Bug 231130
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | snmpwalk triggers some unexpected access denied | | |
| Product | Red Hat Enterprise Linux 4 | Reporter | Peter Bieringer <pb> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 4.0 | CC | dwalsh |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | Current | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2007-06-21 13:22:48 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Peter Bieringer
2007-03-06 12:35:11 UTC
Forgot to specify version: selinux-policy-targeted-1.17.30-2.141 (regardless of permissive or enforced mode).

FC5 also adds:

    allow snmpd_t sendmail_log_t:dir search;
    allow snmpd_t self:netlink_route_socket create;
    allow snmpd_t self:udp_socket connect;
    allow snmpd_t var_spool_t:dir search;

I'm running in enforcing mode so there could well be more, as snmpd stopped responding after trying to read the netlink route socket.

sealert -l a8cf7b04-93fb-49a5-abbd-97db1cfa786e

    Summary
        SELinux is preventing /usr/sbin/snmpd (snmpd_t) "create" access to <Unknown> (snmpd_t).

    Detailed Description
        SELinux denied access requested by /usr/sbin/snmpd. It is not expected that this
        access is required by /usr/sbin/snmpd and this access may signal an intrusion
        attempt. It is also possible that the specific version or configuration of the
        application is causing it to require additional access. Please file a
        http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

    Allowing Access
        Sometimes labeling problems can cause SELinux denials. You could try to restore
        the default system file context for <Unknown>, restorecon -v <Unknown>. There is
        currently no automatic way to allow this access. Instead, you can generate a local
        policy module to allow this access - see
        http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable
        SELinux protection entirely for the application. Disabling SELinux protection is
        not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
        against this package. Changing the "snmpd_disable_trans" boolean to true will
        disable SELinux protection this application: "setsebool -P snmpd_disable_trans=1."

        The following command will allow this access:
            setsebool -P snmpd_disable_trans=1

    Additional Information:
    Source Context:        user_u:system_r:snmpd_t:s0
    Target Context:        user_u:system_r:snmpd_t:s0
    Target Objects:        None [ netlink_route_socket ]
    Affected RPM Packages: net-snmp-5.3.1-14.fc6 [application]
    Policy RPM:            selinux-policy-2.4.6-54.fc6
    Selinux Enabled:       True
    Policy Type:           targeted
    MLS Enabled:           True
    Enforcing Mode:        Enforcing
    Plugin Name:           plugins.disable_trans
    Host Name:             aix.gdt.id.au
    Platform:              Linux aix.gdt.id.au 2.6.20-1.2944.fc6 #1 SMP Tue Apr 10 18:46:45 EDT 2007 i686 i686
    Alert Count:           23
    Line Numbers:

    Raw Audit Messages:
    avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=25386 scontext=user_u:system_r:snmpd_t:s0 sgid=0 subj=user_u:system_r:snmpd_t:s0 suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0 tty=(none) uid=0

Please do not combine bugs for different versions and different OS. RHEL4, FC5 and FC6 bugs can not be combined.
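Turning the raw AVC message above into a narrowly scoped policy rule, as an added example that is not part of the bug report or of the SELinux tooling: a small Python re-implementation of the step audit2allow performs, run over constructed sample lines (the netlink_route_socket line is the one quoted above; the second, sendmail_log_t dir search line is made up to match the FC5 rule list). It yields `allow snmpd_t self:netlink_route_socket create;` rather than the blanket `snmpd_disable_trans` boolean that sealert offers, which removes confinement from the whole domain.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw AVC message quoted in the bug report above,
# plus a second denial of the kind implied by the "sendmail_log_t:dir search"
# rule in the FC5 list. Neither line is captured from a live system.
SAMPLE_AVC = [
    'avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd" '
    'exit=-13 pid=25386 scontext=user_u:system_r:snmpd_t:s0 '
    'tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="snmpd" pid=25387 name="clientmqueue" '
    'scontext=user_u:system_r:snmpd_t:s0 '
    'tcontext=system_u:object_r:sendmail_log_t:s0 tclass=dir',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after the braces


def context_type(ctx):
    """Type field of a user:role:type[:level] SELinux security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial into (source_type, target_type, tclass, perms) or None."""
    m = PERMS_RE.search(line)
    if not m:
        return None  # not an AVC denial record
    fields = dict(FIELD_RE.findall(line))
    try:
        return (context_type(fields['scontext']), context_type(fields['tcontext']),
                fields['tclass'], set(m.group(1).split()))
    except (KeyError, IndexError):
        return None  # truncated record: refuse to guess a rule for it


def avc_to_allow_rules(lines):
    """Aggregate denials into one minimal TE allow rule per (source, target, class)."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            wanted[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in wanted.items():
        target = 'self' if ttype == stype else ttype  # policy syntax for same-type target
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ %s }' % ' '.join(plist)
        rules.append('allow %s %s:%s %s;' % (stype, target, tclass, perm_str))
    return sorted(rules)
```

`avc_to_allow_rules(SAMPLE_AVC)` returns the two rules; feed the output into a local `.te` module and review each rule against what the daemon is actually expected to do before loading it.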