Bug 727150

Summary: selinux prevents rsyslogd from accessing snmpd_var_lib_t
Product: Red Hat Enterprise Linux 6
Reporter: Karel Srot <ksrot>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Karel Srot <ksrot>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-106.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-12-06 10:10:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Karel Srot 2011-08-01 12:48:11 UTC
Description of problem:

rsyslog module omsnmp (sends log messages as SNMP traps) will be added in RHEL6.2 (bz 618488). This functionality doesn't work because selinux prevents rsyslog from accessing /var/lib/net-snmp.

This is fixed with:

# cat mymod.te

module mymod 1.0;

require {
	type snmpd_var_lib_t;
	type syslogd_t;
	class dir { read getattr open search };
	class file { read getattr open };
}

#============= syslogd_t ==============
allow syslogd_t snmpd_var_lib_t:dir { read getattr open search };
allow syslogd_t snmpd_var_lib_t:file { read getattr open };


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch

How reproducible:
always

Steps to Reproduce:
ATM omsnmp.so module is not built as a part of rsyslog package. You need to update rsyslog SPEC file with --enable-snmp to build this module.
After reinstallation of rsyslog configure rsyslog to send snmp traps to snmptrapd.

Actual results:
AVC messages during rsyslog start

Expected results:
no AVC, rsyslog sends traps

Additional info:

# grep -i avc /var/log/audit/audit.log
type=AVC msg=audit(1312202141.511:42582): avc:  denied  { getattr } for  pid=11995 comm="rsyslogd" path="/var/lib/net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.511:42583): avc:  denied  { search } for  pid=11995 comm="rsyslogd" name="net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc:  denied  { read } for  pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc:  denied  { open } for  pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42585): avc:  denied  { read } for  pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42585): avc:  denied  { open } for  pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42586): avc:  denied  { getattr } for  pid=11995 comm="rsyslogd" path="/var/lib/net-snmp/mib_indexes/0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
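The mymod.te module in the description is exactly what audit2allow derives from the AVC records above: one allow rule per (source type, target type, object class), with the union of the denied permissions. As an added example (not part of this report and not Red Hat's tooling), the following Python script performs the same derivation on raw audit.log text so the mapping from denial to rule is visible: it keeps only "denied" AVC records, ignores SYSCALL and "granted" records, merges records that share an audit serial (the 42584 and 42585 pairs above), and renders the .te module. The sample audit lines are constructed from the ones in this report plus two non-matching records; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: the seven denials from this report,
# plus a SYSCALL record and a "granted" AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1312202141.511:42582): arch=c000003e syscall=4 success=no exit=-13 comm="rsyslogd"
type=AVC msg=audit(1312202141.511:42582): avc:  denied  { getattr } for  pid=11995 comm="rsyslogd" path="/var/lib/net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.511:42583): avc:  denied  { search } for  pid=11995 comm="rsyslogd" name="net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc:  denied  { read } for  pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc:  denied  { open } for  pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42585): avc:  denied  { read } for  pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42585): avc:  denied  { open } for  pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42586): avc:  denied  { getattr } for  pid=11995 comm="rsyslogd" path="/var/lib/net-snmp/mib_indexes/0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.600:42590): avc:  granted  { read } for  pid=11995 comm="rsyslogd" path="/var/log/messages" dev=sda4 ino=1 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Match only denied AVC records and pull out the permission set, the source
# and target *types* (third field of the context) and the object class.
AVC_DENIED_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ '
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ '
    r'tclass=(?P<tclass>\w+)'
)


def parse_denials(audit_text):
    """Return {(source_type, target_type, tclass): set(permissions)}.

    Records with the same triple are merged, so the two records sharing
    serial 42584 collapse into one dir rule with both read and open.
    """
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_DENIED_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, granted AVCs, etc. are not policy input
        rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def build_te(module_name, rules, version="1.0"):
    """Render a .te policy module in the same shape as mymod.te above."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms  # require block lists every permission used
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te("mymod", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

The rendered module is compiled and loaded the same way as any local module: `checkmodule -M -m -o mymod.mod mymod.te`, `semodule_package -o mymod.pp -m mymod.mod`, then `semodule -i mymod.pp`. Two caveats worth keeping in mind when doing this on a real host: the generated rules grant exactly the permissions that were observed and nothing more, so re-run the reproducer after loading and check for further denials, and treat a local module as an interim workaround to be removed once the distribution policy (here selinux-policy-3.7.19-106.el6) carries the fix, so that the local rule does not silently outlive the need for it.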

Comment 2 Miroslav Grepl 2011-08-01 13:00:53 UTC
Karel,
good catch. Thanks.

Comment 3 Miroslav Grepl 2011-08-02 06:44:29 UTC
Fixed in selinux-policy-3.7.19-106.el6

Comment 6 Karel Srot 2011-08-22 13:55:52 UTC
I confirm this is fixed with selinux-policy-3.7.19-107.el6.noarch

Comment 8 errata-xmlrpc 2011-12-06 10:10:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html