Bug 978864

Summary: net-snmp agentXperms chown denied by selinux
Product: Red Hat Enterprise Linux 5 Reporter: Trevor Hemsley <trevor.hemsley>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.9CC: dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-346.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-30 22:25:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Trevor Hemsley 2013-06-27 08:55:35 UTC 
Description of problem:
The agentXperms snmpd.conf directive attempts to chmod the agentx socket and fails due to an avc. Issue identical to https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=556688 but for el5 (and possibly el6?)

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Install net-snmp
2. Include the following in /etc/snmp/snmpd.conf
master agentx
agentXSocket /var/agentx/master
agentXPerms 0660 0555 root asterisk
3. Run `service snmpd restart`


Actual results:
ls -la /var/agentx shows ownership is still root:root and an avc is generated

type=AVC msg=audit(1372321467.050:14571): avc:  denied  { chown } for  pid=2747 comm="snmpd" capability=0 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:system_r:snmpd_t:s0 tclass=capability


Expected results:
Ownership of /var/agentx/master should be as specified in snmpd.conf

Additional info:
Bug already reported and fixed for Fedora 12 it seems.
Comment 2 RHEL Program Management 2013-07-02 08:58:28 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Daniel Walsh 2013-07-02 11:03:46 UTC 
We have this rule in fedora.
Comment 4 Miroslav Grepl 2013-07-03 12:45:16 UTC 
Trevor,
you can allow it using

# grep snmpd_t /var/log/audit/audit.log |audit2allow -M mypol
# semodule -i mypol.pp
Comment 5 Trevor Hemsley 2013-07-03 12:57:01 UTC 
Thanks Miroslav, I've already added a local policy to allow this but given that it was reported and fixed in f12, I figured this should be in the RHEL supplied policy too, hence the bugzilla.
Comment 9 errata-xmlrpc 2013-09-30 22:25:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1312.html