Bug 922028

Summary: SELinux prevents snmptthandler from writing into /var/spool/snmptt/ directory
Product: Red Hat Enterprise Linux 6 Reporter: Michal Bruncko <michal.bruncko>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: dwalsh, ebenes, lnovich, mmalik, mtruneck, volker27
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-208.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 10:20:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Bruncko 2013-03-15 12:33:58 UTC 
Description of problem:
Selinux is preventing snmptthandler for making any operations within /var/spool/snmptt/ directory.

type=AVC msg=audit(1363348678.674:103900): avc:  denied  { write } for  pid=5399 comm="snmptthandler" name="snmptt" dev=dm-5 ino=3021 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1363348678.674:103900): avc:  denied  { add_name } for  pid=5399 comm="snmptthandler" name="#snmptt-trap-1363348678675183" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=AVC msg=audit(1363348678.674:103900): avc:  denied  { create } for  pid=5399 comm="snmptthandler" name="#snmptt-trap-1363348678675183" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1363348678.674:103900): avc:  denied  { write open } for  pid=5399 comm="snmptthandler" name="#snmptt-trap-1363348678675183" dev=dm-5 ino=1160 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1363348678.674:103900): arch=c000003e syscall=2 success=yes exit=8 a0=f41f80 a1=241 a2=1b6 a3=7fcbb984dc10 items=0 ppid=5398 pid=5399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmptthandler" exe="/usr/bin/perl" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1363348678.675:103901): avc:  denied  { ioctl } for  pid=5399 comm="snmptthandler" path="/var/spool/snmptt/#snmptt-trap-1363348678675183" dev=dm-5 ino=1160 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1363348678.675:103901): arch=c000003e syscall=16 success=no exit=-25 a0=8 a1=5401 a2=7fff1890c4f0 a3=48 items=0 ppid=5398 pid=5399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmptthandler" exe="/usr/bin/perl" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1363348678.675:103902): avc:  denied  { getattr } for  pid=5399 comm="snmptthandler" path="/var/spool/snmptt/#snmptt-trap-1363348678675183" dev=dm-5 ino=1160 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1363348678.675:103902): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=f1b0a0 a2=f1b0a0 a3=0 items=0 ppid=5398 pid=5399 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmptthandler" exe="/usr/bin/perl" subj=system_u:system_r:snmpd_t:s0 key=(null)


[root@watchdog ~]# ll -Z /var/spool/ | grep snmptt
drwxr-xr-x. snmptt snmptt system_u:object_r:var_spool_t:s0 snmptt

#============= snmpd_t ==============
#!!!! The source type 'snmpd_t' can write to a 'dir' of the following types:
# snmpd_var_lib_t, snmpd_var_run_t, usr_t, var_t, var_lib_t, var_run_t, var_log_t, root_t

allow snmpd_t var_spool_t:dir { write add_name };
#!!!! The source type 'snmpd_t' can write to a 'file' of the following types:
# snmpd_var_lib_t, snmpd_var_run_t, snmpd_log_t, root_t

allow snmpd_t var_spool_t:file { write create open ioctl getattr };


-------> no type defined for /var/spool/snmptt/ directory


Version-Release number of selected component (if applicable):
snmptt-1.4-0.6.beta2.el6.noarch
selinux-policy-3.7.19-195.el6_4.3.noarch
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch

How reproducible:
always


thanks
Comment 1 Daniel Walsh 2013-03-15 16:35:38 UTC 
# semanage fcontext -a -t snmpd_var_lib_t '/var/spool/snmptt(/.*)?'
# restorecon -R -v /var/spool

Should fix the problem.

We need to set this up as default labeling.
Comment 2 Daniel Walsh 2013-03-15 16:39:32 UTC 
e22c56cf4ef815b97a767f51e407a5264db3075d fixes this in Rawhide.
Comment 3 Michal Bruncko 2013-03-15 21:49:35 UTC 
Hi Daniel, thanks
did you mean that using snmpd_var_lib_t type for spool /var/spool/snmptt directory is temporary solution and you will create respective type for spool directory (i.e. snmpd_spool_t type)?

thank you
Comment 4 Miroslav Grepl 2013-03-18 13:11:39 UTC 
No, Dan added the labeling to the Fedora policy and I will back port it to the RHEL6.5.
Comment 5 Daniel Walsh 2013-03-19 21:27:27 UTC 
Michal no real reason to, they both have the same security requirements.
Comment 12 errata-xmlrpc 2013-11-21 10:20:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html