Bug 843443
Summary: | SELinux prevents snmpd (snmpd_t) from writing to /var/run/clumond.sock (ricci_modcluster_var_run_t) | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 5.9 | CC: | dwalsh, jpokorny, ksrot
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Fixed In Version: | selinux-policy-2.4.6-331.el5 | Doc Type: | Bug Fix
: | 849262 | |
Last Closed: | 2013-01-08 03:32:45 UTC | Type: | Bug
Description
Milos Malik
2012-07-26 10:47:13 UTC
The following AVCs appeared in permissive mode:
----
type=PATH msg=audit(07/26/2012 12:52:45.042:183) : item=0 name=(null) inode=66086 dev=03:03 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:ricci_modcluster_var_run_t:s0
type=SOCKETCALL msg=audit(07/26/2012 12:52:45.042:183) : nargs=3 a0=c a1=bfaa8b1a a2=6e
type=SOCKADDR msg=audit(07/26/2012 12:52:45.042:183) : saddr=local /var/run/clumond.sock
type=SYSCALL msg=audit(07/26/2012 12:52:45.042:183) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfaa8ad0 a2=e08710 a3=0 items=1 ppid=1 pid=13698 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=snmpd exe=/usr/sbin/snmpd subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(07/26/2012 12:52:45.042:183) : avc: denied { connectto } for pid=13698 comm=snmpd path=/var/run/clumond.sock scontext=root:system_r:snmpd_t:s0 tcontext=root:system_r:ricci_modclusterd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(07/26/2012 12:52:45.042:183) : avc: denied { write } for pid=13698 comm=snmpd name=clumond.sock dev=hda3 ino=66086 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:ricci_modcluster_var_run_t:s0 tclass=sock_file
----

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

We need to backport fixes from RHEL6 for this.

Fixed in selinux-policy-2.4.6-330.el5

Fixed in selinux-policy-2.4.6-331.el5

Thanks for (even) noticing this and please have a look at something similar for RHEL 6.3 (haven't tested previous minor releases): bug 849262.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0060.html