Bug 770599

Summary: Snmpd is denied access to the directory dev_snmp6
Product: Fedora
Component: selinux-policy-targeted
Version: 16
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Göran Uddeborg <goeran>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Ben Levenson <benl>
CC: dwalsh, neil, silfreed
Fixed In Version: selinux-policy-3.10.0-71.fc16
Doc Type: Bug Fix
Last Closed: 2012-01-11 06:17:55 UTC

Description Göran Uddeborg 2011-12-27 22:41:27 UTC
Description of problem:
After a recent upgrade, I started to get warnings from setroubleshoot that snmpd tried to read a directory dev_snmp6 in the /proc filesystem, but was denied.  This seems to be a directory that exists for each process and contains information about the various network interfaces.  From the name of the directory, I suspect it would make sense for the SNMP daemon to be able to read it, which is why I assign this bug to selinux-policy and not net-snmp.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-69.fc16.noarch
net-snmp-5.7.1-2.fc16.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install the above packages
2. Start the snmpd daemon
Actual results:
This AVC:

type=AVC msg=audit(1325023495.690:79): avc:  denied  { read } for  pid=887 comm="snmpd" name="dev_snmp6" dev=proc ino=4026532108 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir

Comment 1 Daniel Walsh 2011-12-29 18:01:36 UTC
Looks like this is fixed in selinux-policy-3.10.0-69.fc16

Comment 2 Göran Uddeborg 2011-12-29 20:38:18 UTC
Fixed in selinux-policy-3.10.0-69.fc16?  But that is the one I am using.  The policy was one of the packages I upgraded when this started to happen.  (net-snmp was another one.)

Comment 3 Neil Squires 2011-12-30 22:27:37 UTC
This error message started appearing on my systems running snmpd following an selinux policy update:

selinux-policy.noarch 0:3.10.0-69.fc16
selinux-policy-targeted.noarch 0:3.10.0-69.fc16

That was done at 1:13 am 31 Dec 2011 (+10 UTC).
Dec 31 01:12:38 vpn yum[22133]: Updated: xulrunner-9.0.1-1.fc16.x86_64
Dec 31 01:13:00 vpn yum[22133]: Updated: selinux-policy-3.10.0-69.fc16.noarch
Dec 31 01:13:43 vpn dbus[13079]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[848]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[1921]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[1922]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[848]: [system] Reloaded configuration
Dec 31 01:13:43 vpn dbus-daemon[848]: dbus[848]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus-daemon[848]: dbus[848]: [system] Reloaded configuration
Dec 31 01:13:45 vpn yum[22133]: Updated: selinux-policy-targeted-3.10.0-69.fc16.noarch
Dec 31 01:13:49 vpn yum[22133]: Updated: firefox-9.0.1-1.fc16.x86_64
Dec 31 01:14:06 vpn setroubleshoot: Deleting alert d8292dce-1db6-4425-960a-d82a741a0425, it is allowed in current policy
Dec 31 01:14:07 vpn setroubleshoot: SELinux is preventing /usr/sbin/snmpd from read access on the directory dev_snmp6. For complete SELinux messages. run sealert -l 308fcc56-c752-4bc2-8778-fabf40020b30
 sealert -l 308fcc56-c752-4bc2-8778-fabf40020b30

SELinux is preventing /usr/sbin/snmpd from read access on the directory dev_snmp6.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that snmpd should be allowed read access on the dev_snmp6 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep snmpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Dec 31 03:06:07 vpn setroubleshoot: SELinux is preventing /usr/sbin/snmpd from read access on the directory dev_snmp6. For complete SELinux messages. run sealert -l 308fcc56-c752-4bc2-8778-fabf40020b30

Running the suggested commands creates the .te file

[root@vpn ~]# cat  dev_snmp6.te

module dev_snmp6 1.0;

require {
        type snmpd_t;
        type proc_net_t;
        class dir read;
}

#============= snmpd_t ==============
allow snmpd_t proc_net_t:dir read;

My initial impression is that, as all the servers in my DMZ configured with IPv6 and SNMP have been affected, either snmpd was not previously accessing the IPv6 information or this change was done and tested on an IPv4-only system.
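As an added illustration (not code from this bug report, from net-snmp or from audit2allow), the following Python parses AVC records like the one quoted in the description and reconstructs the require block and allow rule that audit2allow produced in this comment, so the exact access a local module would grant can be reviewed before it is loaded with semodule. The first log line is the AVC from the description; the second is constructed here to show how several denied permissions on the same source/target/class collapse into one rule.

```python
import re
from collections import defaultdict

# First line is the AVC record quoted in the bug report; the second is a
# constructed variant (not from the page) showing a second denied permission.
AUDIT_LOG = """\
type=AVC msg=audit(1325023495.690:79): avc:  denied  { read } for  pid=887 comm="snmpd" name="dev_snmp6" dev=proc ino=4026532108 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1325023495.691:80): avc:  denied  { search } for  pid=887 comm="snmpd" name="dev_snmp6" dev=proc ino=4026532108 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (set of denied permissions, dict of key=value fields) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return set(m.group("perms").split()), fields

def summarize(log):
    """Map (source type, target type, class) -> union of denied permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed:
            perms, f = parsed
            # the type is the third field of user:role:type:level
            key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
            rules[key] |= perms
    return dict(rules)

def fmt_perms(perms):
    """One permission bare, several inside braces, as written in a .te file."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def render_te(name, rules):
    """Render a minimal .te module in the shape audit2allow produced above."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    by_class = defaultdict(set)
    for (_, _, c), perms in rules.items():
        by_class[c] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(by_class.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines)
```

Reviewing the rendered output before running semodule -i shows that the rule grants snmpd_t read on every proc_net_t directory, not only dev_snmp6, which is why a local module is a stopgap and the policy fix in Comment 4 is the real resolution.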

Comment 4 Miroslav Grepl 2012-01-02 09:17:51 UTC
Fixed in selinux-policy-3.10.0-70.fc16

Comment 5 Fedora Update System 2012-01-03 23:47:28 UTC
selinux-policy-3.10.0-71.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-71.fc16

Comment 6 Fedora Update System 2012-01-05 21:07:46 UTC
Package selinux-policy-3.10.0-71.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-71.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0154/selinux-policy-3.10.0-71.fc16
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-01-11 06:17:55 UTC
selinux-policy-3.10.0-71.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.