 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.339:231): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb1 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.340:232): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb5 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.342:233): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=binfmt_misc ino=4598 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir

# audit2allow -d
allow snmpd_t binfmt_misc_fs_t:dir getattr;
allow snmpd_t boot_t:dir getattr;
allow snmpd_t home_root_t:dir getattr;
allow snmpd_t usbfs_t:dir getattr;



Expected results:

No AVCs, no syslog spam.
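
The report's twelve AVC records and the four-line `audit2allow -d` output illustrate what the tool does: it folds every denial down to the unique (source type, target type, object class) triple and emits one allow rule per triple. The added example below (written for this page, not part of the bug report or of the audit2allow tool) is a small Python reimplementation of that folding, run over a constructed sample of eight records copied from the excerpt above, joined back onto one line each as syslog writes them. It also applies a simple triage check of our own: every denial here is `getattr` on a directory (snmpd statting mount points to answer the disk-usage MIB), which is a read-only metadata probe, and the check flags only rules that would grant a mutating permission. The permission list used for that flag is an assumption of this example, not something the page provides.

```python
import re
from collections import OrderedDict

# Constructed sample: eight records from the bug report's /var/log/messages
# excerpt (two rounds of the same four denials), one record per line.
SAMPLE_LOG = """\
Oct 23 16:18:19 devgate kernel: audit(1161620299.027:222): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=usbfs ino=1024 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.028:223): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb1 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.029:224): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb5 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.031:225): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=binfmt_misc ino=4598 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.321:226): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=usbfs ino=1024 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.322:227): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb1 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.324:228): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=hdb5 ino=2 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Oct 23 16:18:19 devgate kernel: audit(1161620299.326:229): avc:  denied  { getattr } for  pid=1760 comm="snmpd" name="/" dev=binfmt_misc ino=4598 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
"""

# "avc:  denied  { getattr } for  pid=1760 ..." -> action, permission list, key=value tail
AVC_RE = re.compile(r'avc:\s+(?P<action>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
# key=value pairs; values may be quoted (comm="snmpd") or bare (dev=usbfs)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for a line that is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def ctx_type(context):
    """'user_u:system_r:snmpd_t' -> 'snmpd_t' (the type is the third field of a context)."""
    return context.split(":")[2]


def denial_count(lines):
    """Number of raw denial records, before folding (the 'syslog spam' volume)."""
    n = 0
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["action"] == "denied":
            n += 1
    return n


def collect_denials(lines):
    """Fold denials into {(source_type, target_type, class): set(permissions)}."""
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def allow_rules(rules):
    """Render the folded denials in the allow-rule syntax audit2allow prints."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ %s }" % text
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, text))
    return out


# Assumed triage list (this example's own, not from the page or from SELinux
# tooling): permissions that let the source domain change the target object
# rather than merely inspect it.
MUTATING_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
                  "relabelto", "relabelfrom", "add_name", "remove_name",
                  "rmdir", "execute", "execute_no_trans", "entrypoint"}


def needs_review(rules):
    """Keys of folded rules that would grant at least one mutating permission."""
    return [key for key, perms in rules.items() if perms & MUTATING_PERMS]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    rules = collect_denials(lines)
    print("%d denials fold into %d rules" % (denial_count(lines), len(rules)))
    for rule in allow_rules(rules):
        print(rule)
    print("rules granting mutating permissions:", needs_review(rules))
```

Run as a script it prints that 8 denials fold into 4 rules, lists exactly the four `allow snmpd_t ...:dir getattr;` lines shown in the report, and reports no rule needing review. The folding is what makes the repeated records in /var/log/messages tolerable to triage; the `needs_review` check is the question to ask before pasting `audit2allow` output into a local policy module, since a denial-derived rule is only as safe as the permission it grants.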

Comment 1 Chris Stankaitis 2006-10-23 16:24:45 UTC
BAH forgot to note:

selinux-policy-targeted-1.17.30-2.126.noarch

Comment 2 Chris Stankaitis 2006-11-20 19:38:57 UTC
It's been almost a month; can someone take a look at this and comment?

Comment 3 Chris Stankaitis 2007-01-25 17:28:22 UTC
Still a problem in selinux-policy-targeted-1.17.30-2.140.noarch. Can someone
please address this?

Comment 4 Daniel Walsh 2007-01-29 14:55:09 UTC
Fixed in 1.17.30-2.142


Comment 5 Chris Stankaitis 2007-01-30 14:15:24 UTC
thanks Dan!

Comment 11 Red Hat Bugzilla 2007-05-01 22:48:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html