Bug 814091

Summary: fence-agents are unable to run snmpwalk/snmpget
Product: Red Hat Enterprise Linux 6
Reporter: Marek Grac <mgrac>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: high
Docs Contact:
Priority: high
Version: 6.3
CC: dwalsh, ebenes, jsafrane, ksrot, mmalik, mtruneck, syeghiay
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-154.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 12:33:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Description / Flags):
Cluster.conf / none
Cluster.conf / none
AVCs logged during automated test / none

Description Marek Grac 2012-04-19 08:27:56 UTC
Fence agents in Red Hat Cluster Suite (package fence-agents) can use several different methods to connect to fencing devices. Using telnet/ssh works correctly under SELinux, but some of the agents use SNMP (the utilities snmpwalk/snmpget/snmpset). Please allow fence agents to run these utilities.

type=AVC msg=audit(1334241627.944:249): avc:  denied  { write } for  pid=5144 comm="snmpwalk" name="lib" dev=dm-0 ino=1835010 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1334241628.249:250): avc:  denied  { write } for  pid=5145 comm="snmpget" name="lib" dev=dm-0 ino=1835010 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1334241628.402:251): avc:  denied  { write } for  pid=5146 comm="snmpset" name="lib" dev=dm-0 ino=1835010 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1334241628.631:252): avc:  denied  { write } for  pid=5147 comm="snmpget" name="lib" dev=dm-0 ino=1835010 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1334241628.772:253): avc:  denied  { write } for  pid=5148 comm="snmpset" name="lib" dev=dm-0 ino=1835010 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1334241629.009:254): avc:  denied  { write } for  pid=5149 comm="snmpget" name="lib" dev=dm-0 ino=1835010 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

Comment 1 Daniel Walsh 2012-04-19 18:25:26 UTC
What content/directory are they trying to write in /var/lib?

Comment 2 Miroslav Grepl 2012-04-20 06:26:09 UTC
Also could you re-test it with

# echo "-w /etc/shadow -p w" >> /etc/audit/audit.rules
# service auditd restart
# semanage permissive -a fenced_t

and then attach AVC msgs.

Comment 3 Marek Grac 2012-04-23 14:34:14 UTC
reproducer:
2-node cluster
instructions as in comment #2 on node#1
on node#2; killall -9 corosync

node#1 will automatically run fencing of the other node and fence_apc_snmp will be running in correct context


commands executed from fence_apc_snmp:
---

/usr/bin/snmpwalk -m '' -Oeqn  -v '1' -c 'private' 'XXX:161' '.1.3.6.1.2.1.1.2.0'
.1.3.6.1.2.1.1.2.0 .1.3.6.1.4.1.318.1.3.4.5

Trying APC rPDU
/usr/bin/snmpget -m '' -Oeqn  -v '1' -c 'private' 'XXX:161' '.1.3.6.1.4.1.318.1.1.12.3.5.1.1.4.2'
.1.3.6.1.4.1.318.1.1.12.3.5.1.1.4.2 2

/usr/bin/snmpset -m '' -Oeqn  -v '1' -c 'private' 'XXX:161' '.1.3.6.1.4.1.318.1.1.12.3.3.1.1.4.2' i '1'
.1.3.6.1.4.1.318.1.1.12.3.3.1.1.4.2 1

/usr/bin/snmpget -m '' -Oeqn  -v '1' -c 'private' 'XXX:161' '.1.3.6.1.4.1.318.1.1.12.3.5.1.1.4.2'
.1.3.6.1.4.1.318.1.1.12.3.5.1.1.4.2 1

----
obtained AVC messages:

type=AVC msg=audit(1335191180.860:77): avc:  denied  { read } for  pid=2254 comm="fence_apc_snmp" name="pyconfig-64.h" dev="vda2" ino=131302 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1335191180.860:77): avc:  denied  { open } for  pid=2254 comm="fence_apc_snmp" name="pyconfig-64.h" dev="vda2" ino=131302 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1335191180.860:78): avc:  denied  { getattr } for  pid=2254 comm="fence_apc_snmp" path="/usr/include/python2.7/pyconfig-64.h" dev="vda2" ino=131302 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1335191180.864:79): avc:  denied  { search } for  pid=2254 comm="fence_apc_snmp" name=".local" dev="vda2" ino=16008 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=AVC msg=audit(1335191180.882:80): avc:  denied  { open } for  pid=2254 comm="fence_apc_snmp" name="1" dev="devpts" ino=4 scontext=system_u:system_r:fenced_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1335191180.891:81): avc:  denied  { read } for  pid=2255 comm="snmpwalk" name="cert_indexes" dev="vda2" ino=15735 scontext=system_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1335191180.891:82): avc:  denied  { read } for  pid=2255 comm="snmpwalk" name="0" dev="vda2" ino=18257 scontext=system_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1335191180.891:82): avc:  denied  { open } for  pid=2255 comm="snmpwalk" name="0" dev="vda2" ino=18257 scontext=system_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1335191180.892:83): avc:  denied  { getattr } for  pid=2255 comm="snmpwalk" path="/var/lib/net-snmp/mib_indexes/0" dev="vda2" ino=18257 scontext=system_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

Comment 4 Miroslav Grepl 2012-04-24 08:18:35 UTC
I am adding fixes. The problem is 


/var/lib/net-snmp

is mislabeled.

$ restorecon -R -v /var/lib/net-snmp

How did you create this directory?

Comment 10 Marek Grac 2012-05-17 09:23:16 UTC
Unit test [need 2 computers A,B; each step has to be performed on both nodes]

1. install "basic server"
2a. yum install ricci rgmanager
2b. rpm -Uvh selinux-policy selinux-policy-targeted (latest version)
3. add A,B to /etc/hosts; set /etc/hosts.conf to 'Order hosts,bind'
   3.a -> ping A, ping B; host A, host B = should work on both nodes
4. create cluster.conf (only two nodes and fence_apc_snmp as fence device; nodes do not need to be connected to that device at all)
5. (approx same time at both nodes) setenforce 0; /etc/init.d/iptables stop; /etc/init.d/cman start
    5.a -> clustat = you should see cluster now

6. on node A: killall -9 corosync
7. on node B: copy AVC from /var/log/auditd/audit.log

Comment 11 Marek Grac 2012-05-17 09:31:29 UTC
Results:

type=AVC msg=audit(1337245966.458:36): avc:  denied  { read } for  pid=2154 comm="snmpwalk" name="0" dev=dm-0 ino=142597 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1337245966.458:36): avc:  denied  { open } for  pid=2154 comm="snmpwalk" name="0" dev=dm-0 ino=142597 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1337245966.459:37): avc:  denied  { getattr } for  pid=2154 comm="snmpwalk" path="/var/lib/net-snmp/mib_indexes/0" dev=dm-0 ino=142597 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

--

Directory /var/lib/net-snmp is not created during installation.

Running:
restorecon -R -v /var/lib/net-snmp
reboot
run cluster again (steps 5+)

There are no AVC messages.

Comment 12 Milos Malik 2012-05-17 10:34:02 UTC
That's interesting. The directory is definitely created on my machine during the installation of net-snmp package which owns the directory. And the directory is labelled correctly.

# ls -lR /var/lib/net-snmp/
/var/lib/net-snmp/:
total 12
drwx------. 2 root root 4096 Mar 22 14:10 mib_indexes
-rw-------. 1 root root 1149 May 12 13:31 snmpd.conf
-rw-------. 1 root root  681 May 10 20:26 snmptrapd.conf

/var/lib/net-snmp/mib_indexes:
total 4
-rw-r--r--. 1 root root 2476 May 10 22:43 0
# rm -rf /var/lib/net-snmp/
# yum reinstall net-snmp
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Reinstall Process
Resolving Dependencies
--> Running transaction check
---> Package net-snmp.x86_64 1:5.5-40.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch          Version             Repository              Size
================================================================================
Reinstalling:
 net-snmp        x86_64        1:5.5-40.el6        RHEL-6.3-Server        301 k

Transaction Summary
================================================================================
Reinstall     1 Package(s)

Total download size: 301 k
Installed size: 816 k
Is this ok [y/N]: y
Downloading Packages:
net-snmp-5.5-40.el6.x86_64.rpm                           | 301 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 1:net-snmp-5.5-40.el6.x86_64                                 1/1 
Installed products updated.
  Verifying  : 1:net-snmp-5.5-40.el6.x86_64                                 1/1 

Installed:
  net-snmp.x86_64 1:5.5-40.el6                                                  

Complete!
# ls -lR /var/lib/net-snmp/
/var/lib/net-snmp/:
total 0
# ls -dZ /var/lib/net-snmp/
drwxr-xr-x. root root system_u:object_r:snmpd_var_lib_t:SystemLow /var/lib/net-snmp/
#

Comment 13 Marek Grac 2012-05-17 10:44:45 UTC
I don't have the package net-snmp installed. Relevant installed packages: net-snmp-libs and net-snmp-utils.

Comment 14 Miroslav Grepl 2012-05-17 10:56:11 UTC
So if you remove this directory and run your scenario then the directory exists, right?

Comment 15 Marek Grac 2012-05-17 11:04:29 UTC
Yes, directory is created during fence action.

Comment 16 Jan Safranek 2012-05-17 11:46:50 UTC
Net-SNMP maintainer here.

I am not sure I understand the problem correctly, but /var/lib/net-snmp is created by net-snmp package. If someone uses only net-snmp-libs + net-snmp-utils, it is not created during package installation. If snmpwalk then reads MIB files, it creates the directory (probably with wrong selinux context). Is this the problem you see here?

As a solution, I might move the directory from net-snmp to net-snmp-libs.

Comment 17 Milos Malik 2012-05-17 11:58:18 UTC
(In reply to comment #16)
 
> As a solution, I might move the directory from net-snmp to net-snmp-libs.

That would be great.

Comment 18 Miroslav Grepl 2012-05-17 12:22:34 UTC
Yes, I like this solution.

Comment 19 Miroslav Grepl 2012-05-17 12:29:56 UTC
Any chance to get it to RHEL6.3?

Or do we need to find out how the directory is exactly created?

Comment 22 Karel Srot 2012-05-18 10:43:20 UTC
/var/lib/net-snmp is moved to net-snmp-libs in net-snmp-5.5-41.el6.

Comment 24 Marek Grac 2012-05-21 10:58:22 UTC
Created attachment 585780 [details]
Cluster.conf

Your cluster.conf did not contain the relation between the fencing device and the nodes. A valid cluster.conf is in the attachment.

Comment 25 Marek Grac 2012-05-21 11:00:29 UTC
Created attachment 585781 [details]
Cluster.conf

Your cluster.conf did not contain the relation between the fencing device and the nodes. A valid cluster.conf is in the attachment.

Comment 26 Michal Trunecka 2012-05-22 09:09:17 UTC
Created attachment 585972 [details]
AVCs logged during automated test

We have created an automated test performing the steps described above, and with net-snmp-utils-5.5-41 installed, the AVCs stored in the attachment appeared during the test (in ENFORCING mode).

Comment 27 Miroslav Grepl 2012-05-22 09:16:01 UTC
(In reply to comment #26)
> Created attachment 585972 [details]
> AVCs logged during automated test
> 
> We have created an automated test performing the steps described above, and with
> net-snmp-utils-5.5-41 installed, the AVCs stored in the attachment appeared during
> the test (in ENFORCING mode).

If you get AVC msgs in enforcing mode, I need to see also AVC msgs in permissive mode. Thank you.

Comment 28 Michal Trunecka 2012-05-22 09:18:45 UTC
Only these AVCs showed up in Permissive mode (the test might be affected by the first run):

----
time->Tue May 22 05:06:48 2012
type=SYSCALL msg=audit(1337677608.211:80): arch=c000003e syscall=2 success=yes exit=3 a0=92a0a0 a1=90800 a2=7f2122e62320 a3=0 items=0 ppid=10565 pid=10568 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ccs_config_dump" exe="/usr/sbin/ccs_config_dump" subj=unconfined_u:system_r:corosync_t:s0 key=(null)
type=AVC msg=audit(1337677608.211:80): avc:  denied  { read } for  pid=10568 comm="ccs_config_dump" name="tmp.2GOG8ZUirf" dev=dm-0 ino=1572892 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
----
time->Tue May 22 05:07:40 2012
type=SYSCALL msg=audit(1337677660.802:81): arch=c000003e syscall=2 success=yes exit=4 a0=7fffeb17ca30 a1=241 a2=1b6 a3=0 items=0 ppid=10891 pid=10892 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="snmpwalk" exe="/usr/bin/snmpwalk" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337677660.802:81): avc:  denied  { write } for  pid=10892 comm="snmpwalk" name="0" dev=dm-0 ino=2502037 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1337677660.802:81): avc:  denied  { create } for  pid=10892 comm="snmpwalk" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file

Comment 29 Michal Trunecka 2012-05-22 09:38:20 UTC
Sorry, I found that most of them were caused by changing to a temp directory. So now in Enforcing:

----
time->Tue May 22 05:32:16 2012
type=SYSCALL msg=audit(1337679136.561:133): arch=40000003 syscall=5 success=no exit=-13 a0=bf8c4490 a1=8241 a2=1b6 a3=8db7a0 items=0 ppid=17623 pid=17624 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="snmpwalk" exe="/usr/bin/snmpwalk" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337679136.561:133): avc:  denied  { create } for  pid=17624 comm="snmpwalk" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Tue May 22 05:32:16 2012
type=SYSCALL msg=audit(1337679136.920:134): arch=40000003 syscall=5 success=no exit=-13 a0=bfc017c0 a1=8241 a2=1b6 a3=31e7a0 items=0 ppid=17623 pid=17625 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="snmpget" exe="/usr/bin/snmpget" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337679136.920:134): avc:  denied  { create } for  pid=17625 comm="snmpget" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Tue May 22 05:32:17 2012
type=SYSCALL msg=audit(1337679137.154:135): arch=40000003 syscall=5 success=no exit=-13 a0=bfa77790 a1=8241 a2=1b6 a3=1a77a0 items=0 ppid=17623 pid=17626 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="snmpset" exe="/usr/bin/snmpset" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337679137.154:135): avc:  denied  { create } for  pid=17626 comm="snmpset" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Tue May 22 05:32:17 2012
type=SYSCALL msg=audit(1337679137.474:136): arch=40000003 syscall=5 success=no exit=-13 a0=bfaaa3e0 a1=8241 a2=1b6 a3=b007a0 items=0 ppid=17623 pid=17627 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="snmpget" exe="/usr/bin/snmpget" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337679137.474:136): avc:  denied  { create } for  pid=17627 comm="snmpget" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Tue May 22 05:32:17 2012
type=SYSCALL msg=audit(1337679137.704:137): arch=40000003 syscall=5 success=no exit=-13 a0=bfd5cab0 a1=8241 a2=1b6 a3=8667a0 items=0 ppid=17623 pid=17628 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="snmpset" exe="/usr/bin/snmpset" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337679137.704:137): avc:  denied  { create } for  pid=17628 comm="snmpset" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Tue May 22 05:32:18 2012
type=SYSCALL msg=audit(1337679138.036:138): arch=40000003 syscall=5 success=no exit=-13 a0=bfdc4020 a1=8241 a2=1b6 a3=1ed7a0 items=0 ppid=17623 pid=17629 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="snmpget" exe="/usr/bin/snmpget" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337679138.036:138): avc:  denied  { create } for  pid=17629 comm="snmpget" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file

And in Permissive:

time->Tue May 22 05:34:57 2012
type=SYSCALL msg=audit(1337679297.857:140): arch=40000003 syscall=5 success=yes exit=4 a0=bff3c1c0 a1=8241 a2=1b6 a3=48b7a0 items=0 ppid=18180 pid=18181 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=11 comm="snmpwalk" exe="/usr/bin/snmpwalk" subj=unconfined_u:system_r:fenced_t:s0 key=(null)
type=AVC msg=audit(1337679297.857:140): avc:  denied  { write } for  pid=18181 comm="snmpwalk" name="0" dev=dm-0 ino=1856783 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1337679297.857:140): avc:  denied  { create } for  pid=18181 comm="snmpwalk" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
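
Added example, not part of this bug or of the fence-agents, net-snmp or selinux-policy packages: a small Python triage script for AVC records like the ones in comment 11 and comment 29. It separates the two distinct causes this bug turned up: a target file carrying the generic var_lib_t label instead of snmpd_var_lib_t (a labeling problem on the node, fixed by restorecon as in comment 11) versus a denial on a correctly labeled file (a policy gap, which is what the selinux-policy update addresses, as in comment 29). The sample records are constructed from lines quoted on this page; the expected label snmpd_var_lib_t is taken from the ls -dZ output in comment 12; the allow rule the script renders is only what the sample denials imply, not the rule actually shipped in selinux-policy-3.7.19-154.el6.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from AVC records quoted in this bug (comment 11 and comment 29).
# The first two denials hit a file with the generic var_lib_t label; the next two hit a file
# that already carries the correct snmpd_var_lib_t label. The SYSCALL record is there to show
# that non-AVC lines are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1337245966.458:36): avc:  denied  { read } for  pid=2154 comm="snmpwalk" name="0" dev=dm-0 ino=142597 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1337245966.459:37): avc:  denied  { getattr } for  pid=2154 comm="snmpwalk" path="/var/lib/net-snmp/mib_indexes/0" dev=dm-0 ino=142597 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1337679136.561:133): avc:  denied  { create } for  pid=17624 comm="snmpwalk" name="0" scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1337679297.857:140): avc:  denied  { write } for  pid=18181 comm="snmpwalk" name="0" dev=dm-0 ino=1856783 scontext=unconfined_u:system_r:fenced_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1337679297.857:140): arch=40000003 syscall=5 success=yes exit=4 comm="snmpwalk" exe="/usr/bin/snmpwalk"
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of an SELinux context (user:role:type:level).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def classify(rec, expected_ttype):
    """'mislabel' when the target carries a label other than the one the file should have
    (fix: restorecon); 'policy' when the label is right but the policy still denies access."""
    return "mislabel" if rec["ttype"] != expected_ttype else "policy"


def triage(text, expected_ttype):
    """Group denials by verdict. For policy gaps, aggregate the denied permissions per
    (source type, target type, object class) so the missing rule can be read off directly."""
    result = {"mislabel": [], "policy": defaultdict(set)}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if classify(rec, expected_ttype) == "mislabel":
            result["mislabel"].append((rec["comm"], rec["ttype"], tuple(rec["perms"])))
        else:
            result["policy"][(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return result


def missing_rules(triage_result):
    """Render the policy gaps in allow-rule syntax (what a local policy module would need)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in triage_result["policy"].items()
    )


if __name__ == "__main__":
    r = triage(SAMPLE_AVCS, "snmpd_var_lib_t")
    for comm, ttype, perms in r["mislabel"]:
        print(f"mislabel: {comm} hit {ttype} ({' '.join(perms)}) -> restorecon -R -v /var/lib/net-snmp")
    for rule in missing_rules(r):
        print("policy gap:", rule)
```

On the sample the script reports the two var_lib_t denials as a labeling problem and condenses the two snmpd_var_lib_t denials into a single `allow fenced_t snmpd_var_lib_t:file { create write };` line. That split is the check worth running before filing a policy bug: if every denial goes away after restorecon, the node was mislabeled (here because snmpwalk itself created /var/lib/net-snmp when the net-snmp package was absent); only denials that survive on a correctly labeled file are policy gaps.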

Comment 30 Miroslav Grepl 2012-05-22 09:40:58 UTC
Ok, I am adding fixes.

Comment 34 errata-xmlrpc 2012-06-20 12:33:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html