Bug 2160000

Summary:	SNMP OIDs 1.3.6.1.2.1.25.3.6 (hrDiskStorageTable) and 1.3.6.1.2.1.25.3.7 (hrPartitionTable) not working with SELinux enforcing
Product:	Red Hat Enterprise Linux 8	Reporter:	Amey <abetkike>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	unspecified	Docs Contact:
Priority:	medium
Version:	8.7	CC:	fkrska, hilary.palmer, lvrabec, mmalik, tmajumde
Target Milestone:	rc	Keywords:	AutoVerified, Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.14.3-120.el8	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:
Clones:	2196528 (view as bug list)		Environment:
Last Closed:	2023-11-14 15:47:42 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Amey 2023-01-11 09:56:10 UTC

Description of problem:

Following commands return empty list with SELinux targeted policy  on enforcing mode:

snmpwalk -v 1 -c public host 1.3.6.1.2.1.25.3.6
snmpwalk -v 1 -c public host 1.3.6.1.2.1.25.3.7

setenforce 0 and retry -> commands work.

Version-Release number of selected component (if applicable):


How reproducible:
- Always

Steps to Reproduce:
- Run snmpwalk on hrDiskStorageTable and hrPartitionTable

Actual results:

- empty list for OIDs 1.3.6.1.2.1.25.3.6 + 1.3.6.1.2.1.25.3.7

Expected results:

- yield value set against OIDs 1.3.6.1.2.1.25.3.6 and 1.3.6.1.2.1.25.3.7


Additional info:

Comment 1 Hil Palmer 2023-01-11 14:23:56 UTC

The following needs to be added to the SELinux rules...

allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow snmpd_t removable_device_t:blk_file { getattr ioctl open read };



By default these are the permissions...

allow snmpd_t fixed_disk_device_t:blk_file getattr;
allow snmpd_t removable_device_t:blk_file getattr;

Comment 2 Josef Ridky 2023-01-11 17:59:29 UTC

Moving to SELINUX engineer.

Comment 5 Milos Malik 2023-05-09 09:26:19 UTC

Caught in permissive mode after removing the dontaudit rules:
----
type=PROCTITLE msg=audit(05/09/2023 05:22:34.222:302) : proctitle=/usr/sbin/snmpd -LS0-6d -f 
type=PATH msg=audit(05/09/2023 05:22:34.222:302) : item=0 name=/dev/sda inode=65179 dev=00:06 mode=block,660 ouid=root ogid=disk rdev=08:00 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/09/2023 05:22:34.222:302) : cwd=/ 
type=SYSCALL msg=audit(05/09/2023 05:22:34.222:302) : arch=aarch64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0xfffffcdb39b0 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=1 ppid=1 pid=20352 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snmpd exe=/usr/sbin/snmpd subj=system_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(05/09/2023 05:22:34.222:302) : avc:  denied  { open } for  pid=20352 comm=snmpd path=/dev/sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 
type=AVC msg=audit(05/09/2023 05:22:34.222:302) : avc:  denied  { read } for  pid=20352 comm=snmpd name=sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 
----
type=PROCTITLE msg=audit(05/09/2023 05:22:34.222:303) : proctitle=/usr/sbin/snmpd -LS0-6d -f 
type=SYSCALL msg=audit(05/09/2023 05:22:34.222:303) : arch=aarch64 syscall=ioctl success=yes exit=0 a0=0x9 a1=0x1260 a2=0xfffffcdb39a8 a3=0x0 items=0 ppid=1 pid=20352 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snmpd exe=/usr/sbin/snmpd subj=system_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(05/09/2023 05:22:34.222:303) : avc:  denied  { ioctl } for  pid=20352 comm=snmpd path=/dev/sda dev="devtmpfs" ino=65179 ioctlcmd=0x1260 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1 
----

# rpm -qa selinux\* net-snmp\* | sort
net-snmp-5.8-27.el8.aarch64
net-snmp-agent-libs-5.8-27.el8.aarch64
net-snmp-libs-5.8-27.el8.aarch64
net-snmp-utils-5.8-27.el8.aarch64
selinux-policy-3.14.3-119.el8.noarch
selinux-policy-targeted-3.14.3-119.el8.noarch
#

Comment 6 Milos Malik 2023-05-09 09:35:17 UTC

Caught in enforcing mode:
----
type=PROCTITLE msg=audit(05/09/2023 05:26:59.694:306) : proctitle=/usr/sbin/snmpd -LS0-6d -f 
type=PATH msg=audit(05/09/2023 05:26:59.694:306) : item=0 name=/dev/sda inode=65179 dev=00:06 mode=block,660 ouid=root ogid=disk rdev=08:00 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/09/2023 05:26:59.694:306) : cwd=/ 
type=SYSCALL msg=audit(05/09/2023 05:26:59.694:306) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xfffffcdb3a70 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=1 ppid=1 pid=20352 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snmpd exe=/usr/sbin/snmpd subj=system_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(05/09/2023 05:26:59.694:306) : avc:  denied  { read } for  pid=20352 comm=snmpd name=sda dev="devtmpfs" ino=65179 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0 
----

The configuration file needed some changes to reproduce the issue:

# grep -v -e '^#' -e '^$' /etc/snmp/snmpd.conf 
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
view    systemview    included   .1
access  notConfigGroup ""      any       noauth    exact  systemview none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
dontLogTCPWrappersConnects yes
disk /
includeAllDisks 10%
#

The last 2 lines of the configuration file were added. The "systemview" line was modified.

Reproducer:
# edit the /etc/snmp/snmpd.conf file
# service snmpd start
# snmpwalk -v 1 -c public localhost 1.3.6.1.2.1.25.3.6
# snmpwalk -v 1 -c public localhost 1.3.6.1.2.1.25.3.7

Comment 18 errata-xmlrpc 2023-11-14 15:47:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091