Description of problem:
* this scenario is complicated because it needs the cooperation of multiple packages
* it seems that the piranha-gui service starts httpd, which runs as piranha_web_t; PHP support is enabled by default in the httpd configuration, and the PHP module inside httpd wants to access the /var/lib/net-snmp directory when the php-snmp package is installed

Version-Release number of selected component (if applicable):
httpd-2.2.15-45.el6.x86_64
httpd-tools-2.2.15-45.el6.x86_64
php-snmp-5.3.3-46.el6_6.x86_64
piranha-0.8.6-4.el6_5.2.x86_64
selinux-policy-3.7.19-283.el6.noarch
selinux-policy-doc-3.7.19-283.el6.noarch
selinux-policy-minimum-3.7.19-283.el6.noarch
selinux-policy-mls-3.7.19-283.el6.noarch
selinux-policy-targeted-3.7.19-283.el6.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a RHEL-6.7 machine which runs the targeted policy
2. start the piranha-gui service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PATH msg=audit(11/26/2015 09:04:44.791:382) : item=0 name=/var/lib/net-snmp inode=3512 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(11/26/2015 09:04:44.791:382) : cwd=/
type=SYSCALL msg=audit(11/26/2015 09:04:44.791:382) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f96f2d33f80 a1=0x7fffde0219f0 a2=0x7fffde0219f0 a3=0x12 items=1 ppid=1 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(11/26/2015 09:04:44.791:382) : avc: denied { getattr } for pid=15283 comm=httpd path=/var/lib/net-snmp dev=vda3 ino=3512 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
type=PATH msg=audit(11/26/2015 09:04:44.791:383) : item=0 name=/var/lib/net-snmp/mib_indexes inode=3512 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(11/26/2015 09:04:44.791:383) : cwd=/
type=SYSCALL msg=audit(11/26/2015 09:04:44.791:383) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fffde021ac0 a1=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a2=0x7fffde021add a3=0x0 items=1 ppid=1 pid=15283 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(11/26/2015 09:04:44.791:383) : avc: denied { search } for pid=15283 comm=httpd name=net-snmp dev=vda3 ino=3512 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----

Expected results:
* no SELinux denials
Actual results from another machine (permissive mode):
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.223:328): item=0 name="/var/lib/net-snmp" inode=400635 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.223:328): cwd="/"
type=SYSCALL msg=audit(1448528643.223:328): arch=c000003e syscall=4 success=yes exit=0 a0=7fbdebbc7da0 a1=7ffe5a43bdb0 a2=7ffe5a43bdb0 a3=12 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.223:328): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.225:329): item=0 name="/var/lib/net-snmp/snmp.0.conf" nametype=UNKNOWN
type=CWD msg=audit(1448528643.225:329): cwd="/"
type=SYSCALL msg=audit(1448528643.225:329): arch=c000003e syscall=4 success=no exit=-2 a0=7ffe5a43be40 a1=7ffe5a43bdb0 a2=7ffe5a43bdb0 a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.225:329): avc: denied { search } for pid=30454 comm="httpd" name="net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.225:330): item=0 name="/var/lib/net-snmp/mib_indexes" inode=401260 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.225:330): cwd="/"
type=SYSCALL msg=audit(1448528643.225:330): arch=c000003e syscall=2 success=yes exit=8 a0=7ffe5a43be80 a1=90800 a2=7ffe5a43be9d a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.225:330): avc: denied { open } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1448528643.225:330): avc: denied { read } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=PATH msg=audit(1448528643.226:331): item=0 name="/var/lib/net-snmp/mib_indexes/0" inode=402188 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:snmpd_var_lib_t:s0 nametype=NORMAL
type=CWD msg=audit(1448528643.226:331): cwd="/"
type=SYSCALL msg=audit(1448528643.226:331): arch=c000003e syscall=2 success=yes exit=9 a0=7ffe5a43be80 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.226:331): avc: denied { open } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc: denied { read } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1448528643.226:331): avc: denied { search } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
----
time->Thu Nov 26 04:04:03 2015
type=SYSCALL msg=audit(1448528643.226:332): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7ffe5a43bbc0 a2=7ffe5a43bbc0 a3=0 items=0 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(1448528643.226:332): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp/mib_indexes/0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
----
We have

    optional_policy(`
        snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
        snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
    ')

in RHEL-7.
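The reproduction step "search for SELinux denials" and the RHEL-7 dontaudit comment above fit together once the AVC records are grouped the way audit2allow groups them: by source type, target type and object class, with the denied permissions unioned. The script below is an added example, not code from this bug report or from the selinux-policy package. The sample records are copied from the audit output in this report (one in the interpreted ausearch -i form, the rest in raw audit.log form); the parsing and the rule rendering are this example's own, and the raw allow/dontaudit rules it prints are for reading the denials, not a substitute for the snmp_dontaudit_* interfaces the maintainer quotes.

```python
"""Group SELinux AVC denials by (source type, target type, class) and render
the matching allow or dontaudit TE rules.

Added example: not code from the bug report or the selinux-policy project.
SAMPLE_RECORDS is copied from the report's audit output; everything else is
constructed here.
"""
import re
from collections import defaultdict

# Everything after "avc: denied { perms } for" is a run of key=value fields.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# Values are bare in interpreted output (comm=httpd) and double-quoted in raw
# audit.log lines (comm="httpd"); both forms are accepted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # PATH, CWD, SYSCALL and other record types
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # Some records carry a full path=, others only the last component in name=.
        'object': fields.get('path') or fields.get('name'),
    }


def type_of(context):
    """Extract the SELinux type from a user:role:type:level context string."""
    return context.split(':')[2]


def summarise(lines):
    """Union the denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or not (rec['scontext'] and rec['tcontext'] and rec['tclass']):
            continue  # non-AVC records and truncated AVC lines are skipped
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        groups[key] |= rec['perms']
    return dict(groups)


def as_rules(groups, kind='allow'):
    """Render the groups as TE rules, sorted for stable output.

    kind='dontaudit' silences the log entry without granting the access,
    which is what the RHEL-7 policy does for piranha_web_t here.
    """
    if kind not in ('allow', 'dontaudit'):
        raise ValueError('kind must be allow or dontaudit, got %r' % kind)
    return sorted(
        '%s %s %s:%s { %s };' % (kind, src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in groups.items())


# Copied from the audit output in this report; index 1 is a SYSCALL record
# included to show that non-AVC lines are ignored.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(11/26/2015 09:04:44.791:382) : avc: denied { getattr } for pid=15283 comm=httpd path=/var/lib/net-snmp dev=vda3 ino=3512 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1448528643.223:328): arch=c000003e syscall=4 success=yes exit=0 a0=7fbdebbc7da0 a1=7ffe5a43bdb0 a2=7ffe5a43bdb0 a3=12 items=1 ppid=1 pid=30454 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)',
    'type=AVC msg=audit(1448528643.223:328): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1448528643.225:329): avc: denied { search } for pid=30454 comm="httpd" name="net-snmp" dev=vda1 ino=400635 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1448528643.225:330): avc: denied { open } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1448528643.225:330): avc: denied { read } for pid=30454 comm="httpd" name="mib_indexes" dev=vda1 ino=401260 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1448528643.226:331): avc: denied { open } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1448528643.226:331): avc: denied { read } for pid=30454 comm="httpd" name="0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1448528643.226:332): avc: denied { getattr } for pid=30454 comm="httpd" path="/var/lib/net-snmp/mib_indexes/0" dev=vda1 ino=402188 scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file',
]

if __name__ == '__main__':
    for rule in as_rules(summarise(SAMPLE_RECORDS), kind='dontaudit'):
        print(rule)
```

Running the script prints one dontaudit rule for the dir class and one for the file class, both from piranha_web_t to snmpd_var_lib_t, which is exactly the pair of accesses the quoted snmp_dontaudit_read/write interfaces cover. Feeding the same function the output of `ausearch -m avc` after the policy update is a quick way to confirm that the errata removed these denials rather than merely changed their shape.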
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0763.html