Bug 523773

Summary: SELinux prevents snmpd from listening on agentx_port_t sockets
Product: Red Hat Enterprise Linux 5
Reporter: Nathan Kinder <nkinder>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.5
CC: dwalsh, mmalik, shaines
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Clone Of: 523516
Last Closed: 2010-03-30 07:50:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 523516

Description Nathan Kinder 2009-09-16 16:10:17 UTC
+++ This bug was initially created as a clone of Bug #523516 +++

If you configure snmpd to listen on tcp or udp for agentx subagents, an AVC similar to the following occurs:

type=AVC msg=audit(1253041370.420:31047): avc:  denied  { name_bind } for  pid=4153 comm="snmpd" src=705 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1253041370.420:31047): arch=c000003e syscall=49 success=no exit=-2037915688 a0=7 a1=7fffd27cbfc0 a2=10 a3=7fffd27cbf8c items=0 ppid=1 pid=4153 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)

The snmpd daemon needs to be able to listen on the agentx port.  It seems that the following should be added to snmp.te:

corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)

--- Additional comment from dwalsh on 2009-09-15 15:34:36 EDT ---

If you say it is legitimate, it is good enough for me.

Miroslav add these lines.

--- Additional comment from nkinder on 2009-09-15 19:33:10 EDT ---

One other thing that I just noticed is that snmptrapd is not allowed to communicate over agentx using a unix domain socket.  We need to add the following in addition to the macros I mentioned above:

    snmp_stream_connect(snmpd_t)

Note that this requires this macro to be available, which it is not on certain Fedora versions.  This would require bug 478629 to be addressed.

--- Additional comment from mgrepl on 2009-09-16 08:40:42 EDT ---

Fixed in selinux-policy-3.6.12-83.fc11.noarch
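
As an added example (not part of this bug report or of the selinux-policy package), the script below parses AVC records of the shape quoted above and derives, for each denial, the raw `allow` rule a policy module would need and, for a `name_bind` denial on a `*_port_t` type, the refpolicy `corenet_<proto>_bind_<name>_port()` interface call that the report proposes instead. It assumes that refpolicy naming convention, uses the report's two audit lines as constructed sample input, and all function names are my own.

```python
import re

# Constructed sample input: the two audit records quoted in the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1253041370.420:31047): avc:  denied  { name_bind } for  pid=4153 comm="snmpd" src=705 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1253041370.420:31047): arch=c000003e syscall=49 success=no exit=-2037915688 a0=7 a1=7fffd27cbfc0 a2=10 a3=7fffd27cbf8c items=0 ppid=1 pid=4153 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
"""

# Header of a type=AVC record; whitespace around "denied" and the braces varies.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": m.group("ts"),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def allow_rule(rec):
    """Raw allow rule covering this denial (the form audit2allow would emit)."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec["scontext"]), context_type(rec["tcontext"]),
        rec["tclass"], " ".join(rec["perms"]))


def corenet_bind_interface(rec):
    """For a name_bind denial on a *_port_t socket, the refpolicy corenet interface
    that grants the same access (preferred over a raw allow in a .te file).
    Assumes the corenet_<proto>_bind_<name>_port naming convention; returns None
    when the denial is not of that shape (e.g. a unix socket connect)."""
    if "name_bind" not in rec["perms"]:
        return None
    if rec.get("tclass") not in ("tcp_socket", "udp_socket"):
        return None
    port_type = context_type(rec["tcontext"])
    if not port_type.endswith("_port_t"):
        return None
    proto = rec["tclass"].split("_")[0]            # "tcp" or "udp"
    port_name = port_type[: -len("_port_t")]       # "agentx_port_t" -> "agentx"
    return "corenet_%s_bind_%s_port(%s)" % (proto, port_name, context_type(rec["scontext"]))


def denials(audit_text):
    """All denied AVC records in an audit log, each paired with the suggested policy lines."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        out.append({"record": rec,
                    "allow": allow_rule(rec),
                    "interface": corenet_bind_interface(rec)})
    return out


if __name__ == "__main__":
    for d in denials(SAMPLE_AUDIT_LOG):
        r = d["record"]
        print("serial %d: %s (pid %s) denied %s on %s" % (
            r["serial"], r["comm"], r["pid"], " ".join(r["perms"]), context_type(r["tcontext"])))
        print("  raw rule:  ", d["allow"])
        print("  interface: ", d["interface"] or "(no corenet interface applies)")
```

For the report's record this yields `allow snmpd_t agentx_port_t:tcp_socket { name_bind };` and `corenet_tcp_bind_agentx_port(snmpd_t)`; a UDP listener would produce the `corenet_udp_bind_agentx_port` line in the same way. The interface form is what belongs in snmp.te, or in a local module (built with `make -f /usr/share/selinux/devel/Makefile` and loaded with `semodule -i`) while a fixed policy package is pending, because it carries the port type's attributes rather than hard-coding one type. Only `denied` records are turned into rules; the `SYSCALL` record is skipped, and a denial with a different shape, such as the unix-domain `snmp_stream_connect` case mentioned in the report, gets a raw rule but no corenet interface.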

Comment 1 Daniel Walsh 2009-09-16 16:25:07 UTC
Fixed in selinux-policy-2.4.6-258.el5

Comment 2 Scott Haines 2009-09-16 17:03:58 UTC
Providing pm_ack.

Comment 9 errata-xmlrpc 2010-03-30 07:50:11 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html