Bug 849262

Summary: SELinux is preventing /usr/sbin/snmpd (snmpd_t) from write access on the sock_file /var/run/cman_client (corosync_var_run_t)
Product: Red Hat Enterprise Linux 6
Reporter: Jan Pokorný [poki] <jpokorny>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.3
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-160.el6
Doc Type: Bug Fix
Clone Of: 843443
Last Closed: 2013-02-21 08:27:48 UTC
Type: Bug

Description Jan Pokorný [poki] 2012-08-17 21:37:45 UTC
Thanks for noticing bug 843443; this is more or less a clone of it.
I guess the same test/verification, or a subset of it, may apply here.

type=AVC msg=audit(1345224014.609:5754): avc:  denied  { write }
  for  pid=3795 comm="snmpd" name="cman_client"
  dev=vda2 ino=144815
  scontext=unconfined_u:system_r:snmpd_t:s0
  tcontext=unconfined_u:object_r:corosync_var_run_t:s0
  tclass=sock_file 
type=AVC msg=audit(1345224053.239:5756): avc:  denied  { connectto }
  for  pid=3795 comm="snmpd" path="/var/run/cman_client"
  scontext=unconfined_u:system_r:snmpd_t:s0
  tcontext=unconfined_u:system_r:corosync_t:s0
  tclass=unix_stream_socket 
type=SYSCALL msg=audit(1345224053.239:5756):
  arch=c000003e syscall=42 success=yes exit=0
  a0=a a1=7fffdef9cb50 a2=6e a3=60 items=0 ppid=1 pid=3795
  auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
  tty=(none) ses=163 comm="snmpd" exe="/usr/sbin/snmpd"
  subj=unconfined_u:system_r:snmpd_t:s0 key=(null) 


For some reason, I haven't hit this RHEL 5 one:
> SELinux prevents snmpd (snmpd_t) from writing to /var/run/clumond.sock
> (ricci_modcluster_var_run_t)
-- it may already be handled as a side effect of previous changes.


In practice, the difference between enforcing and permissive mode looks like this:

$ snmpwalk -mREDHAT-CLUSTER-MIB -v2c localhost -c public 1.3.6.1.4.1.2312.8
[...]
REDHAT-CLUSTER-MIB::rhcClusterVotesNeededForQuorum.0 = INTEGER: 0
REDHAT-CLUSTER-MIB::rhcClusterVotes.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterQuorate.0 = INTEGER: 0
[...]

vs.

$ snmpwalk -mREDHAT-CLUSTER-MIB -v 2c localhost -c public 1.3.6.1.4.1.2312.8
[...]
REDHAT-CLUSTER-MIB::rhcClusterVotesNeededForQuorum.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterVotes.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterQuorate.0 = INTEGER: 1
[...]

This is caused by the inability of the cluster SNMP agent to access
/var/run/cman_client to get the information about quorum.


# rpm -q selinux-policy selinux-policy-targeted cluster-snmp net-snmp
selinux-policy-3.7.19-154.el6.noarch
selinux-policy-targeted-3.7.19-154.el6.noarch
cluster-snmp-0.16.2-18.el6.x86_64
net-snmp-5.5-41.el6.x86_6

Comment 2 Milos Malik 2012-08-18 19:29:59 UTC
This AVC shows up in enforcing mode:

----
type=PATH msg=audit(08/18/2012 21:07:28.501:32732) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0 
type=SOCKADDR msg=audit(08/18/2012 21:07:28.501:32732) : saddr=local /var/run/cman_client 
type=SOCKETCALL msg=audit(08/18/2012 21:07:28.501:32732) : nargs=3 a0=b a1=bf97119e a2=6e 
type=SYSCALL msg=audit(08/18/2012 21:07:28.501:32732) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bf971160 a2=5da428 a3=21e52d8 items=1 ppid=1 pid=11602 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(08/18/2012 21:07:28.501:32732) : avc:  denied  { write } for  pid=11602 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file 
----

And these AVCs show up in permissive mode:

----
type=PATH msg=audit(08/18/2012 21:26:52.222:32788) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0 
type=SOCKADDR msg=audit(08/18/2012 21:26:52.222:32788) : saddr=local /var/run/cman_client 
type=SOCKETCALL msg=audit(08/18/2012 21:26:52.222:32788) : nargs=3 a0=b a1=bfcab73e a2=6e 
type=SYSCALL msg=audit(08/18/2012 21:26:52.222:32788) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfcab700 a2=94e428 a3=1e7d868 items=1 ppid=1 pid=12231 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc:  denied  { connectto } for  pid=12231 comm=snmpd path=/var/run/cman_client scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc:  denied  { write } for  pid=12231 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file 
----
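
The records quoted in the description and in comment 2 are the same two denials in two formats: raw /var/log/audit/audit.log lines (wrapped across continuation lines) in the description, and interpreted "ausearch -i" output in comment 2. What follows is an added example, not part of this bug report or of selinux-policy: a small Python parser that reads both formats, collapses the denials into the TE allow rules a local policy module would need (the same summary audit2allow produces), and uses the SYSCALL record's success field to tell whether a denial was logged in enforcing mode (connect() failed with EACCES, so only the sock_file write denial appears) or in permissive mode (the call went through, so the follow-on connectto denial is logged as well). The sample records are copied from this bug and abridged; the function names are the example's own.

```python
import re

# Constructed sample, copied from the records quoted in this bug and abridged.
# Records 1-3 are raw audit.log format (continuation lines indented, as in the
# description); records 4-5 are the interpreted "ausearch -i" format of comment 2.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1345224014.609:5754): avc:  denied  { write }
  for  pid=3795 comm="snmpd" name="cman_client"
  dev=vda2 ino=144815
  scontext=unconfined_u:system_r:snmpd_t:s0
  tcontext=unconfined_u:object_r:corosync_var_run_t:s0
  tclass=sock_file
type=AVC msg=audit(1345224053.239:5756): avc:  denied  { connectto }
  for  pid=3795 comm="snmpd" path="/var/run/cman_client"
  scontext=unconfined_u:system_r:snmpd_t:s0
  tcontext=unconfined_u:system_r:corosync_t:s0
  tclass=unix_stream_socket
type=SYSCALL msg=audit(1345224053.239:5756):
  arch=c000003e syscall=42 success=yes exit=0
  a0=a a1=7fffdef9cb50 a2=6e a3=60 items=0 ppid=1 pid=3795
  comm="snmpd" exe="/usr/sbin/snmpd"
  subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=SYSCALL msg=audit(08/18/2012 21:07:28.501:32732) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bf971160 a2=5da428 a3=21e52d8 items=1 ppid=1 pid=11602 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(08/18/2012 21:07:28.501:32732) : avc:  denied  { write } for  pid=11602 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
"""

# Event serial is the number after the last ':' inside msg=audit(...); this works
# for both the raw epoch form and the interpreted date form.
EVENT_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUCCESS_RE = re.compile(r"\bsuccess=(yes|no)\b")


def iter_records(text):
    """Yield one audit record per string, re-joining continuation lines
    (lines that start with whitespace) onto the 'type=' line that began them."""
    record = None
    for line in text.splitlines():
        if line.startswith("type="):
            if record is not None:
                yield record
            record = line.rstrip()
        elif record is not None and line[:1].isspace():
            record += " " + line.strip()
    if record is not None:
        yield record


def parse_avc(record):
    """Return the interesting parts of an AVC denial record, or None for other types."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    # A context is user:role:type:level; only the type matters for a TE rule.
    return {
        "event": EVENT_RE.search(record).group(1),
        "perms": m.group(1).split(),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
    }


def syscall_outcomes(records):
    """Map event serial -> True if that event's syscall succeeded (permissive
    mode, denial only logged) or False if it failed (enforcing mode)."""
    outcomes = {}
    for rec in records:
        if rec.startswith("type=SYSCALL"):
            m = SUCCESS_RE.search(rec)
            if m:
                outcomes[EVENT_RE.search(rec).group(1)] = m.group(1) == "yes"
    return outcomes


def allow_rules(text):
    """Collapse all denials into allow rules keyed by (source type, target type,
    object class), merging permissions the way audit2allow summarises them."""
    wanted = {}
    for rec in iter_records(text):
        avc = parse_avc(rec)
        if avc is None:
            continue
        key = (avc["source"], avc["target"], avc["tclass"])
        wanted.setdefault(key, set()).update(avc["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(wanted.items())]


def summarize(text):
    """One (event, comm, path, perms, mode) tuple per denial; mode is 'unknown'
    when the event's SYSCALL record was not in the input."""
    records = list(iter_records(text))
    outcomes = syscall_outcomes(records)
    report = []
    for rec in records:
        avc = parse_avc(rec)
        if avc is None:
            continue
        mode = {True: "permissive", False: "enforcing"}.get(outcomes.get(avc["event"]), "unknown")
        report.append((avc["event"], avc["comm"], avc["path"], " ".join(avc["perms"]), mode))
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT):
        print("event %s: %s -> %s needs { %s } [%s mode]" % row)
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

The two rules the parser derives (snmpd_t write on corosync_var_run_t:sock_file, snmpd_t connectto on corosync_t:unix_stream_socket) are exactly what the snmpwalk difference in the description comes down to: in enforcing mode the sock_file write denial stops the connect() before the connectto check is ever reached, which is why comment 2 sees only one AVC in enforcing mode but two in permissive mode. Checking the SYSCALL success field is the quick way to confirm that a denial collected from a test box was actually blocking rather than merely audited.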

Comment 3 Miroslav Grepl 2012-08-20 09:57:55 UTC
Added to Fedora. Will backport.

Comment 6 errata-xmlrpc 2013-02-21 08:27:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html