Bug 461326

Summary: SELinux is preventing snmpd (snmpd_t) "read" to pipe (crond_t)
Product: Red Hat Enterprise Linux 5
Component: selinux-policy-targeted
Version: 5.2
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Rich Johnson <richard.johnson>
Assignee: Daniel Walsh <dwalsh>
CC: andriusb, bandan.das, cward, dwalsh, jparadis, jsafrane, mkoci, mmalik, robert.evans, syeghiay
Target Milestone: rc
Doc Type: Bug Fix
Last Closed: 2009-01-20 21:30:40 UTC
Bug Blocks: 432518

Description Rich Johnson 2008-09-05 21:46:55 UTC
Description of problem:
  SELinux is preventing snmpd (snmpd_t) "read" to pipe (crond_t) as daemon is restarted during nightly logrotate.


Version-Release number of selected component (if applicable):
  net-snmp & libs: 5.3.1-24.el5_2.1
  selinux-policy-targeted: 2.4.6-137.1.el5_2

How reproducible:


Steps to Reproduce:
1. Enable snmpd logging by creating the file /etc/snmp/snmpd.options with the following content.  (By default snmpd does not write a log file):
  OPTIONS="-Lsd -Lf /var/log/snmpd.log -p /var/run/snmpd.pid -a"

2. Enable and start the snmpd service.  (By default snmpd is not enabled):
  # chkconfig snmpd on
  # service snmpd start

3. (optional for debugging) Add this line to /etc/crontab so that logs are rotated every 5 minutes for debugging purposes:
  */5 * * * * root /usr/bin/logrotate -f /etc/logrotate.conf

  
Actual results:
  AVC denial:
     SELinux is preventing snmpd (snmpd_t) "read" to pipe (crond_t)

Expected results:
  No AVC denials.


Additional info:

Comment 1 Rich Johnson 2008-09-06 17:15:20 UTC
Another anomaly:
 -  snmpd starts up with context  system_u:system_r:snmpd_t  when system boots.
 -  after the logrotate it's running with context user_u:system_r:snmpd_t

I haven't seen any ill effects, but it's odd to see maintenance operations changing process contexts.

Comment 2 Andrius Benokraitis 2008-09-09 21:43:35 UTC
Not sure if the component is net-snmp or selinux-policy-targeted but will go with the latter...

Comment 5 Daniel Walsh 2008-09-11 17:56:21 UTC
Fixed in selinux-policy-2.4.6-155.el5

Comment 11 errata-xmlrpc 2009-01-20 21:30:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
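
A triage helper for the denial reported in this bug and the context change noted in Comment 1, added here as an example and not part of the bug report or of the selinux-policy fix: it parses audit.log AVC records and picks out snmpd_t reads on a pipe labelled crond_t. The log lines are constructed; tclass=fifo_file for "pipe", the :s0 level and the function names are assumptions.

```python
import re

# Constructed audit.log records (not taken from the bug report). They follow the
# standard AVC record layout; tclass=fifo_file for a "pipe" is an assumption.
SAMPLE_LOG = """\
type=AVC msg=audit(1220651100.101:310): avc:  denied  { read } for  pid=2101 comm="snmpd" path="pipe:[48213]" dev=pipefs ino=48213 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:crond_t:s0 tclass=fifo_file
type=AVC msg=audit(1220651100.102:311): avc:  denied  { getattr } for  pid=2150 comm="httpd" path="/var/www/x" dev=sda1 ino=991 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1220651100.101:310): arch=40000003 syscall=11 success=yes exit=0 comm="snmpd"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "perms": m["perms"].split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type[:level]; keep the user and the type.
    for side in ("scontext", "tcontext"):
        parts = (rec.get(side, "").split(":") + ["", "", ""])[:3]
        rec[side + "_user"], rec[side + "_type"] = parts[0], parts[2]
    return rec

def inherited_pipe_denials(log_text, source_type="snmpd_t", target_type="crond_t"):
    """Denials where source_type accesses a pipe labelled with target_type."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["scontext_type"] == source_type
                and rec["tcontext_type"] == target_type
                and rec.get("tclass") == "fifo_file"):
            # Comment 1 saw snmpd as user_u after logrotate, system_u at boot.
            rec["user_differs_from_boot"] = rec["scontext_user"] != "system_u"
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in inherited_pipe_denials(SAMPLE_LOG):
        print(h["comm"], h["perms"], h["path"], h["user_differs_from_boot"])
```

On a real host, pass the contents of the audit log instead of SAMPLE_LOG; an empty result after updating to the policy version named in Comment 5 indicates the denial no longer occurs.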