Bug 2160000

Summary: SNMP OIDs 1.3.6.1.2.1.25.3.6 (hrDiskStorageTable) and 1.3.6.1.2.1.25.3.7 (hrPartitionTable) not working with SELinux enforcing
Product: Red Hat Enterprise Linux 8
Reporter: Amey <abetkike>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: medium
Version: 8.7
CC: fkrska, hilary.palmer, lvrabec, mmalik, tmajumde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.14.3-120.el8
Doc Type: No Doc Update
Story Points: ---
Clone Of:
: 2196528
Last Closed: 2023-11-14 15:47:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Amey 2023-01-11 09:56:10 UTC
Description of problem:

The following commands return an empty list with the SELinux targeted policy in enforcing mode:

snmpwalk -v 1 -c public host 1.3.6.1.2.1.25.3.6
snmpwalk -v 1 -c public host 1.3.6.1.2.1.25.3.7

setenforce 0 and retry -> commands work.

Version-Release number of selected component (if applicable):


How reproducible:
- Always

Steps to Reproduce:
- Run snmpwalk on hrDiskStorageTable and hrPartitionTable

Actual results:

- empty list for OIDs 1.3.6.1.2.1.25.3.6 + 1.3.6.1.2.1.25.3.7

Expected results:

- yield value set against OIDs 1.3.6.1.2.1.25.3.6 and 1.3.6.1.2.1.25.3.7


Additional info:

Comment 1 Hil Palmer 2023-01-11 14:23:56 UTC
The following needs to be added to the SELinux rules...

allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow snmpd_t removable_device_t:blk_file { getattr ioctl open read };
By default these are the permissions...

allow snmpd_t fixed_disk_device_t:blk_file getattr;
allow snmpd_t removable_device_t:blk_file getattr;

Comment 2 Josef Ridky 2023-01-11 17:59:29 UTC
Moving to SELINUX engineer.

Comment 5 Milos Malik 2023-05-09 09:26:19 UTC
Caught in permissive mode after removing the dontaudit rules:
----
type=PROCTITLE msg=audit(05/09/2023 05:22:34.222:302) : proctitle=/usr/sbin/snmpd -LS0-6d -f 
type=PATH msg=audit(05/09/2023 05:22:34.222:302) : item=0 name=/dev/sda inode=65179 dev=00:06 mode=block,660 ouid=root ogid=disk rdev=08:00 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/09/2023 05:22:34.222:302) : cwd=/ 
type=SYSCALL msg=audit(05/09/2023 05:22:34.222:302) : arch=aarch64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0xfffffcdb39b0 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=1 ppid=1 pid=20352 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snmpd exe=/usr/sbin/snmpd subj=system_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(05/09/2023 05:22:34.222:302) : avc:  denied  { open } for  pid=20352 comm=snmpd path=/dev/sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 
type=AVC msg=audit(05/09/2023 05:22:34.222:302) : avc:  denied  { read } for  pid=20352 comm=snmpd name=sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 
----
type=PROCTITLE msg=audit(05/09/2023 05:22:34.222:303) : proctitle=/usr/sbin/snmpd -LS0-6d -f 
type=SYSCALL msg=audit(05/09/2023 05:22:34.222:303) : arch=aarch64 syscall=ioctl success=yes exit=0 a0=0x9 a1=0x1260 a2=0xfffffcdb39a8 a3=0x0 items=0 ppid=1 pid=20352 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snmpd exe=/usr/sbin/snmpd subj=system_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(05/09/2023 05:22:34.222:303) : avc:  denied  { ioctl } for  pid=20352 comm=snmpd path=/dev/sda dev="devtmpfs" ino=65179 ioctlcmd=0x1260 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 
----

# rpm -qa selinux\* net-snmp\* | sort
net-snmp-5.8-27.el8.aarch64
net-snmp-agent-libs-5.8-27.el8.aarch64
net-snmp-libs-5.8-27.el8.aarch64
net-snmp-utils-5.8-27.el8.aarch64
selinux-policy-3.14.3-119.el8.noarch
selinux-policy-targeted-3.14.3-119.el8.noarch
#

Comment 6 Milos Malik 2023-05-09 09:35:17 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(05/09/2023 05:26:59.694:306) : proctitle=/usr/sbin/snmpd -LS0-6d -f 
type=PATH msg=audit(05/09/2023 05:26:59.694:306) : item=0 name=/dev/sda inode=65179 dev=00:06 mode=block,660 ouid=root ogid=disk rdev=08:00 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/09/2023 05:26:59.694:306) : cwd=/ 
type=SYSCALL msg=audit(05/09/2023 05:26:59.694:306) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xfffffcdb3a70 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=1 ppid=1 pid=20352 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snmpd exe=/usr/sbin/snmpd subj=system_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(05/09/2023 05:26:59.694:306) : avc:  denied  { read } for  pid=20352 comm=snmpd name=sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0 
----

The configuration file needed some changes to reproduce the issue:

# grep -v -e '^#' -e '^$' /etc/snmp/snmpd.conf 
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
view    systemview    included   .1
access  notConfigGroup ""      any       noauth    exact  systemview none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
dontLogTCPWrappersConnects yes
disk /
includeAllDisks 10%
#

The last 2 lines of the configuration file were added. The "systemview" line was modified.

Reproducer:
# edit the /etc/snmp/snmpd.conf file
# service snmpd start
# snmpwalk -v 1 -c public localhost 1.3.6.1.2.1.25.3.6
# snmpwalk -v 1 -c public localhost 1.3.6.1.2.1.25.3.7
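
An added example (not part of the report or of selinux-policy): a small Python parser that aggregates the AVC records from comments 5 and 6 into allow rules, in the spirit of what audit2allow does, and merges them with the getattr-only rule that comment 1 says the stock policy grants. It reproduces the fixed_disk_device_t rule from comment 1; note that no removable_device_t denial appears in the captured records, so that second rule would not be derived from these logs alone.

```python
import re
from collections import defaultdict

# AVC records copied from comments 5 and 6 of this bug (three from
# permissive mode, one from enforcing mode); constructed sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(05/09/2023 05:22:34.222:302) : avc:  denied  { open } for  pid=20352 comm=snmpd path=/dev/sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(05/09/2023 05:22:34.222:302) : avc:  denied  { read } for  pid=20352 comm=snmpd name=sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(05/09/2023 05:22:34.222:303) : avc:  denied  { ioctl } for  pid=20352 comm=snmpd path=/dev/sda dev="devtmpfs" ino=65179 ioctlcmd=0x1260 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(05/09/2023 05:26:59.694:306) : avc:  denied  { read } for  pid=20352 comm=snmpd name=sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
"""

# Pull the denied permission set, source type, target type and object class
# out of one AVC record; the MLS level after the type is skipped with \S*.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S*\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)

# What the stock policy already allows for this pair, per comment 1.
CURRENT = {("snmpd_t", "fixed_disk_device_t", "blk_file"): {"getattr"}}

def parse_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m["stype"], m["ttype"], m["tclass"])
            needed[key].update(m["perms"].split())
    return needed

def allow_rules(needed):
    """Render each aggregated (source, target, class) entry as an allow rule."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

def merged_rules(needed, current):
    """Union the observed denials with rules already granted and render them."""
    merged = {k: set(v) for k, v in current.items()}
    for k, perms in needed.items():
        merged.setdefault(k, set()).update(perms)
    return allow_rules(merged)

if __name__ == "__main__":
    for rule in merged_rules(parse_denials(SAMPLE_AVCS), CURRENT):
        print(rule)
```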

Comment 18 errata-xmlrpc 2023-11-14 15:47:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091