From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
Running snmpget against a server running httpd (and "proc httpd 30 5" in the config) reports:

[root@dogwood rrdtool]# snmpget -v 2c mandio.cbs.dk -c library .1.3.6.1.4.1.2021.2.1.3.1 .1.3.6.1.4.1.2021.2.1.4.1 .1.3.6.1.4.1.2021.2.1.5.1
UCD-SNMP-MIB::prMin.1 = INTEGER: 5
UCD-SNMP-MIB::prMax.1 = INTEGER: 30
UCD-SNMP-MIB::prCount.1 = INTEGER: 0

And the server is running httpd:
.....
29475 ?        S      1:12 /usr/sbin/httpd
29476 ?        S      1:59 /usr/sbin/httpd
29477 ?        S      1:44 /usr/sbin/httpd
31041 ?        S      1:02 /usr/sbin/httpd
31042 ?        S      0:41 /usr/sbin/httpd
31043 ?        S      0:38 /usr/sbin/httpd
31511 ?        Ss     0:00 sshd: root@pts/0
31517 pts/0    Ss     0:00 -bash
31591 ?        S      0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a
31806 ?        S      0:09 /usr/sbin/httpd
31921 pts/0    R+     0:00 ps ax
[root@mandio log]#

Version-Release number of selected component (if applicable):
net-snmp-5.1.2-11

How reproducible:
Always

Steps to Reproduce:
1. snmpget -v 2c mandio.cbs.dk -c library .1.3.6.1.4.1.2021.2.1.3.1 .1.3.6.1.4.1.2021.2.1.4.1 .1.3.6.1.4.1.2021.2.1.5.1

Actual Results:
UCD-SNMP-MIB::prMin.1 = INTEGER: 5
UCD-SNMP-MIB::prMax.1 = INTEGER: 30
UCD-SNMP-MIB::prCount.1 = INTEGER: 0

Expected Results:
UCD-SNMP-MIB::prMin.1 = INTEGER: 5
UCD-SNMP-MIB::prMax.1 = INTEGER: 30
UCD-SNMP-MIB::prCount.1 = INTEGER: 23 (some number)

Additional info:
This seems to be an SELinux issue. Can you please try whether this also happens on your system when you have SELinux turned off? E.g. try `setenforce 0` and `service snmpd restart`.
Yes, it seems to be an SELinux problem. After running "setenforce 0" it worked, and it stopped working again after "setenforce 1".
Are you seeing any avc messages in /var/log/messages or /var/log/audit/audit.log? Dan
There are no avc messages in /var/log/messages and I don't have audit running (no /var/log/audit/audit.log file).
Ok, can you update to the selinux policy rpms in U1? They are available in ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u1

Check to see if it works. If not, could you try installing selinux-policy-targeted-sources and running:

cd /etc/selinux/targeted/src/policy
make enableaudit; make load

Then try to cause the problem and see if there are AVC messages.

Dan
Doing:

cd /etc/selinux/targeted/src/policy
make enableaudit; make load

Resulted in:

May 19 16:50:01 mandio kernel: audit(1116514201.474:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=1 dev=proc ino=65538 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=dir

being printed in /var/log/messages.

Also updated to:

policycoreutils-1.18.1-4.3.i386.rpm
setools-1.5.1-5.1.i386.rpm

and did:

cd /etc/selinux/targeted/src/policy
make enableaudit; make load

Reported the same avc error.
Ok, one last thing: do setenforce 0, run snmp and see if it reports any other errors.

Dan
Doing "setenforce 0" resulted in the following on the first run, but any runs after that didn't print anything.

---
May 19 17:22:54 mandio kernel: audit(1116516174.636:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=1 dev=proc ino=65538 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.636:0): avc: denied { read } for pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=65540 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.636:0): avc: denied { getattr } for pid=13916 exe=/usr/sbin/snmpd path=/proc/1/status dev=proc ino=65540 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.639:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=1814 dev=proc ino=118882306 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:syslogd_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.639:0): avc: denied { read } for pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=118882308 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:syslogd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.639:0): avc: denied { getattr } for pid=13916 exe=/usr/sbin/snmpd path=/proc/1814/status dev=proc ino=118882308 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:syslogd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.640:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=1845 dev=proc ino=120913922 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:portmap_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.640:0): avc: denied { read } for pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=120913924 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:portmap_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.641:0): avc: denied { getattr } for pid=13916 exe=/usr/sbin/snmpd path=/proc/1845/status dev=proc ino=120913924 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:portmap_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.642:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=3161 dev=proc ino=207159298 scontext=user_u:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.642:0): avc: denied { read } for pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=207159300 scontext=user_u:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc: denied { getattr } for pid=13916 exe=/usr/sbin/snmpd path=/proc/3161/status dev=proc ino=207159300 scontext=user_u:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=3270 dev=proc ino=214302722 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:ntpd_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc: denied { read } for pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=214302724 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:ntpd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc: denied { getattr } for pid=13916 exe=/usr/sbin/snmpd path=/proc/3270/status dev=proc ino=214302724 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:ntpd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=15085 dev=proc ino=988610562 scontext=user_u:system_r:snmpd_t tcontext=system_u:system_r:unconfined_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc: denied { read } for pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=988610564 scontext=user_u:system_r:snmpd_t tcontext=system_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.643:0): avc: denied { getattr } for pid=13916 exe=/usr/sbin/snmpd path=/proc/15085/status dev=proc ino=988610564 scontext=user_u:system_r:snmpd_t tcontext=system_u:system_r:unconfined_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc: denied { search } for pid=13916 exe=/usr/sbin/snmpd name=16230 dev=proc ino=1063649282 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t tclass=dir
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc: denied { read } for pid=13916 exe=/usr/sbin/snmpd name=status dev=proc ino=1063649284 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t tclass=file
May 19 17:22:54 mandio kernel: audit(1116516174.644:0): avc: denied { getattr } for pid=13916 exe=/usr/sbin/snmpd path=/proc/16230/status dev=proc ino=1063649284 scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:httpd_t tclass=file
----
Ok, I am going to add policy to allow this. The problem is it will take a while to get it into RHEL4/U2. You can set snmpd_disable_trans to disable the snmpd transition for now, if you want this behaviour to work:

setsebool -P snmpd_disable_trans=1
service snmpd restart
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-645.html