Bug 120025 - selinux policy support
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: net-snmp
rawhide
All Linux
Priority: medium  Severity: medium
Assigned To: Phil Knirsch
: SELinux
Blocks: FC2Target
Reported: 2004-04-05 07:03 EDT by Kaj J. Niemi
Modified: 2015-03-04 20:13 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-04-11 09:44:58 EDT

Attachments
Log snippet from /var/log/messages on which audit2allow is based (3.49 KB, text/plain), 2004-04-05 07:04 EDT, Kaj J. Niemi
Log snippet from /var/log/messages when walking all mibs. (25.55 KB, text/plain), 2004-04-05 07:05 EDT, Kaj J. Niemi
syslog output from starting/stopping snmpd (1.22 KB, text/plain), 2004-04-09 19:48 EDT, Kaj J. Niemi
audit2allow output from starting/stopping snmpd (90 bytes, text/plain), 2004-04-09 19:50 EDT, Kaj J. Niemi
syslog output from walking the whole tree (5.50 KB, text/plain), 2004-04-09 19:54 EDT, Kaj J. Niemi
audit2allow output from walking the whole tree (687 bytes, text/plain), 2004-04-09 19:55 EDT, Kaj J. Niemi

Description Kaj J. Niemi 2004-04-05 07:03:15 EDT
Description of problem:
First attachment contains syslog avc output of snmpd start, second
attachment the avc output while walking through every supported MIB.

Version-Release number of selected component (if applicable):
net-snmp-5.1.1

Additional info:
According to audit2allow the following lines need to be added to the
policy to allow snmpd to start without any complaints.

allow snmpd_t home_root_t:dir { search };
allow snmpd_t rpm_var_lib_t:dir { search };
allow snmpd_t rpm_var_lib_t:file { getattr };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };

Walking through every supported MIB also requires the following:

allow snmpd_t amanda_dumpdates_t:file { getattr read };
allow snmpd_t apmd_t:dir { search };
allow snmpd_t apmd_t:file { getattr read };
allow snmpd_t cardmgr_t:dir { search };
allow snmpd_t cardmgr_t:file { getattr read };
allow snmpd_t crond_t:dir { search };
allow snmpd_t crond_t:file { getattr read };
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
allow snmpd_t cupsd_t:dir { search };
allow snmpd_t cupsd_t:file { getattr read };
allow snmpd_t dbusd_t:dir { search };
allow snmpd_t dbusd_t:file { getattr read };
allow snmpd_t device_t:blk_file { read write };
allow snmpd_t dhcpc_t:dir { search };
allow snmpd_t dhcpc_t:file { getattr read };
allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl read };
allow snmpd_t fsdaemon_t:dir { search };
allow snmpd_t fsdaemon_t:file { getattr read };
allow snmpd_t getty_t:dir { search };
allow snmpd_t getty_t:file { getattr read };
allow snmpd_t home_root_t:dir { search };
allow snmpd_t init_t:dir { search };
allow snmpd_t init_t:file { getattr read };
allow snmpd_t initrc_t:dir { search };
allow snmpd_t initrc_t:file { getattr read };
allow snmpd_t initrc_var_run_t:file { lock read write };
allow snmpd_t kernel_t:dir { search };
allow snmpd_t kernel_t:file { getattr read };
allow snmpd_t klogd_t:dir { search };
allow snmpd_t klogd_t:file { getattr read };
allow snmpd_t nmbd_t:dir { search };
allow snmpd_t nmbd_t:file { getattr read };
allow snmpd_t ntpd_t:dir { search };
allow snmpd_t ntpd_t:file { getattr read };
allow snmpd_t pam_t:dir { search };
allow snmpd_t pam_t:file { getattr read };
allow snmpd_t postfix_master_t:dir { search };
allow snmpd_t postfix_master_t:file { getattr read };
allow snmpd_t removable_device_t:blk_file { read };
allow snmpd_t rpc_pipefs_t:dir { getattr };
allow snmpd_t rpm_var_lib_t:dir { add_name getattr search write };
allow snmpd_t rpm_var_lib_t:file { create getattr lock read write };
allow snmpd_t smbd_t:dir { search };
allow snmpd_t smbd_t:file { getattr read };
allow snmpd_t snmpd_t:capability { dac_override kill net_admin sys_nice };
allow snmpd_t sshd_t:dir { search };
allow snmpd_t sshd_t:file { getattr read };
allow snmpd_t sysfs_t:dir { getattr search };
allow snmpd_t syslogd_t:dir { search };
allow snmpd_t syslogd_t:file { getattr read };
allow snmpd_t udev_t:dir { search };
allow snmpd_t udev_t:file { getattr read };
allow snmpd_t user_gph_t:dir { search };
allow snmpd_t user_gph_t:file { getattr read };
allow snmpd_t user_screensaver_t:dir { search };
allow snmpd_t user_screensaver_t:file { getattr read };
allow snmpd_t user_ssh_agent_t:dir { search };
allow snmpd_t user_ssh_agent_t:file { getattr read };
allow snmpd_t user_ssh_t:dir { search };
allow snmpd_t user_ssh_t:file { getattr read };
allow snmpd_t user_t:dir { search };
allow snmpd_t user_t:file { getattr read };
allow snmpd_t user_t:process { signull };
allow snmpd_t var_lib_nfs_t:dir { search };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };
allow snmpd_t xdm_t:dir { search };
allow snmpd_t xdm_t:file { getattr read };
allow snmpd_t xdm_xserver_t:dir { search };
allow snmpd_t xdm_xserver_t:file { getattr read };
allow snmpd_t xfs_t:dir { search };
allow snmpd_t xfs_t:file { getattr read };
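How rules in the form above are derived from the AVC lines in the log attachments, as an added example that is not part of the bug report or of net-snmp: a small Python reimplementation of the audit2allow aggregation step (same source type, target type and object class merged into one allow rule with the union of the denied permissions), run over constructed syslog lines in the pre-auditd kernel format. The sample lines, the exact record layout and the function names are assumptions, not content taken from the attachments.

```python
import re
from collections import defaultdict

# Constructed sample lines in the pre-auditd syslog format (not from the bug's
# attachments); one "granted" line is included to show it is ignored.
SAMPLE_LOG = """\
Apr  5 13:01:02 host kernel: audit(1081162862.101:0): avc:  denied  { search } for  pid=2201 exe=/usr/sbin/snmpd name=root dev=hda2 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr  5 13:01:02 host kernel: audit(1081162862.102:0): avc:  denied  { getattr } for  pid=2201 exe=/usr/sbin/snmpd path=/var/log/snmpd.log dev=hda2 ino=4711 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_log_t tclass=file
Apr  5 13:01:02 host kernel: audit(1081162862.103:0): avc:  denied  { write } for  pid=2201 exe=/usr/sbin/snmpd path=/var/log/snmpd.log dev=hda2 ino=4711 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_log_t tclass=file
Apr  5 13:01:03 host kernel: audit(1081162863.104:0): avc:  denied  { dac_override } for  pid=2201 exe=/usr/sbin/snmpd capability=1 scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=capability
Apr  5 13:01:03 host kernel: audit(1081162863.105:0): avc:  granted  { search } for  pid=2201 exe=/usr/sbin/snmpd name=lib scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_t tclass=dir
"""

# Pull the permission set, the two security contexts and the object class out
# of a denial; anything that is not an "avc: denied" record is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, class, [perms]) per denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        # The type is the third field of user:role:type[:range].
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), m.group("perms").split()


def audit2allow_rules(log_text):
    """Merge denials that share (source, target, class) into one allow rule
    each, with permissions sorted, in the form audit2allow prints."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(log_text):
        perms_by_key[(stype, ttype, tclass)].update(perms)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms_by_key.items())
    ]


if __name__ == "__main__":
    for rule in audit2allow_rules(SAMPLE_LOG):
        print(rule)
```

Each emitted rule is a candidate rather than a verdict: broad results in the list above such as write access to device_t block files or the dac_override capability are worth checking against what snmpd actually needs before they go into the policy.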
Comment 1 Kaj J. Niemi 2004-04-05 07:04:30 EDT
Created attachment 99106 [details]
Log snippet from /var/log/messages on which audit2allow is based
Comment 2 Kaj J. Niemi 2004-04-05 07:05:26 EDT
Created attachment 99107 [details]
Log snippet from /var/log/messages when walking all mibs.
Comment 3 Phil Knirsch 2004-04-08 10:32:07 EDT
Daniel, could you check if those additions are ok and make sure they
get into our policy file?

Thanks,

Read ya, Phil
Comment 4 Daniel Walsh 2004-04-08 11:55:36 EDT
I added a lot of fixes for this in policy-1.10.1-6

Please check it out.
Comment 5 Kaj J. Niemi 2004-04-09 19:43:51 EDT
Ok, with policy-1.10.2-1 installed there are fewer avc denied errors.
Attached are log snippets and suggestions from audit2allow.
Comment 6 Kaj J. Niemi 2004-04-09 19:48:59 EDT
Created attachment 99289 [details]
syslog output from starting/stopping snmpd
Comment 7 Kaj J. Niemi 2004-04-09 19:50:05 EDT
Created attachment 99290 [details]
audit2allow output from starting/stopping snmpd
Comment 8 Kaj J. Niemi 2004-04-09 19:54:32 EDT
Created attachment 99291 [details]
syslog output from walking the whole tree
Comment 9 Kaj J. Niemi 2004-04-09 19:55:17 EDT
Created attachment 99292 [details]
audit2allow output from walking the whole tree
Comment 10 Kaj J. Niemi 2004-04-11 09:44:58 EDT
Looks great with policy-1.10.2-5, no more avc denieds. Thanks. I'll go
ahead and close this as RAWHIDE.
