Bug 745175

Summary: selinux prevents rsyslogd to access /usr/share/snmp/mibs/.index
Product: Red Hat Enterprise Linux 5 Reporter: Karel Srot <ksrot>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Karel Srot <ksrot>
Severity: high Docs Contact:
Priority: high    
Version: 5.7CC: dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-321.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-02-21 05:48:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Karel Srot 2011-10-11 14:48:57 UTC 
Description of problem:

This is needed because of 
Bug 601711 - [RFE] rsyslog - omsnmp module not provided

related RHEL6 bug is 727150

I have configured rsyslog to send snmp traps and I am getting various AVCs, traps are not sent.

In enforcing I got:
type=AVC msg=audit(1318343200.153:85): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.153:86): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.154:87): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318343200.154:88): avc:  denied  { write } for  pid=25191 comm="rsyslogd" name=".index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318343200.194:89): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.194:90): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir


In permissive I got just:
type=AVC msg=audit(1318342916.306:79): avc:  denied  { getattr } for  pid=24565 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318342916.307:80): avc:  denied  { search } for  pid=24565 comm="rsyslogd" name="net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318342916.307:81): avc:  denied  { getattr } for  pid=24565 comm="rsyslogd" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318342916.307:82): avc:  denied  { read } for  pid=24565 comm="rsyslogd" name=".index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=USER_AVC msg=audit(1318343188.106:84): user pid=3435 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice (enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'


I don't know why rsyslog wants the write access - probably it believes that the file is deleted and tries to re-create it. 

I have used following module (without write access) and snmp traps were properly sent:

module mymod 1.0;

require {
	type snmpd_var_lib_t;
	type syslogd_t;
	class dir { getattr search };
	class file { read write getattr };
}

#============= syslogd_t ==============
allow syslogd_t snmpd_var_lib_t:dir { getattr search };
allow syslogd_t snmpd_var_lib_t:file { read getattr };
#allow syslogd_t snmpd_var_lib_t:file { read write getattr };


Version-Release number of selected component (if applicable):
tested with selinux-policy-2.4.6-317.el5
rsyslog-snmp module has to be built manually (update specfile to built this module too)

How reproducible:
always

Steps to Reproduce:
configure rsyslog to sent snmp traps and snmptrapd to receive it 
  
Actual results:
no traps sent

Expected results:
traps are properly delivered

Additional info:
Comment 1 Miroslav Grepl 2011-10-20 14:35:18 UTC 
Fixed in selinux-policy-2.4.6-318.el5
Comment 4 Karel Srot 2011-12-02 12:04:01 UTC 
Mirek,
when running automated test today I got the write denial again.

type=SYSCALL msg=audit(1322825631.187:24): arch=40000003 syscall=5 success=no exit=-13 a0=bff1920c a1=8241 a2=1b6 a3=9431450 items=0 ppid=26267 pid=26268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1322825631.187:24): avc:  denied  { write } for  pid=26268 comm="rsyslogd" name=".index" dev=dm-0 ino=3801430 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file

It seems that rsyslog wants to write to this file. I am not sure whether this access should be allowed or the message don't audited, though.

I was runnin -320 policy where { ioctl read getattr lock } is allowed.

Switching back to ON_QA 'till this is decided. Sorry for confusion.
Comment 5 Daniel Walsh 2011-12-02 13:23:07 UTC 
Probably should dontaudit
Comment 7 Miroslav Grepl 2011-12-15 13:19:32 UTC 
Fixed in selinux-policy-2.4.6-321.el5
Comment 9 errata-xmlrpc 2012-02-21 05:48:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html