Bug 849262
Summary: | SELinux is preventing /usr/sbin/snmpd (snmpd_t) from write access on the sock_file /var/run/cman_client (corosync_var_run_t) | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Pokorný [poki] <jpokorny> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.3 | CC: | dwalsh, mmalik |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-160.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | 843443 | Environment: | |
Last Closed: | 2013-02-21 08:27:48 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Pokorný [poki]
2012-08-17 21:37:45 UTC
This AVC shows up in enforcing mode: ---- type=PATH msg=audit(08/18/2012 21:07:28.501:32732) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0 type=SOCKADDR msg=audit(08/18/2012 21:07:28.501:32732) : saddr=local /var/run/cman_client type=SOCKETCALL msg=audit(08/18/2012 21:07:28.501:32732) : nargs=3 a0=b a1=bf97119e a2=6e type=SYSCALL msg=audit(08/18/2012 21:07:28.501:32732) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bf971160 a2=5da428 a3=21e52d8 items=1 ppid=1 pid=11602 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null) type=AVC msg=audit(08/18/2012 21:07:28.501:32732) : avc: denied { write } for pid=11602 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file ---- And these AVCs show up in permissive mode: ---- type=PATH msg=audit(08/18/2012 21:26:52.222:32788) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0 type=SOCKADDR msg=audit(08/18/2012 21:26:52.222:32788) : saddr=local /var/run/cman_client type=SOCKETCALL msg=audit(08/18/2012 21:26:52.222:32788) : nargs=3 a0=b a1=bfcab73e a2=6e type=SYSCALL msg=audit(08/18/2012 21:26:52.222:32788) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfcab700 a2=94e428 a3=1e7d868 items=1 ppid=1 pid=12231 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null) type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc: denied { connectto } for pid=12231 comm=snmpd path=/var/run/cman_client scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc: denied { write } for pid=12231 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file ---- Added to Fedora. Will backport. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html |