Bug 231130

Summary: snmpwalk triggers some unexpected access denied
Product: Red Hat Enterprise Linux 4
Reporter: Peter Bieringer <pb>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4.0
CC: dwalsh
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-06-21 13:22:48 UTC

Description Peter Bieringer 2007-03-06 12:35:11 UTC
Description of problem:
Running snmpwalk against an SELinux enabled system triggers some unexpected
access denied messages.

Version-Release number of selected component (if applicable):


How reproducible:
on each snmpwalk

Steps to Reproduce:
1. enable SNMP
2. run snmpwalk -v 1 -c public localhost
  
Actual results:

Mar  2 13:47:01 system audit(1172839621.508:6): avc:  denied  { read write } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.508:7): avc:  denied  { lock } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.515:8): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=usbfs ino=1345 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.515:9): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=selinuxfs ino=184 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:security_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.557:10): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md0 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.559:11): avc:  denied  { search } for pid=23865 comm="snmpd" name="www" dev=md1 ino=18053 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.559:12): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md3 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.561:13): avc:  denied  { search } for pid=23865 comm="snmpd" name="mnt" dev=md1 ino=432865 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mnt_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.561:14): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md4 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mnt_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.563:15): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md7 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.565:16): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md8 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.567:17): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md5 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.569:18): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=binfmt_misc ino=5826 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.571:19): avc:  denied  { search } for pid=23865 comm="snmpd" name="named" dev=md1 ino=96660 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:named_zone_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.571:20): avc:  denied  { search } for pid=23865 comm="snmpd" name="chroot" dev=md1 ino=112318 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:named_conf_t tclass=dir
Mar  2 13:52:30 system audit(1172839950.183:21): avc:  denied  { read write } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:52:30 system audit(1172839950.183:22): avc:  denied  { lock } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:52:30 system audit(1172839950.190:23): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=usbfs ino=1345 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir

Expected results:
No such messages

Additional info:

audit2allow suggests the following additional rules:

allow snmpd_t binfmt_misc_fs_t:dir getattr;
allow snmpd_t boot_t:dir getattr;
allow snmpd_t home_root_t:dir getattr;
allow snmpd_t httpd_sys_content_t:dir { getattr search };
allow snmpd_t mail_spool_t:dir getattr;
allow snmpd_t mnt_t:dir { getattr search };
allow snmpd_t named_conf_t:dir search;
allow snmpd_t named_zone_t:dir search;
allow snmpd_t security_t:dir getattr;
allow snmpd_t tmp_t:dir getattr;
allow snmpd_t usbfs_t:dir getattr;
allow snmpd_t var_run_t:file { lock read write };
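As an added example (not part of the bug report), the following Python script parses AVC denial records of the kind shown above and merges them into audit2allow-style allow rules, making the mapping from the raw denials to the rule list above explicit. The sample records are copied from this report and re-joined onto single lines; the last one is the FC6-format raw audit message from comment 3, whose fields come in a different order and whose target type equals the source type (rendered as `self`, as in comment 2).

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from this report, re-joined onto single
# lines (the original wrapped mid-token). The last record is the FC6-style raw
# audit message from comment 3; its key=value fields are in a different order.
SAMPLE_AVC = """\
Mar  2 13:47:01 system audit(1172839621.508:6): avc:  denied  { read write } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.508:7): avc:  denied  { lock } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.559:11): avc:  denied  { search } for pid=23865 comm="snmpd" name="www" dev=md1 ino=18053 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.559:12): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md3 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd" exit=-13 pid=25386 scontext=user_u:system_r:snmpd_t:s0 subj=user_u:system_r:snmpd_t:s0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0 tty=(none) uid=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield (source type, target type, object class, permissions) for each denial."""
    for line in text.splitlines():
        m = PERMS_RE.search(line)
        if not m:
            continue
        # Everything after the permission set is key=value fields, in any order.
        fields = dict(FIELD_RE.findall(line[m.end():]))
        # A security context is user:role:type[:range]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        yield stype, ttype, fields["tclass"], set(m.group(1).split())

def allow_rules(text):
    """Merge denials into one audit2allow-style rule per (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        # audit2allow writes the target as 'self' when it equals the source type.
        target = "self" if ttype == stype else ttype
        merged[(stype, target, tclass)] |= perms
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AVC)))
```

Run against the full log, the merged output should match what audit2allow printed above; any rule that grants more than the daemon plausibly needs (such as write access to utmp) deserves a look before a local module is built from it.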

Comment 1 Peter Bieringer 2007-03-06 12:36:59 UTC
Forgot to specify version:
selinux-policy-targeted-1.17.30-2.141 (regardless permissive or enforced mode)

Comment 2 Glen Turner 2007-05-02 06:07:23 UTC
FC5 also adds:

allow snmpd_t sendmail_log_t:dir search;
allow snmpd_t self:netlink_route_socket create;
allow snmpd_t self:udp_socket connect;
allow snmpd_t var_spool_t:dir search;

I'm running in enforcing mode so there could well be more, as snmpd stopped
responding after trying to read the netlink route socket.


Comment 3 Glen Turner 2007-05-02 06:09:05 UTC
sealert -l a8cf7b04-93fb-49a5-abbd-97db1cfa786e
Summary
    SELinux is preventing /usr/sbin/snmpd (snmpd_t) "create" access to <Unknown>
    (snmpd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/snmpd. It is not expected that
    this access is required by /usr/sbin/snmpd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "snmpd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P snmpd_disable_trans=1."

    The following command will allow this access:
    setsebool -P snmpd_disable_trans=1

Additional Information:       

Source Context:               user_u:system_r:snmpd_t:s0
Target Context:               user_u:system_r:snmpd_t:s0
Target Objects:               None [ netlink_route_socket ]
Affected RPM Packages:        net-snmp-5.3.1-14.fc6 [application]
Policy RPM:                   selinux-policy-2.4.6-54.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.disable_trans
Host Name:                    aix.gdt.id.au
Platform:                     Linux aix.gdt.id.au 2.6.20-1.2944.fc6 #1 SMP Tue Apr 10 18:46:45 EDT 2007 i686 i686
Alert Count:                  23
Line Numbers:                 

Raw Audit Messages:           

avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=25386 scontext=user_u:system_r:snmpd_t:s0 sgid=0 subj=user_u:system_r:snmpd_t:s0 suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0 tty=(none) uid=0

Comment 4 Daniel Walsh 2007-05-03 14:32:02 UTC
Please do not combine bugs for different versions and different OS.  RHEL4, FC5
and FC6 bugs can not be combined.