Bug 839250
| Summary: | service amavisd-snmp restart produces AVCs | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.3 | CC: | dwalsh, mtruneck, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-182.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 08:25:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 881827 | | |
I need to see it also in permissive mode. Here are AVCs seen in permissive mode:
----
time->Wed Jul 11 14:40:42 2012
type=SYSCALL msg=audit(1342010442.624:34814): arch=40000003 syscall=5 success=yes exit=3 a0=855f568 a1=98800 a2=b24074 a3=8540008 items=0 ppid=5399 pid=5400 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010442.624:34814): avc: denied { open } for pid=5400 comm="amavisd-snmp-su" name="active" dev=sda3 ino=8315 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1342010442.624:34814): avc: denied { read } for pid=5400 comm="amavisd-snmp-su" name="active" dev=sda3 ino=8315 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1342010442.624:34814): avc: denied { search } for pid=5400 comm="amavisd-snmp-su" name="postfix" dev=sda3 ino=8314 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
time->Wed Jul 11 14:40:42 2012
type=SYSCALL msg=audit(1342010442.714:34815): arch=40000003 syscall=5 success=yes exit=8 a0=bfe96c80 a1=98800 a2=9412bc a3=887a740 items=0 ppid=1 pid=5406 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010442.714:34815): avc: denied { open } for pid=5406 comm="amavisd-snmp-su" name="mib_indexes" dev=sda3 ino=25252 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1342010442.714:34815): avc: denied { read } for pid=5406 comm="amavisd-snmp-su" name="mib_indexes" dev=sda3 ino=25252 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1342010442.714:34815): avc: denied { search } for pid=5406 comm="amavisd-snmp-su" name="net-snmp" dev=sda3 ino=25240 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Wed Jul 11 14:40:42 2012
type=SYSCALL msg=audit(1342010442.728:34816): arch=40000003 syscall=5 success=yes exit=9 a0=bfe96c80 a1=8000 a2=1b6 a3=92536f items=0 ppid=1 pid=5406 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010442.728:34816): avc: denied { open } for pid=5406 comm="amavisd-snmp-su" name="0" dev=sda3 ino=20057 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1342010442.728:34816): avc: denied { read } for pid=5406 comm="amavisd-snmp-su" name="0" dev=sda3 ino=20057 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Wed Jul 11 14:40:42 2012
type=SYSCALL msg=audit(1342010442.729:34817): arch=40000003 syscall=197 success=yes exit=0 a0=9 a1=bfe96998 a2=821ff4 a3=88827a8 items=0 ppid=1 pid=5406 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010442.729:34817): avc: denied { getattr } for pid=5406 comm="amavisd-snmp-su" path="/var/lib/net-snmp/mib_indexes/0" dev=sda3 ino=20057 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Wed Jul 11 14:40:43 2012
type=SYSCALL msg=audit(1342010443.190:34818): arch=40000003 syscall=195 success=yes exit=0 a0=88e83f8 a1=bfe96b90 a2=821ff4 a3=88e8409 items=0 ppid=1 pid=5406 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010443.190:34818): avc: denied { getattr } for pid=5406 comm="amavisd-snmp-su" path="/var/lib/net-snmp" dev=sda3 ino=25240 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Wed Jul 11 14:40:43 2012
type=SYSCALL msg=audit(1342010443.199:34819): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=bfe965c0 a2=9412bc a3=88e84e8 items=0 ppid=1 pid=5406 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010443.199:34819): avc: denied { name_connect } for pid=5406 comm="amavisd-snmp-su" dest=705 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
----
time->Wed Jul 11 14:41:43 2012
type=SYSCALL msg=audit(1342010503.723:34821): arch=40000003 syscall=197 success=yes exit=0 a0=8 a1=bfe95a44 a2=821ff4 a3=891dc20 items=0 ppid=1 pid=5406 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010503.723:34821): avc: denied { getattr } for pid=5406 comm="amavisd-snmp-su" path="/var/lib/net-snmp/perl.conf" dev=sda3 ino=20573 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Wed Jul 11 14:41:44 2012
type=SYSCALL msg=audit(1342010504.030:34822): arch=40000003 syscall=5 success=yes exit=3 a0=8af2568 a1=98800 a2=b24074 a3=8ad3008 items=0 ppid=5424 pid=5425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010504.030:34822): avc: denied { open } for pid=5425 comm="amavisd-snmp-su" name="active" dev=sda3 ino=8315 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1342010504.030:34822): avc: denied { read } for pid=5425 comm="amavisd-snmp-su" name="active" dev=sda3 ino=8315 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1342010504.030:34822): avc: denied { search } for pid=5425 comm="amavisd-snmp-su" name="postfix" dev=sda3 ino=8314 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
time->Wed Jul 11 14:41:44 2012
type=SYSCALL msg=audit(1342010504.177:34823): arch=40000003 syscall=5 success=yes exit=8 a0=bf862560 a1=8000 a2=1b6 a3=38636f items=0 ppid=1 pid=5429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010504.177:34823): avc: denied { read } for pid=5429 comm="amavisd-snmp-su" name="perl.conf" dev=sda3 ino=20573 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Wed Jul 11 14:41:43 2012
type=SYSCALL msg=audit(1342010503.723:34820): arch=40000003 syscall=5 success=yes exit=8 a0=bfe95c5c a1=8441 a2=1b6 a3=926b40 items=0 ppid=1 pid=5406 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010503.723:34820): avc: denied { append open } for pid=5406 comm="amavisd-snmp-su" name="perl.conf" dev=sda3 ino=20573 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1342010503.723:34820): avc: denied { create } for pid=5406 comm="amavisd-snmp-su" name="perl.conf" scontext=unconfined_u:system_r:amavis_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1342010503.723:34820): avc: denied { add_name } for pid=5406 comm="amavisd-snmp-su" name="perl.conf" scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1342010503.723:34820): avc: denied { write } for pid=5406 comm="amavisd-snmp-su" name="net-snmp" dev=sda3 ino=25240 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Wed Jul 11 14:42:45 2012
type=SYSCALL msg=audit(1342010565.007:34825): arch=40000003 syscall=10 success=yes exit=0 a0=bf86229c a1=3a22bc a2=3a22bc a3=0 items=0 ppid=1 pid=5429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010565.007:34825): avc: denied { unlink } for pid=5429 comm="amavisd-snmp-su" name="perl.0.conf" dev=sda3 ino=20573 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
time->Wed Jul 11 14:42:45 2012
type=SYSCALL msg=audit(1342010565.007:34824): arch=40000003 syscall=38 success=yes exit=0 a0=bf86229c a1=bf86189c a2=3a22bc a3=29e35a items=0 ppid=1 pid=5429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1342010565.007:34824): avc: denied { rename } for pid=5429 comm="amavisd-snmp-su" name="perl.conf" dev=sda3 ino=20573 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1342010565.007:34824): avc: denied { remove_name } for pid=5429 comm="amavisd-snmp-su" name="perl.conf" dev=sda3 ino=20573 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
I added support for amavisd-snmp.

Fixed in selinux-policy-3.7.19-159.el6

Here is another AVC that was reported during the amavis test:
selinux-policy-3.7.19-162.el6.noarch
selinux-policy-mls-3.7.19-162.el6.noarch
selinux-policy-targeted-3.7.19-162.el6.noarch
----
time->Tue Oct 2 14:41:30 2012
type=PATH msg=audit(1349181690.060:1038): item=0 name="/var/lib/net-snmp/mib_indexes" inode=146046 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0
type=CWD msg=audit(1349181690.060:1038): cwd="/"
type=SYSCALL msg=audit(1349181690.060:1038): arch=c000003e syscall=83 success=no exit=-13 a0=7ffface93800 a1=1c0 a2=ffffffffffffffa8 a3=1e items=1 ppid=1 pid=18820 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=59 comm="amavisd-snmp-su" exe="/usr/bin/perl" subj=system_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(1349181690.060:1038): avc: denied { create } for pid=18820 comm="amavisd-snmp-su" name="mib_indexes" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
The following rule is in the current policy, but the { create } permission is missing:
allow amavis_t snmpd_var_lib_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
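The comment above does by eye what a policy maintainer does for every AVC in this report: read the denied permission set off each record, key it by source type, target type and object class, and compare it with the allow rules already in the policy. The Python below is an added example (it is not part of this bug report, nor of selinux-policy or audit2allow) that performs that comparison over AVC records copied from this bug's comments plus the single allow rule quoted above. The sample input is constructed for the example and trimmed to the fields the parser uses; `audit2allow` is the real tool that produces such rules from a full audit log.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from the comments in this bug.
# The { write } denial is covered by the existing rule below and should be
# filtered out; { create } is the gap the comment points at.
SAMPLE_AVCS = """\
type=AVC msg=audit(1342010442.624:34814): avc: denied { open } for pid=5400 comm="amavisd-snmp-su" name="active" dev=sda3 ino=8315 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1342010442.624:34814): avc: denied { search } for pid=5400 comm="amavisd-snmp-su" name="postfix" dev=sda3 ino=8314 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=AVC msg=audit(1342010503.723:34820): avc: denied { write } for pid=5406 comm="amavisd-snmp-su" name="net-snmp" dev=sda3 ino=25240 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1349181690.060:1038): avc: denied { create } for pid=18820 comm="amavisd-snmp-su" name="mib_indexes" scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1342010503.723:34820): avc: denied { append open } for pid=5406 comm="amavisd-snmp-su" name="perl.conf" dev=sda3 ino=20573 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1342010443.199:34819): avc: denied { name_connect } for pid=5406 comm="amavisd-snmp-su" dest=705 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
"""

# The rule quoted in the comment above (sesearch output format).
EXISTING_RULES = """\
allow amavis_t snmpd_var_lib_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
"""

# Raw (non -i) ausearch format: the permission set, then the two contexts
# and the object class later on the same line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# sesearch prints either a braced permission set or a single bare permission.
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<tclass>\S+)\s*'
    r'(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\S+))\s*;'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avcs(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denied = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
            denied[key].update(m['perms'].split())
    return denied


def parse_rules(text):
    """Collect allowed permissions from sesearch-style allow rules, same key."""
    allowed = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            perms = m['perms'].split() if m['perms'] else [m['perm']]
            allowed[(m['src'], m['tgt'], m['tclass'])].update(perms)
    return allowed


def missing_permissions(denied, allowed):
    """Denied permissions not covered by any existing rule for the same key."""
    return {key: perms - allowed.get(key, set())
            for key, perms in denied.items()
            if perms - allowed.get(key, set())}


def format_rules(missing):
    """Render the gaps as allow rules, sorted so the output is stable."""
    return [f"allow {src} {tgt} : {tclass} {{ {' '.join(sorted(perms))} }} ;"
            for (src, tgt, tclass), perms in sorted(missing.items())]


if __name__ == "__main__":
    gaps = missing_permissions(parse_avcs(SAMPLE_AVCS), parse_rules(EXISTING_RULES))
    print("\n".join(format_rules(gaps)))
```

Run stand-alone, the script reports four gaps; the `snmpd_var_lib_t : dir` entry contains only `create`, because `write` is already in the quoted rule. The output is what a policy author reviews before deciding which denials belong in the domain's policy and which point at a mislabelled file, which is why the sesearch comparison step matters more than the rule rendering.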
Added to selinux-policy-3.7.19-168.el6

That is something new. I just allowed it in Fedora.
1352742a2f224767657eff61504c46fc6576e32a

Fixed in selinux-policy-3.7.19-182.el6
# sesearch -A -s amavis_t -t snmpd_var_lib_t -c sock_file
Found 2 semantic av rules:
allow amavis_t snmpd_var_lib_t : sock_file { write getattr append open } ;
allow antivirus_domain file_type : sock_file getattr ;
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html
Description of problem:

Version-Release number of selected component (if applicable):
amavisd-new-2.6.4-2.el6.noarch
amavisd-new-snmp-2.6.4-2.el6.noarch
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-doc-3.7.19-155.el6_3.noarch
selinux-policy-minimum-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.3 machine
2. service amavisd-snmp restart
3. ausearch -m avc -ts recent -i

Actual results:
----
type=SYSCALL msg=audit(07/11/2012 13:26:02.878:34480) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=9082568 a1=98800 a2=b24074 a3=9063008 items=0 ppid=2467 pid=2468 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=1 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(07/11/2012 13:26:02.878:34480) : avc: denied { search } for pid=2468 comm=amavisd-snmp-su name=postfix dev=sda3 ino=8314 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/11/2012 13:26:02.913:34483) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=bfc9eea0 a1=8241 a2=1b6 a3=92a7a0 items=0 ppid=1 pid=2472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(07/11/2012 13:26:02.913:34483) : avc: denied { search } for pid=2472 comm=amavisd-snmp-su name=net-snmp dev=sda3 ino=25240 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/11/2012 13:26:02.973:34491) : arch=i386 syscall=stat64 success=no exit=-13(Permission denied) a0=940bff0 a1=bfc9f140 a2=821ff4 a3=940c001 items=0 ppid=1 pid=2472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(07/11/2012 13:26:02.973:34491) : avc: denied { getattr } for pid=2472 comm=amavisd-snmp-su path=/var/lib/net-snmp dev=sda3 ino=25240 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=SYSCALL msg=audit(07/11/2012 13:26:02.973:34492) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfc9eb70 a2=9412bc a3=940c018 items=0 ppid=1 pid=2472 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=amavisd-snmp-su exe=/usr/bin/perl subj=unconfined_u:system_r:amavis_t:s0 key=(null)
type=AVC msg=audit(07/11/2012 13:26:02.973:34492) : avc: denied { name_connect } for pid=2472 comm=amavisd-snmp-su dest=705 scontext=unconfined_u:system_r:amavis_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
----

Expected results:
* no AVCs