Bug 231130 - snmpwalk triggers some unexpected access denied
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2007-03-06 07:35 EST by Peter Bieringer
Modified: 2007-11-30 17:07 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-06-21 09:22:48 EDT
Description Peter Bieringer 2007-03-06 07:35:11 EST
Description of problem:
Running snmpwalk against an SELinux enabled system triggers some unexpected
access denied messages.

Version-Release number of selected component (if applicable):


How reproducible:
on each snmpwalk

Steps to Reproduce:
1. enable SNMP
2. run snmpwalk -v 1 -c public localhost
  
Actual results:

Mar  2 13:47:01 system audit(1172839621.508:6): avc:  denied  { read write } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.508:7): avc:  denied  { lock } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.515:8): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=usbfs ino=1345 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.515:9): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=selinuxfs ino=184 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:security_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.557:10): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md0 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.559:11): avc:  denied  { search } for pid=23865 comm="snmpd" name="www" dev=md1 ino=18053 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.559:12): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md3 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.561:13): avc:  denied  { search } for pid=23865 comm="snmpd" name="mnt" dev=md1 ino=432865 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mnt_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.561:14): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md4 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mnt_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.563:15): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md7 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.565:16): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md8 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.567:17): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md5 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.569:18): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=binfmt_misc ino=5826 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.571:19): avc:  denied  { search } for pid=23865 comm="snmpd" name="named" dev=md1 ino=96660 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:named_zone_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.571:20): avc:  denied  { search } for pid=23865 comm="snmpd" name="chroot" dev=md1 ino=112318 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:named_conf_t tclass=dir
Mar  2 13:52:30 system audit(1172839950.183:21): avc:  denied  { read write } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:52:30 system audit(1172839950.183:22): avc:  denied  { lock } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:52:30 system audit(1172839950.190:23): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=usbfs ino=1345 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir

Expected results:
No such messages

Additional info:

audit2allow suggests the following additional rules:

allow snmpd_t binfmt_misc_fs_t:dir getattr;
allow snmpd_t boot_t:dir getattr;
allow snmpd_t home_root_t:dir getattr;
allow snmpd_t httpd_sys_content_t:dir { getattr search };
allow snmpd_t mail_spool_t:dir getattr;
allow snmpd_t mnt_t:dir { getattr search };
allow snmpd_t named_conf_t:dir search;
allow snmpd_t named_zone_t:dir search;
allow snmpd_t security_t:dir getattr;
allow snmpd_t tmp_t:dir getattr;
allow snmpd_t usbfs_t:dir getattr;
allow snmpd_t var_run_t:file { lock read write };
Comment 1 Peter Bieringer 2007-03-06 07:36:59 EST
Forgot to specify version:
selinux-policy-targeted-1.17.30-2.141 (regardless permissive or enforced mode)
Comment 2 Glen Turner 2007-05-02 02:07:23 EDT
FC5 also adds:

allow snmpd_t sendmail_log_t:dir search;
allow snmpd_t self:netlink_route_socket create;
allow snmpd_t self:udp_socket connect;
allow snmpd_t var_spool_t:dir search;

I'm running in enforcing mode so there could well be more, as snmpd stopped
responding after trying to read the netlink route socket.
Comment 3 Glen Turner 2007-05-02 02:09:05 EDT
sealert -l a8cf7b04-93fb-49a5-abbd-97db1cfa786e
Summary
    SELinux is preventing /usr/sbin/snmpd (snmpd_t) "create" access to <Unknown>
    (snmpd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/snmpd. It is not expected that
    this access is required by /usr/sbin/snmpd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "snmpd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P snmpd_disable_trans=1."

    The following command will allow this access:
    setsebool -P snmpd_disable_trans=1

Additional Information:       

Source Context:               user_u:system_r:snmpd_t:s0
Target Context:               user_u:system_r:snmpd_t:s0
Target Objects:               None [ netlink_route_socket ]
Affected RPM Packages:        net-snmp-5.3.1-14.fc6 [application]
Policy RPM:                   selinux-policy-2.4.6-54.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.disable_trans
Host Name:                    aix.gdt.id.au
Platform:                     Linux aix.gdt.id.au 2.6.20-1.2944.fc6 #1 SMP Tue Apr 10 18:46:45 EDT 2007 i686 i686
Alert Count:                  23
Line Numbers:                 

Raw Audit Messages:           

avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=25386 scontext=user_u:system_r:snmpd_t:s0 sgid=0 subj=user_u:system_r:snmpd_t:s0 suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0 tty=(none) uid=0
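Added example, not code from this bug report, from the reporter, or from the selinux-policy package: a small Python script that does by hand what audit2allow did for the AVC messages in the description, and what the sealert text in comment 3 recommends instead of flipping snmpd_disable_trans, namely turning the denials into a reviewable local policy module. It parses both record shapes seen on this page (the syslog-style `audit(...)` lines and the raw `avc: denied` line with `subj=`), merges permissions per (source type, target type, class), collapses a target equal to the source into `self`, and renders a `.te` source. The sample records are copies of lines quoted in this bug, re-joined one per line; the non-AVC noise line and all function names are constructed for the example.

```python
"""Aggregate SELinux AVC denials into candidate allow rules and a .te module source."""
import re
from collections import defaultdict

# Constructed sample: records copied from this bug (re-joined one per line),
# plus one non-AVC line that the parser must ignore.
SAMPLE_AUDIT = """\
Mar  2 13:47:01 system audit(1172839621.508:6): avc:  denied  { read write } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.508:7): avc:  denied  { lock } for pid=23865 comm="snmpd" name="utmp" dev=md1 ino=400807 scontext=system_u:system_r:snmpd_t tcontext=user_u:object_r:var_run_t tclass=file
Mar  2 13:47:01 system audit(1172839621.561:13): avc:  denied  { search } for pid=23865 comm="snmpd" name="mnt" dev=md1 ino=432865 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mnt_t tclass=dir
Mar  2 13:47:01 system audit(1172839621.561:14): avc:  denied  { getattr } for pid=23865 comm="snmpd" name="/" dev=md4 ino=2 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:mnt_t tclass=dir
Mar  2 13:47:01 system kernel: constructed noise line with no AVC record in it
avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=25386 scontext=user_u:system_r:snmpd_t:s0 sgid=0 subj=user_u:system_r:snmpd_t:s0 suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0 tty=(none) uid=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = {
    "scontext": re.compile(r"\bscontext=(\S+)"),
    "tcontext": re.compile(r"\btcontext=(\S+)"),
    "tclass": re.compile(r"\btclass=(\S+)"),
}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return {perms, stype, ttype, tclass} for one AVC record, or None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {}
    for name, rx in FIELD_RE.items():
        fm = rx.search(line)
        if not fm:
            return None
        fields[name] = fm.group(1)
    return {
        "perms": set(m.group(1).split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def aggregate(text):
    """Merge all denials into {(stype, ttype, tclass): set(perms)}."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(merged)


def fmt_perms(perms):
    """Policy syntax: braces only around a set of more than one permission."""
    txt = " ".join(sorted(perms))
    return "{ " + txt + " }" if len(perms) > 1 else txt


def to_rules(merged):
    """One allow rule per (source, target, class), target 'self' when it equals the source."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return rules


def to_module(name, merged):
    """Render the rules as .te module source with the require block they need."""
    types = sorted({t for key in merged for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + to_rules(merged)
    return "\n".join(lines) + "\n"


def writable_targets(merged):
    """(target type, class) pairs the module would let the domain modify; review these first."""
    modifying = {"write", "append", "unlink", "rename"}
    return sorted((ttype, tclass) for (_, ttype, tclass), perms in merged.items()
                  if perms & modifying)


if __name__ == "__main__":
    merged = aggregate(SAMPLE_AUDIT)
    print(to_module("local_snmpd", merged))
    print("# review before loading, grants modification of:", writable_targets(merged))
```

The `writable_targets` list is the reviewer's checkpoint: an allow rule is type-based, so `allow snmpd_t var_run_t:file { lock read write };` lets snmpd write every file labelled var_run_t, not only utmp, which is why the `.te` output should be read before it is compiled and loaded with the policy tools on the host (checkmodule, semodule_package, semodule) rather than installed as generated.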
Comment 4 Daniel Walsh 2007-05-03 10:32:02 EDT
Please do not combine bugs for different versions and different OS.  RHEL4, FC5
and FC6 bugs can not be combined.