Bug 2131828

Summary:	RHDS SNMP agent fails to start with selinux SELinux errors
Product:	Red Hat Directory Server	Reporter:	Marc Sauton <msauton>
Component:	389-ds-base	Assignee:	Viktor Ashirov <vashirov>
Status:	CLOSED MIGRATED	QA Contact:	LDAP QA Team <idm-ds-qe-bugs>
Severity:	high	Docs Contact:	Evgenia Martynyuk <emartyny>
Priority:	medium
Version:	11.5	CC:	idm-ds-dev-bugs, jyoung, mmalik, mreynolds, musoni, progier, tbordaz, vashirov
Target Milestone:	DS11.9	Keywords:	Triaged
Target Release:	dirsrv-11.9
Hardware:	All
OS:	Linux
Whiteboard:	sync-to-jira
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2024-06-26 13:52:50 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Marc Sauton 2022-10-03 20:20:46 UTC

Description of problem:

The RHDS SNMP agent fails to start with selinux SELinux errors
There are several SELinux definitions that are missing 

Version-Release number of selected component (if applicable):
RHDS-11.5 on RHEL-8.6

How reproducible:
on demand

Steps to Reproduce:

1. Have RHDS-11.5 installed and an instance running with some data

2. for the admin guide to start the SNMP configuration
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/monitoring_ds_using_snmp#doc-wrapper
21.10. Monitoring Directory Server Using SNMP
21.10.4. Setting up an SNMP Agent for Directory Server

An RHDS instance is running:
dsctl m1 status
Instance "m1" is running

SNMP is configured:
systemctl start snmpd
ps ax | egrep "snmp|agent"
  35799 ?        Ss     0:00 /usr/sbin/snmpd -LS0-6d -f


3. 21.10.4. Setting up an SNMP Agent for Directory Server
Start the dirsrv-snmp service:


Actual results:

Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#



Expected results:
yes
see "solution" at the end of "Additional Information"



Additional info:

RHDS-11.5 RHEL-8.6

cat /etc/redhat-release ; uname -a ; rpm -q nss nspr 389-ds-base redhat-ds sssd
Red Hat Enterprise Linux release 8.6 (Ootpa)
Linux m1.example.test 4.18.0-372.9.1.el8.x86_64 #1 SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
nss-3.67.0-7.el8_5.x86_64
nspr-4.32.0-1.el8_4.x86_64
389-ds-base-1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
package redhat-ds is not installed
sssd-2.6.2-3.el8.x86_64
[root@m1 ~]#

yum module info redhat-ds:11 | less
...
Name             : redhat-ds
Stream           : 11 [d][e][a]
Version          : 8060020220328133644
Context          : fd2afb17
Architecture     : x86_64
Profiles         : default [d] [i], legacy, minimal
Default profiles : default
Repo             : dirsrv-11-for-rhel-8-x86_64-rpms
Summary          : Red Hat Directory Server 11.5
Description      : The Red Hat Directory Server is an LDAPv3 compliant server.
Requires         : platform:[el8]
Artifacts        : 389-ds-base-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.src
                 : 389-ds-base-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-debugsource-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-devel-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-legacy-tools-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-legacy-tools-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-libs-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-libs-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-snmp-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-snmp-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : cockpit-389-ds-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.noarch
                 : python3-lib389-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.noarch

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled, [a]ctive
(END)


...


systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#


ps ax | egrep "snmp|agent"
  35799 ?        Ss     0:00 /usr/sbin/snmpd -LS0-6d -f
[root@m1 ~]#

snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
->
nothing


less /var/log/messages
...
Oct  3 19:04:36 m1 setroubleshoot[57601]: SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t. For complete SELinux messages run: sealert -l d5ce697b-7ad1-41e8-8c69-0320ed90c703
Oct  3 19:04:36 m1 setroubleshoot[57601]: SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that snmpd should be allowed sys_ptrace access on cap_userns labeled snmpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd#012# semodule -X 300 -i my-snmpd.pp#012
(END)


sealert -l d5ce697b-7ad1-41e8-8c69-0320ed90c703
SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snmpd should be allowed sys_ptrace access on cap_userns labeled snmpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd
MPORTANT ***********************
To make this policy package active, execute:

semodule -i my-snmpd.pp

[root@m1 ~]#


semodule -X 300 -i my-snmpd.pp

Source Context                system_u:system_r:snmpd_t:s0
Target Context                system_u:system_r:snmpd_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        snmpd
Source Path                   /usr/sbin/snmpd
Port                          <Unknown>
Host                          m1.example.test
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     m1.example.test
Platform                      Linux m1.example.test 4.18.0-372.9.1.el8.x86_64 #1
                              SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count                   745
First Seen                    2022-10-03 18:58:32 GMT
Last Seen                     2022-10-03 19:03:40 GMT
Local ID                      d5ce697b-7ad1-41e8-8c69-0320ed90c703

Raw Audit Messages
type=AVC msg=audit(1664823820.832:970): avc:  denied  { sys_ptrace } for  pid=35799 comm="snmpd" capability=19  scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=cap_userns permissive=0


Hash: snmpd,snmpd_t,snmpd_t,cap_userns,sys_ptrace

[root@m1 ~]#

->

ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-snmpd.pp
[root@m1 ~]#


semodule -X 300 -i my-snmpd.pp



systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#

journalctl -xe
Oct 03 19:14:11 m1.example.test systemd[1]: Starting 389 Directory Server SNMP Subagent....
-- Subject: Unit dirsrv-snmp.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit dirsrv-snmp.service has begun starting up.
Oct 03 19:14:11 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.211' (uid=0 pid=851 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using service>
Oct 03 19:14:11 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 03 19:14:13 m1.example.test setroubleshoot[60443]: Deleting alert d5ce697b-7ad1-41e8-8c69-0320ed90c703, it is allowed in current policy
Oct 03 19:14:13 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Cancel pending alarm
Oct 03 19:14:13 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.543' (uid=991 pid=60443 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="syst>
Oct 03 19:14:13 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability. For complete SELinux messages run: sealert -l de96bd1a-58ba-47a9-b2a6-8afe1dd995fb
Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability.

                                                       *****  Plugin dac_override (91.4 confidence) suggests   **********************

                                                       If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
                                                       Then turn on full auditing to get path information about the offending file and generate the error again.
                                                       Do

                                                       Turn on full auditing
                                                       # auditctl -w /etc/shadow -p w
                                                       Try to recreate AVC. Then execute
                                                       # ausearch -m avc -ts recent
                                                       If you see PATH record check ownership/permissions on file, and fix it,
                                                       otherwise report as a bugzilla.

                                                       *****  Plugin catchall (9.59 confidence) suggests   **************************

                                                       If you believe that ldap-agent should have the dac_override capability by default.
                                                       Then you should report this as a bug.
                                                       You can generate a local policy module to allow this access.
                                                       Do
                                                       allow this access for now by executing:
                                                       # ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
                                                       # semodule -X 300 -i my-ldapagent.pp

Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Set alarm timeout to 10
Oct 03 19:14:16 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Cancel pending alarm
...
-- Unit dirsrv-snmp.service has failed.
--
-- The result is failed.
lines 3659-3684/3684 (END)


ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-ldapagent.pp

[root@m1 ~]#


semodule -X 300 -i my-ldapagent.pp


systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#

Oct 03 19:20:11 m1.example.test systemd[1]: Starting 389 Directory Server SNMP Subagent....
-- Subject: Unit dirsrv-snmp.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit dirsrv-snmp.service has begun starting up.
Oct 03 19:20:14 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.211' (uid=0 pid=851 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using service>
Oct 03 19:20:14 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 03 19:20:15 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Cancel pending alarm
Oct 03 19:20:16 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.551' (uid=991 pid=62262 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="syst>
Oct 03 19:20:16 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability. For complete SELinux messages run: sealert -l de96bd1a-58ba-47a9-b2a6-8afe1dd995fb
Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability.

                                                       *****  Plugin dac_override (91.4 confidence) suggests   **********************

                                                       If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
                                                       Then turn on full auditing to get path information about the offending file and generate the error again.
                                                       Do

                                                       Turn on full auditing
                                                       # auditctl -w /etc/shadow -p w
                                                       Try to recreate AVC. Then execute
                                                       # ausearch -m avc -ts recent
                                                       If you see PATH record check ownership/permissions on file, and fix it,
                                                       otherwise report as a bugzilla.

                                                       *****  Plugin catchall (9.59 confidence) suggests   **************************

                                                       If you believe that ldap-agent should have the dac_override capability by default.
                                                       Then you should report this as a bug.
                                                       You can generate a local policy module to allow this access.
                                                       Do
                                                       allow this access for now by executing:
                                                       # ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
                                                       # semodule -X 300 -i my-ldapagent.pp

Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Set alarm timeout to 10
Oct 03 19:20:25 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Cancel pending alarm


ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-ldapagent.pp

[root@m1 ~]#

semodule -X 300 -i my-ldapagent.pp


systemctl start dirsrv-snmp
FAILs


snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
nothing



solution:


add some missing SELinux configuration:

cat << EOF > ~/rhds_snmp_selinux.te
module rhds_snmp_selinux 1.0;

require {
        type dirsrv_t;
        type kernel_t;
        type dirsrv_tmpfs_t;
        type dirsrv_var_run_t;
        type dirsrv_snmp_t;
        class file map;
        class dir write;
        class file { create map write };
        class dir add_name;
        class capability dac_override;
        class system module_request;
}

#============= dirsrv_snmp_t ==============

allow dirsrv_snmp_t dirsrv_var_run_t:dir write;
allow dirsrv_snmp_t dirsrv_var_run_t:dir add_name;
allow dirsrv_snmp_t dirsrv_var_run_t:file map;
allow dirsrv_snmp_t dirsrv_var_run_t:file create;
allow dirsrv_snmp_t dirsrv_var_run_t:file { create map };
allow dirsrv_snmp_t dirsrv_var_run_t:file write;
allow dirsrv_snmp_t self:capability dac_override;
allow dirsrv_t kernel_t:system module_request;

EOF

checkmodule -M -m -o ~/rhds_snmp_selinux.mod ~/rhds_snmp_selinux.te
semodule_package -o ~/rhds_snmp_selinux.pp -m ~/rhds_snmp_selinux.mod
semodule -i ~/rhds_snmp_selinux.pp


systemctl start dirsrv-snmp
[root@m1 ~]#

ps ax | egrep "snmp|agent|dirsrv"
   1351 ?        Ssl    0:19 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-m1 -i /run/dirsrv/slapd-m1.pid
  35799 ?        Ss     0:04 /usr/sbin/snmpd -LS0-6d -f
  65752 ?        S      0:00 /usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf
[root@m1 ~]#


snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
HOST-RESOURCES-MIB::hrSWRunParameters.66350 = STRING: "--color=auto -i rhds"

snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB .1.3.6.1.4.1.2312.6 | less
RHDS-MIB::dsAnonymousBinds.389 = Counter64: 0
RHDS-MIB::dsUnAuthBinds.389 = Counter64: 0
...snip...

Comment 2 Viktor Ashirov 2024-04-10 17:17:29 UTC

The issue is caused by https://github.com/389ds/389-ds-base/commit/9a6cfddee12a591b0563a400f46c6e6b72a94500
In RHEL9/RHDS12 it was fixed in the selinux-policy https://bugzilla.redhat.com/show_bug.cgi?id=2042515, https://github.com/fedora-selinux/selinux-policy/commit/8479a8400fe1b7583814356e74e9cf1c35da1dd9

We need the same change for RHEL8.

> allow dirsrv_snmp_t self:capability dac_override;

We should not allow this, rather it should be put in dontaudit, see https://danwalsh.livejournal.com/80232.html

Comment 3 Milos Malik 2024-04-26 14:35:54 UTC

The dac_override SELinux denials usually indicate that there is a problem with UNIX ownership or UNIX permissions. More information can be found at:
 * https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
 * https://danwalsh.livejournal.com/80232.html

In order to properly solve the problem, more detailed SELinux denials are needed. You can get them after enabling the full auditing:
 * https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Comment 4 Pierre Rogier 2024-04-26 15:35:42 UTC

Indeed, and in fact the ldap-agent is only acceding a few files in /run/dirsrv
Checking the permissions shows that /run/dirsrv is 770 dirsrv dirsrv
while ldap-agent started by snmp service is root root 
and that is why we are getting the dac_override message
Simply changing the group ownership of /run/dirsrv to root  (i.e: /run/dirsrv is 770 dirsrv root)
 should allow that both the ns-slpad and the ldap-agent process have the permission to read and create files in this directory
 without needing any extra capabilities.
In short we have to fix dscreate to set the proper ownership when generating the /etc/tmpfiles.d/dirsrv-*.conf file  
  See https://bugzilla.redhat.com/show_bug.cgi?id=2276933)

Comment 5 Pierre Rogier 2024-04-26 15:37:57 UTC

( Created upstream ticket: https://github.com/389ds/389-ds-base/issues/6155 )

Comment 6 Jerone Young 2024-05-24 18:17:34 UTC

This issue is also affecting RHEL 9 & RHDS 12.3.

Same resolution, compile custom selinux policy to have:
     allow dirsrv_snmp_t self:capability dac_override;

Comment 7 Viktor Ashirov 2024-06-26 13:52:50 UTC

This BZ has been automatically migrated to Red Hat Issue Tracker https://issues.redhat.com/browse/DIRSRV-45. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.