2131828 – RHDS SNMP agent fails to start with selinux SELinux errors

Bug 2131828 - RHDS SNMP agent fails to start with selinux SELinux errors

Summary: RHDS SNMP agent fails to start with selinux SELinux errors

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Directory Server
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	11.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	DS11.7
Target Release:	dirsrv-11.7
Assignee:	LDAP Maintainers
QA Contact:	LDAP QA Team
Docs Contact:	Evgenia Martynyuk
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-10-03 20:20 UTC by Marc Sauton
Modified:	2023-07-28 08:51 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	IDMDS-3497	0	None	None	None	2023-07-28 08:51:45 UTC

Description Marc Sauton 2022-10-03 20:20:46 UTC

Description of problem:

The RHDS SNMP agent fails to start with selinux SELinux errors
There are several SELinux definitions that are missing 

Version-Release number of selected component (if applicable):
RHDS-11.5 on RHEL-8.6

How reproducible:
on demand

Steps to Reproduce:

1. Have RHDS-11.5 installed and an instance running with some data

2. for the admin guide to start the SNMP configuration
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/monitoring_ds_using_snmp#doc-wrapper
21.10. Monitoring Directory Server Using SNMP
21.10.4. Setting up an SNMP Agent for Directory Server

An RHDS instance is running:
dsctl m1 status
Instance "m1" is running

SNMP is configured:
systemctl start snmpd
ps ax | egrep "snmp|agent"
  35799 ?        Ss     0:00 /usr/sbin/snmpd -LS0-6d -f


3. 21.10.4. Setting up an SNMP Agent for Directory Server
Start the dirsrv-snmp service:


Actual results:

Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#



Expected results:
yes
see "solution" at the end of "Additional Information"



Additional info:

RHDS-11.5 RHEL-8.6

cat /etc/redhat-release ; uname -a ; rpm -q nss nspr 389-ds-base redhat-ds sssd
Red Hat Enterprise Linux release 8.6 (Ootpa)
Linux m1.example.test 4.18.0-372.9.1.el8.x86_64 #1 SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
nss-3.67.0-7.el8_5.x86_64
nspr-4.32.0-1.el8_4.x86_64
389-ds-base-1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
package redhat-ds is not installed
sssd-2.6.2-3.el8.x86_64
[root@m1 ~]#

yum module info redhat-ds:11 | less
...
Name             : redhat-ds
Stream           : 11 [d][e][a]
Version          : 8060020220328133644
Context          : fd2afb17
Architecture     : x86_64
Profiles         : default [d] [i], legacy, minimal
Default profiles : default
Repo             : dirsrv-11-for-rhel-8-x86_64-rpms
Summary          : Red Hat Directory Server 11.5
Description      : The Red Hat Directory Server is an LDAPv3 compliant server.
Requires         : platform:[el8]
Artifacts        : 389-ds-base-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.src
                 : 389-ds-base-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-debugsource-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-devel-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-legacy-tools-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-legacy-tools-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-libs-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-libs-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-snmp-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : 389-ds-base-snmp-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
                 : cockpit-389-ds-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.noarch
                 : python3-lib389-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.noarch

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled, [a]ctive
(END)


...


systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#


ps ax | egrep "snmp|agent"
  35799 ?        Ss     0:00 /usr/sbin/snmpd -LS0-6d -f
[root@m1 ~]#

snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
->
nothing


less /var/log/messages
...
Oct  3 19:04:36 m1 setroubleshoot[57601]: SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t. For complete SELinux messages run: sealert -l d5ce697b-7ad1-41e8-8c69-0320ed90c703
Oct  3 19:04:36 m1 setroubleshoot[57601]: SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that snmpd should be allowed sys_ptrace access on cap_userns labeled snmpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd#012# semodule -X 300 -i my-snmpd.pp#012
(END)


sealert -l d5ce697b-7ad1-41e8-8c69-0320ed90c703
SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snmpd should be allowed sys_ptrace access on cap_userns labeled snmpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd
MPORTANT ***********************
To make this policy package active, execute:

semodule -i my-snmpd.pp

[root@m1 ~]#


semodule -X 300 -i my-snmpd.pp

Source Context                system_u:system_r:snmpd_t:s0
Target Context                system_u:system_r:snmpd_t:s0
Target Objects                Unknown [ cap_userns ]
Source                        snmpd
Source Path                   /usr/sbin/snmpd
Port                          <Unknown>
Host                          m1.example.test
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     m1.example.test
Platform                      Linux m1.example.test 4.18.0-372.9.1.el8.x86_64 #1
                              SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count                   745
First Seen                    2022-10-03 18:58:32 GMT
Last Seen                     2022-10-03 19:03:40 GMT
Local ID                      d5ce697b-7ad1-41e8-8c69-0320ed90c703

Raw Audit Messages
type=AVC msg=audit(1664823820.832:970): avc:  denied  { sys_ptrace } for  pid=35799 comm="snmpd" capability=19  scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=cap_userns permissive=0


Hash: snmpd,snmpd_t,snmpd_t,cap_userns,sys_ptrace

[root@m1 ~]#

->

ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-snmpd.pp
[root@m1 ~]#


semodule -X 300 -i my-snmpd.pp



systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#

journalctl -xe
Oct 03 19:14:11 m1.example.test systemd[1]: Starting 389 Directory Server SNMP Subagent....
-- Subject: Unit dirsrv-snmp.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit dirsrv-snmp.service has begun starting up.
Oct 03 19:14:11 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.211' (uid=0 pid=851 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using service>
Oct 03 19:14:11 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 03 19:14:13 m1.example.test setroubleshoot[60443]: Deleting alert d5ce697b-7ad1-41e8-8c69-0320ed90c703, it is allowed in current policy
Oct 03 19:14:13 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Cancel pending alarm
Oct 03 19:14:13 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.543' (uid=991 pid=60443 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="syst>
Oct 03 19:14:13 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability. For complete SELinux messages run: sealert -l de96bd1a-58ba-47a9-b2a6-8afe1dd995fb
Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability.

                                                       *****  Plugin dac_override (91.4 confidence) suggests   **********************

                                                       If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
                                                       Then turn on full auditing to get path information about the offending file and generate the error again.
                                                       Do

                                                       Turn on full auditing
                                                       # auditctl -w /etc/shadow -p w
                                                       Try to recreate AVC. Then execute
                                                       # ausearch -m avc -ts recent
                                                       If you see PATH record check ownership/permissions on file, and fix it,
                                                       otherwise report as a bugzilla.

                                                       *****  Plugin catchall (9.59 confidence) suggests   **************************

                                                       If you believe that ldap-agent should have the dac_override capability by default.
                                                       Then you should report this as a bug.
                                                       You can generate a local policy module to allow this access.
                                                       Do
                                                       allow this access for now by executing:
                                                       # ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
                                                       # semodule -X 300 -i my-ldapagent.pp

Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Set alarm timeout to 10
Oct 03 19:14:16 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Cancel pending alarm
...
-- Unit dirsrv-snmp.service has failed.
--
-- The result is failed.
lines 3659-3684/3684 (END)


ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-ldapagent.pp

[root@m1 ~]#


semodule -X 300 -i my-ldapagent.pp


systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#

Oct 03 19:20:11 m1.example.test systemd[1]: Starting 389 Directory Server SNMP Subagent....
-- Subject: Unit dirsrv-snmp.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit dirsrv-snmp.service has begun starting up.
Oct 03 19:20:14 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.211' (uid=0 pid=851 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using service>
Oct 03 19:20:14 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 03 19:20:15 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Cancel pending alarm
Oct 03 19:20:16 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.551' (uid=991 pid=62262 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="syst>
Oct 03 19:20:16 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability. For complete SELinux messages run: sealert -l de96bd1a-58ba-47a9-b2a6-8afe1dd995fb
Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability.

                                                       *****  Plugin dac_override (91.4 confidence) suggests   **********************

                                                       If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
                                                       Then turn on full auditing to get path information about the offending file and generate the error again.
                                                       Do

                                                       Turn on full auditing
                                                       # auditctl -w /etc/shadow -p w
                                                       Try to recreate AVC. Then execute
                                                       # ausearch -m avc -ts recent
                                                       If you see PATH record check ownership/permissions on file, and fix it,
                                                       otherwise report as a bugzilla.

                                                       *****  Plugin catchall (9.59 confidence) suggests   **************************

                                                       If you believe that ldap-agent should have the dac_override capability by default.
                                                       Then you should report this as a bug.
                                                       You can generate a local policy module to allow this access.
                                                       Do
                                                       allow this access for now by executing:
                                                       # ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
                                                       # semodule -X 300 -i my-ldapagent.pp

Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Set alarm timeout to 10
Oct 03 19:20:25 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Cancel pending alarm


ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-ldapagent.pp

[root@m1 ~]#

semodule -X 300 -i my-ldapagent.pp


systemctl start dirsrv-snmp
FAILs


snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
nothing



solution:


add some missing SELinux configuration:

cat << EOF > ~/rhds_snmp_selinux.te
module rhds_snmp_selinux 1.0;

require {
        type dirsrv_t;
        type kernel_t;
        type dirsrv_tmpfs_t;
        type dirsrv_var_run_t;
        type dirsrv_snmp_t;
        class file map;
        class dir write;
        class file { create map write };
        class dir add_name;
        class capability dac_override;
        class system module_request;
}

#============= dirsrv_snmp_t ==============

allow dirsrv_snmp_t dirsrv_var_run_t:dir write;
allow dirsrv_snmp_t dirsrv_var_run_t:dir add_name;
allow dirsrv_snmp_t dirsrv_var_run_t:file map;
allow dirsrv_snmp_t dirsrv_var_run_t:file create;
allow dirsrv_snmp_t dirsrv_var_run_t:file { create map };
allow dirsrv_snmp_t dirsrv_var_run_t:file write;
allow dirsrv_snmp_t self:capability dac_override;
allow dirsrv_t kernel_t:system module_request;

EOF

checkmodule -M -m -o ~/rhds_snmp_selinux.mod ~/rhds_snmp_selinux.te
semodule_package -o ~/rhds_snmp_selinux.pp -m ~/rhds_snmp_selinux.mod
semodule -i ~/rhds_snmp_selinux.pp


systemctl start dirsrv-snmp
[root@m1 ~]#

ps ax | egrep "snmp|agent|dirsrv"
   1351 ?        Ssl    0:19 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-m1 -i /run/dirsrv/slapd-m1.pid
  35799 ?        Ss     0:04 /usr/sbin/snmpd -LS0-6d -f
  65752 ?        S      0:00 /usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf
[root@m1 ~]#


snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
HOST-RESOURCES-MIB::hrSWRunParameters.66350 = STRING: "--color=auto -i rhds"

snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB .1.3.6.1.4.1.2312.6 | less
RHDS-MIB::dsAnonymousBinds.389 = Counter64: 0
RHDS-MIB::dsUnAuthBinds.389 = Counter64: 0
...snip...

Note You need to log in before you can comment on or make changes to this bug.