Bug 120025 - selinux policy support
Summary: selinux policy support
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: net-snmp
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Phil Knirsch
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC2Target
Reported: 2004-04-05 11:03 UTC by Kaj J. Niemi
Modified: 2015-03-05 01:13 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-11 13:44:58 UTC
Type: ---
Embargoed:


Attachments
Log snippet from /var/log/messages on which audit2allow is based (3.49 KB, text/plain)
2004-04-05 11:04 UTC, Kaj J. Niemi
Log snippet from /var/log/messages when walking all mibs. (25.55 KB, text/plain)
2004-04-05 11:05 UTC, Kaj J. Niemi
syslog output from starting/stopping snmpd (1.22 KB, text/plain)
2004-04-09 23:48 UTC, Kaj J. Niemi
audit2allow output from starting/stopping snmpd (90 bytes, text/plain)
2004-04-09 23:50 UTC, Kaj J. Niemi
syslog output from walking the whole tree (5.50 KB, text/plain)
2004-04-09 23:54 UTC, Kaj J. Niemi
audit2allow output from walking the whole tree (687 bytes, text/plain)
2004-04-09 23:55 UTC, Kaj J. Niemi

Description Kaj J. Niemi 2004-04-05 11:03:15 UTC
Description of problem:
First attachment contains syslog avc output of snmpd start, second
attachment the avc output while walking through every supported MIB.

Version-Release number of selected component (if applicable):
net-snmp-5.1.1

Additional info:
According to audit2allow the following lines need to be added to the
policy to allow snmpd to start without any complaints.

allow snmpd_t home_root_t:dir { search };
allow snmpd_t rpm_var_lib_t:dir { search };
allow snmpd_t rpm_var_lib_t:file { getattr };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };

Walking through every supported MIB also requires the following:

allow snmpd_t amanda_dumpdates_t:file { getattr read };
allow snmpd_t apmd_t:dir { search };
allow snmpd_t apmd_t:file { getattr read };
allow snmpd_t cardmgr_t:dir { search };
allow snmpd_t cardmgr_t:file { getattr read };
allow snmpd_t crond_t:dir { search };
allow snmpd_t crond_t:file { getattr read };
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
allow snmpd_t cupsd_t:dir { search };
allow snmpd_t cupsd_t:file { getattr read };
allow snmpd_t dbusd_t:dir { search };
allow snmpd_t dbusd_t:file { getattr read };
allow snmpd_t device_t:blk_file { read write };
allow snmpd_t dhcpc_t:dir { search };
allow snmpd_t dhcpc_t:file { getattr read };
allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl read };
allow snmpd_t fsdaemon_t:dir { search };
allow snmpd_t fsdaemon_t:file { getattr read };
allow snmpd_t getty_t:dir { search };
allow snmpd_t getty_t:file { getattr read };
allow snmpd_t home_root_t:dir { search };
allow snmpd_t init_t:dir { search };
allow snmpd_t init_t:file { getattr read };
allow snmpd_t initrc_t:dir { search };
allow snmpd_t initrc_t:file { getattr read };
allow snmpd_t initrc_var_run_t:file { lock read write };
allow snmpd_t kernel_t:dir { search };
allow snmpd_t kernel_t:file { getattr read };
allow snmpd_t klogd_t:dir { search };
allow snmpd_t klogd_t:file { getattr read };
allow snmpd_t nmbd_t:dir { search };
allow snmpd_t nmbd_t:file { getattr read };
allow snmpd_t ntpd_t:dir { search };
allow snmpd_t ntpd_t:file { getattr read };
allow snmpd_t pam_t:dir { search };
allow snmpd_t pam_t:file { getattr read };
allow snmpd_t postfix_master_t:dir { search };
allow snmpd_t postfix_master_t:file { getattr read };
allow snmpd_t removable_device_t:blk_file { read };
allow snmpd_t rpc_pipefs_t:dir { getattr };
allow snmpd_t rpm_var_lib_t:dir { add_name getattr search write };
allow snmpd_t rpm_var_lib_t:file { create getattr lock read write };
allow snmpd_t smbd_t:dir { search };
allow snmpd_t smbd_t:file { getattr read };
allow snmpd_t snmpd_t:capability { dac_override kill net_admin sys_nice };
allow snmpd_t sshd_t:dir { search };
allow snmpd_t sshd_t:file { getattr read };
allow snmpd_t sysfs_t:dir { getattr search };
allow snmpd_t syslogd_t:dir { search };
allow snmpd_t syslogd_t:file { getattr read };
allow snmpd_t udev_t:dir { search };
allow snmpd_t udev_t:file { getattr read };
allow snmpd_t user_gph_t:dir { search };
allow snmpd_t user_gph_t:file { getattr read };
allow snmpd_t user_screensaver_t:dir { search };
allow snmpd_t user_screensaver_t:file { getattr read };
allow snmpd_t user_ssh_agent_t:dir { search };
allow snmpd_t user_ssh_agent_t:file { getattr read };
allow snmpd_t user_ssh_t:dir { search };
allow snmpd_t user_ssh_t:file { getattr read };
allow snmpd_t user_t:dir { search };
allow snmpd_t user_t:file { getattr read };
allow snmpd_t user_t:process { signull };
allow snmpd_t var_lib_nfs_t:dir { search };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };
allow snmpd_t xdm_t:dir { search };
allow snmpd_t xdm_t:file { getattr read };
allow snmpd_t xdm_xserver_t:dir { search };
allow snmpd_t xdm_xserver_t:file { getattr read };
allow snmpd_t xfs_t:dir { search };
allow snmpd_t xfs_t:file { getattr read };

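The rule lists above are audit2allow's distillation of the AVC messages in the two attachments: every `avc: denied` line is reduced to (source type, target type, object class) and the permissions denied for the same triple are merged into one `allow` statement, which is how a single line such as `allow snmpd_t var_t:file { append create getattr read rename unlink };` comes out of many separate denials. The script below is an added illustration, not code from this report, from net-snmp or from audit2allow itself. It performs the same aggregation over a handful of constructed syslog-format AVC lines (the attachments are not reproduced here), and adds a small review step that audit2allow does not have: rules granting process capabilities or write access to device nodes are listed separately, since a line like the report's `allow snmpd_t snmpd_t:capability { dac_override kill net_admin sys_nice };` deserves a maintainer's judgement rather than a copy-and-paste into the policy. The `rules_needing_review` heuristic and its class sets are this example's own choice.

```python
import re
from collections import defaultdict

# Constructed AVC lines in the pre-auditd syslog format used at the time of
# this report; illustrative only, not copied from the bug's attachments.
SAMPLE_LOG = """\
Apr  5 13:01:02 host kernel: audit(1081166462.101:0): avc:  denied  { search } for  pid=2231 exe=/usr/sbin/snmpd name=root dev=hda2 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr  5 13:01:02 host kernel: audit(1081166462.102:0): avc:  denied  { getattr } for  pid=2231 exe=/usr/sbin/snmpd path=/var/log/snmpd.log dev=hda2 ino=4711 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_log_t tclass=file
Apr  5 13:01:02 host kernel: audit(1081166462.103:0): avc:  denied  { write } for  pid=2231 exe=/usr/sbin/snmpd path=/var/log/snmpd.log dev=hda2 ino=4711 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_log_t tclass=file
Apr  5 13:01:03 host kernel: audit(1081166463.001:0): avc:  denied  { net_admin } for  pid=2231 exe=/usr/sbin/snmpd capability=12 scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=capability
Apr  5 13:01:03 host kernel: audit(1081166463.002:0): avc:  denied  { read write } for  pid=2231 exe=/usr/sbin/snmpd name=hda dev=hda2 ino=1234 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file
Apr  5 13:01:04 host kernel: audit(1081166464.000:0): avc:  granted  { search } for  pid=2231 exe=/usr/sbin/snmpd name=var dev=hda2 ino=3 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:var_t tclass=dir
"""

# Only "denied" records matter for policy generation; "granted" ones are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Collect denied permissions per (source type, target type, object class).

    Repeated denials for the same triple are merged into one permission set,
    which is why a single generated rule can carry several permissions.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def allow_rules(denials):
    """Render merged denials as allow rules, sorted the way audit2allow prints them."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(denials.items())
    ]


# Review heuristic added for this example (not an audit2allow feature): rules
# that grant process capabilities or write access to device nodes widen a
# daemon's reach far more than a directory search does, so list them for a
# policy maintainer to weigh before they go into the policy.
BROAD_CLASSES = {"capability", "capability2"}
DEVICE_CLASSES = {"blk_file", "chr_file"}


def rules_needing_review(denials):
    flagged = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        if tclass in BROAD_CLASSES or (tclass in DEVICE_CLASSES and "write" in perms):
            flagged.append(f"{stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }}")
    return flagged


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_LOG)
    print("\n".join(allow_rules(denials)))
    print("\nneeds review:", *rules_needing_review(denials), sep="\n  ")
```

Run as-is, it prints four allow rules in the same shape as the lists above and then the two that touch a capability or a writable block device. Feeding it a real /var/log/messages excerpt from a 2004-era system would work the same way; newer systems log AVCs through auditd with an `audit(...)` prefix of a different form, so the regex is anchored on the `avc: denied { ... }` part that both formats share.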
Comment 1 Kaj J. Niemi 2004-04-05 11:04:30 UTC
Created attachment 99106 [details]
Log snippet from /var/log/messages on which audit2allow is based

Comment 2 Kaj J. Niemi 2004-04-05 11:05:26 UTC
Created attachment 99107 [details]
Log snippet from /var/log/messages when walking all mibs.

Comment 3 Phil Knirsch 2004-04-08 14:32:07 UTC
Daniel, could you check if those additions are ok and make sure they
get into our policy file?

Thanks,

Read ya, Phil

Comment 4 Daniel Walsh 2004-04-08 15:55:36 UTC
I added a lot of fixes for this in policy-1.10.1-6

Please check it out.

Comment 5 Kaj J. Niemi 2004-04-09 23:43:51 UTC
Ok, with policy-1.10.2-1 installed there are fewer avc denied errors.
Attached are log snippets and suggestions from audit2allow.

Comment 6 Kaj J. Niemi 2004-04-09 23:48:59 UTC
Created attachment 99289 [details]
syslog output from starting/stopping snmpd

Comment 7 Kaj J. Niemi 2004-04-09 23:50:05 UTC
Created attachment 99290 [details]
audit2allow output from starting/stopping snmpd

Comment 8 Kaj J. Niemi 2004-04-09 23:54:32 UTC
Created attachment 99291 [details]
syslog output from walking the whole tree

Comment 9 Kaj J. Niemi 2004-04-09 23:55:17 UTC
Created attachment 99292 [details]
audit2allow output from walking the whole tree

Comment 10 Kaj J. Niemi 2004-04-11 13:44:58 UTC
Looks great with policy-1.10.2-5, no more avc denieds. Thanks. I'll go
ahead and close this as RAWHIDE.

