Bug 2151378

Summary: Selinux prevents squid from binding snmp ports
Product: Red Hat Enterprise Linux 9
Reporter: icesalov
Component: selinux-policy
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.2
CC: lvrabec, mmalik, tkorbar, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-38.1.13-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: A missing rule in the SELinux policy prevents squid from providing statistics through the snmp protocol.
Consequence: Squid is not able to provide statistics through the snmp protocol.
Fix: Add a tunable to allow squid to bind the snmp port. This change allows squid to bind the standard snmp ports.
Result: Squid is able to provide statistics through the snmp protocol.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2023-05-16

Description icesalov 2022-12-06 22:03:49 UTC
Description of problem:

/CoreOS/squid/Regression/bz1198778-snmp-fd-leaks is failing on RHEL-9.2

Version-Release number of selected component (if applicable):
squid-5.5-5.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. run test /CoreOS/squid/Regression/bz1198778-snmp-fd-leaks

Actual results:
:: [ 17:23:08 ] :: [  BEGIN   ] :: Running 'snmpwalk -v2c -c public localhost:10161 .1.3.6.1.4.1.3495.1.1.1.0'
Timeout: No Response from localhost:10161
:: [ 17:23:14 ] :: [   FAIL   ] :: Command 'snmpwalk -v2c -c public localhost:10161 .1.3.6.1.4.1.3495.1.1.1.0' (Expected 0, got 1)


Expected results:
test pass

Additional info:

Comment 5 Milos Malik 2023-04-26 13:05:32 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(04/26/2023 09:03:49.760:508) : proctitle=(squid-coord-9) --kid squid-coord-9 --foreground -f /etc/squid/squid.conf 
type=SOCKADDR msg=audit(04/26/2023 09:03:49.760:508) : saddr={ saddr_fam=inet6 laddr=:: lport=10161 } 
type=SYSCALL msg=audit(04/26/2023 09:03:49.760:508) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xd a1=0x558e67dacdd0 a2=0x1c a3=0x7ffcac656494 items=0 ppid=27615 pid=27617 auid=unset uid=squid gid=squid euid=root suid=root fsuid=root egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=squid exe=/usr/sbin/squid subj=system_u:system_r:squid_t:s0 key=(null) 
type=AVC msg=audit(04/26/2023 09:03:49.760:508) : avc:  denied  { name_bind } for  pid=27617 comm=squid src=10161 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:snmp_port_t:s0 tclass=udp_socket permissive=0 
----

# rpm -qa selinux\* squid\* net-snmp\* | sort
net-snmp-5.9.1-9.el9.x86_64
net-snmp-agent-libs-5.9.1-9.el9.x86_64
net-snmp-libs-5.9.1-9.el9.x86_64
net-snmp-utils-5.9.1-9.el9.x86_64
selinux-policy-38.1.12-1.el9.noarch
selinux-policy-devel-38.1.12-1.el9.noarch
selinux-policy-targeted-38.1.12-1.el9.noarch
squid-5.5-5.el9.x86_64
#
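The AVC record above is the whole diagnosis: the denial is on `name_bind` against `snmp_port_t` for a `udp_socket`, so it is a port-label problem, not a file-label one. The following shell snippet is an added example (not code from the bug report or from selinux-policy): it pulls the triage fields out of an AVC line and prints which policy objects to inspect. The sample line is copied from Comment 5; the function names `avc_fields` and `avc_hint` are my own. The boolean that the fix introduced is not named anywhere on this page, so the hint greps `getsebool -a` for the domain prefix instead of hard-coding a boolean name.

```shell
#!/bin/sh
# Added example, not part of the bug report: extract triage fields from an
# AVC record like the one in Comment 5 and turn them into a short checklist.
# SAMPLE_AVC is the line from Comment 5 (trailing space dropped).

SAMPLE_AVC='type=AVC msg=audit(04/26/2023 09:03:49.760:508) : avc:  denied  { name_bind } for  pid=27617 comm=squid src=10161 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:snmp_port_t:s0 tclass=udp_socket permissive=0'

# avc_fields: read one AVC line on stdin and print
#   "<permission> <source type> <target type> <class> <port>"
# Only records that carry src=<port> (bind/connect style denials) match;
# anything else, e.g. a file read denial, produces no output.
avc_fields() {
  sed -n 's/.*denied *{ *\([^ }]*\) *} for .*src=\([0-9]*\) scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\1 \3 \4 \5 \2/p'
}

# avc_hint: given the five fields, print what to inspect.
# A name_bind denial whose target is a *_port_t type means the policy is
# refusing the port label for this domain; the remedies to evaluate are a
# port-label change (semanage port) or a boolean that grants the domain
# that port (getsebool/setsebool). Relabelling files will not help.
avc_hint() {
  perm=$1 sdom=$2 ttype=$3 tclass=$4 port=$5
  case "$perm:$tclass" in
    name_bind:udp_socket|name_bind:tcp_socket)
      printf '%s is denied binding port %s, which is labelled %s\n' "$sdom" "$port" "$ttype"
      printf 'check the port label:     semanage port -l | grep %s\n' "$ttype"
      printf 'check for a boolean:      getsebool -a | grep %s\n' "${sdom%_t}"
      ;;
    *)
      printf 'no port-binding triage hint for %s on %s\n' "$perm" "$tclass"
      ;;
  esac
}

# Stand-alone run: parse the sample record and print the checklist.
printf '%s\n' "$SAMPLE_AVC" | avc_fields | {
  read -r perm sdom ttype tclass port
  avc_hint "$perm" "$sdom" "$ttype" "$tclass" "$port"
}
```

For the record above this prints that `squid_t` is denied binding port 10161 labelled `snmp_port_t`, followed by the two commands to run. Until the fixed selinux-policy build is installed, `getsebool -a | grep squid` on 38.1.12 will show no boolean covering that port, which is exactly the "missing rule" the Doc Text describes.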

Comment 18 errata-xmlrpc 2023-11-07 08:52:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617