Description of problem: First attachment contains syslog avc output of snmpd start, second attachment the avc output while walking through every supported MIB.

Version-Release number of selected component (if applicable): net-snmp-5.1.1

Additional info: According to audit2allow the following lines need to be added to the policy to allow snmpd to start without any complaints.

allow snmpd_t home_root_t:dir { search };
allow snmpd_t rpm_var_lib_t:dir { search };
allow snmpd_t rpm_var_lib_t:file { getattr };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };

Walking through every supported MIB requires also the following:

allow snmpd_t amanda_dumpdates_t:file { getattr read };
allow snmpd_t apmd_t:dir { search };
allow snmpd_t apmd_t:file { getattr read };
allow snmpd_t cardmgr_t:dir { search };
allow snmpd_t cardmgr_t:file { getattr read };
allow snmpd_t crond_t:dir { search };
allow snmpd_t crond_t:file { getattr read };
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
allow snmpd_t cupsd_t:dir { search };
allow snmpd_t cupsd_t:file { getattr read };
allow snmpd_t dbusd_t:dir { search };
allow snmpd_t dbusd_t:file { getattr read };
allow snmpd_t device_t:blk_file { read write };
allow snmpd_t dhcpc_t:dir { search };
allow snmpd_t dhcpc_t:file { getattr read };
allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl read };
allow snmpd_t fsdaemon_t:dir { search };
allow snmpd_t fsdaemon_t:file { getattr read };
allow snmpd_t getty_t:dir { search };
allow snmpd_t getty_t:file { getattr read };
allow snmpd_t home_root_t:dir { search };
allow snmpd_t init_t:dir { search };
allow snmpd_t init_t:file { getattr read };
allow snmpd_t initrc_t:dir { search };
allow snmpd_t initrc_t:file { getattr read };
allow snmpd_t initrc_var_run_t:file { lock read write };
allow snmpd_t kernel_t:dir { search };
allow snmpd_t kernel_t:file { getattr read };
allow snmpd_t klogd_t:dir { search };
allow snmpd_t klogd_t:file { getattr read };
allow snmpd_t nmbd_t:dir { search };
allow snmpd_t nmbd_t:file { getattr read };
allow snmpd_t ntpd_t:dir { search };
allow snmpd_t ntpd_t:file { getattr read };
allow snmpd_t pam_t:dir { search };
allow snmpd_t pam_t:file { getattr read };
allow snmpd_t postfix_master_t:dir { search };
allow snmpd_t postfix_master_t:file { getattr read };
allow snmpd_t removable_device_t:blk_file { read };
allow snmpd_t rpc_pipefs_t:dir { getattr };
allow snmpd_t rpm_var_lib_t:dir { add_name getattr search write };
allow snmpd_t rpm_var_lib_t:file { create getattr lock read write };
allow snmpd_t smbd_t:dir { search };
allow snmpd_t smbd_t:file { getattr read };
allow snmpd_t snmpd_t:capability { dac_override kill net_admin sys_nice };
allow snmpd_t sshd_t:dir { search };
allow snmpd_t sshd_t:file { getattr read };
allow snmpd_t sysfs_t:dir { getattr search };
allow snmpd_t syslogd_t:dir { search };
allow snmpd_t syslogd_t:file { getattr read };
allow snmpd_t udev_t:dir { search };
allow snmpd_t udev_t:file { getattr read };
allow snmpd_t user_gph_t:dir { search };
allow snmpd_t user_gph_t:file { getattr read };
allow snmpd_t user_screensaver_t:dir { search };
allow snmpd_t user_screensaver_t:file { getattr read };
allow snmpd_t user_ssh_agent_t:dir { search };
allow snmpd_t user_ssh_agent_t:file { getattr read };
allow snmpd_t user_ssh_t:dir { search };
allow snmpd_t user_ssh_t:file { getattr read };
allow snmpd_t user_t:dir { search };
allow snmpd_t user_t:file { getattr read };
allow snmpd_t user_t:process { signull };
allow snmpd_t var_lib_nfs_t:dir { search };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };
allow snmpd_t xdm_t:dir { search };
allow snmpd_t xdm_t:file { getattr read };
allow snmpd_t xdm_xserver_t:dir { search };
allow snmpd_t xdm_xserver_t:file { getattr read };
allow snmpd_t xfs_t:dir { search };
allow snmpd_t xfs_t:file { getattr read };
Created attachment 99106 [details] Log snippet from /var/log/messages on which the audit2allow output is based
Created attachment 99107 [details] Log snippet from /var/log/messages when walking all mibs.
Daniel, could you check if those additions are ok and make sure they get into our policy file? Thanks, Read ya, Phil
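One way to review audit2allow output like the rules above before merging it, as an added example (not part of the bug report or of the Fedora policy): it parses the allow rules and flags permissions and generic target types that call for a dedicated file label or an explicit policy decision rather than a blanket grant. The risk checklist and the list of generic types are assumptions of this example; the sample rules are a subset copied from the report.

```python
import re

# Constructed sample: a subset of the audit2allow rules quoted in the report.
SAMPLE_RULES = """
allow snmpd_t home_root_t:dir { search };
allow snmpd_t var_t:file { append create getattr read rename unlink };
allow snmpd_t device_t:blk_file { read write };
allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl read };
allow snmpd_t snmpd_t:capability { dac_override kill net_admin sys_nice };
allow snmpd_t user_t:process { signull };
allow snmpd_t xfs_t:file { getattr read };
"""

RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{\s*([^}]*?)\s*\}\s*;")

# Hypothetical reviewer checklist (assumed for this example, not from the report):
# (class, permission) pairs a network daemon should not receive just because
# audit2allow printed them.
RISKY_PERMS = {
    ("capability", "dac_override"): "bypasses discretionary file permissions",
    ("capability", "net_admin"): "can reconfigure the network stack",
    ("capability", "kill"): "can signal arbitrary processes",
    ("blk_file", "write"): "raw write access to a block device",
    ("file", "create"): "creates files under a generic type",
    ("file", "unlink"): "deletes files under a generic type",
}
# Generic types: a hit usually means snmpd's own files need a dedicated label
# (file context) instead of a blanket allow on the shared type.
GENERIC_TYPES = {"var_t", "device_t", "var_log_t", "home_root_t"}

def parse_rules(text):
    """Parse 'allow src tgt:class { perms };' rules into (src, tgt, class, perms)."""
    return [(s, t, c, frozenset(p.split())) for s, t, c, p in RULE_RE.findall(text)]

def review(rules):
    """Return {rule header: [finding, ...]} for every rule that needs a decision."""
    findings = {}
    for src, tgt, cls, perms in rules:
        notes = [f"{p}: {RISKY_PERMS[(cls, p)]}"
                 for p in sorted(perms) if (cls, p) in RISKY_PERMS]
        if tgt in GENERIC_TYPES:
            notes.append(f"target {tgt} is a generic type; label snmpd's files instead")
        if notes:
            findings[f"allow {src} {tgt}:{cls}"] = notes
    return findings

def accepted(rules):
    """Rules review() raised nothing about: candidates to take as printed."""
    flagged = review(rules)
    return [f"allow {s} {t}:{c}" for s, t, c, _ in rules
            if f"allow {s} {t}:{c}" not in flagged]
```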
I added a lot of fixes for this in policy-1.10.1-6. Please check it out.
Ok, with policy-1.10.2-1 installed there are fewer avc denied errors. Attached are log snippets and suggestions from audit2allow.
Created attachment 99289 [details] syslog output from starting/stopping snmpd
Created attachment 99290 [details] audit2allow output from starting/stopping snmpd
Created attachment 99291 [details] syslog output from walking the whole tree
Created attachment 99292 [details] audit2allow output from walking the whole tree
Looks great with policy-1.10.2-5, no more avc denieds. Thanks. I'll go ahead and close this as RAWHIDE.