From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041114 Firefox/1.0

Description of problem:
audit(1101340776.038:0): avc: denied { getattr } for pid=6016 exe=/usr/sbin/httpd path=/etc/krb5.conf dev=dm-0 ino=668442 scontext=root:system_r:httpd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
audit(1101341295.339:0): avc: denied { write } for pid=6202 exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.19.4-3

How reproducible:
Always

Steps to Reproduce:
See summary.

Additional info:

Do you have allow_kerberos boolean set? This should be set to allow /etc/krb5.conf to be read?

audit(1101341295.339:0): avc: denied { write } for pid=6202 exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir

This looks like a mislabel of some snmpd directories?

Dan

It seems on by default in the /etc/selinux/targeted/booleans file that you ship.

httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
named_write_master_zones=0
httpd_unified=1
httpd_tty_comm=0
allow_ypbind=0
allow_kerberos=1

> This looks like a mislabel of some snmpd directories?

Well, after the rpm script problems were fixed I ran restorecon on basically everything, so all files should be policy compliant. Where is this file exactly - I can check.

ls -lZ /usr/share/snmp/mibs/.index
-rw-r--r-- root root system_u:object_r:snmpd_var_lib_t /usr/share/snmp/mibs/.index

Ok there is a bug in targeted policy for can_kerberos. I will fix it in tonight's policy.

[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/.index
ls: /usr/share/snmp/mibs/.index: No such file or directory
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/ -d
drwxr-xr-x root root system_u:object_r:usr_t /usr/share/snmp/mibs/
[root@cobra ~]# restorecon /usr/share/snmp/mibs
[root@cobra ~]# ls -lZ /usr/share/snmp/mibs/ -d
drwxr-xr-x root root system_u:object_r:usr_t /usr/share/snmp/mibs/
[root@cobra ~]#

Ok the kerberos problem is solved in selinux-policy-targeted-1.19.7-1.

The second problem can be solved by starting and stopping snmpd. I am not sure of a good way to fix this problem. Basically the .index file does not exist by default and the apache web server tries to write to the directory. If the file exists it has a context of snmpd_var_lib_t and apache is told to ignore it. If it does not exist apache tries to create it and gets an error writing to a usr_t directory.

Dan

Fix confirmed. Starting and stopping snmpd fixes problem, and also produces this:

audit(1101844222.807:0): avc: denied { listen } for pid=2181 exe=/usr/sbin/snmpd lport=199 scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=tcp_socket

selinux-policy-targeted-1.19.8-1 should fix that.
Fix confirmed. Closing...
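
Added example, not part of the original thread: a small parser for the AVC denial lines quoted above that groups denied permissions by source type, target type and object class, which is the view used when deciding between a labeling fix and a policy fix. The field splitting assumes values contain no whitespace, which holds for the three lines in this report.

```python
import re
from collections import defaultdict

# The three denials quoted in this thread, copied verbatim.
SAMPLE_LOG = """\
audit(1101340776.038:0): avc: denied { getattr } for pid=6016 exe=/usr/sbin/httpd path=/etc/krb5.conf dev=dm-0 ino=668442 scontext=root:system_r:httpd_t tcontext=system_u:object_r:krb5_conf_t tclass=file
audit(1101341295.339:0): avc: denied { write } for pid=6202 exe=/usr/sbin/httpd name=mibs dev=dm-0 ino=1119599 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=dir
audit(1101844222.807:0): avc: denied { listen } for pid=2181 exe=/usr/sbin/snmpd lport=199 scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def selinux_type(context):
    """Return the type field of a user:role:type context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after "for"; assumes no whitespace inside values
    kv = dict(t.split("=", 1) for t in m.group("rest").split() if "=" in t)
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "exe": kv.get("exe"),
        "object": kv.get("path") or kv.get("name") or kv.get("lport"),
        "source_type": selinux_type(kv["scontext"]),
        "target_type": selinux_type(kv["tcontext"]),
        "tclass": kv["tclass"],
        # True when a domain is denied access to its own object (e.g. its socket)
        "self": kv["scontext"] == kv["tcontext"],
    }

def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key].update(rec["perms"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```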