Bug 246431 - Updated net-snmp package needs policy upgrade
Updated net-snmp package needs policy upgrade
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
high Severity high
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-02 03:57 EDT by Michal Marciniszyn
Modified: 2014-02-10 18:03 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-24 11:06:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Marciniszyn 2007-07-02 03:57:05 EDT
Description of problem:
After installing net-snmp package for rhel 5.1 there are AVC denials with
current selinux policy. I tried to get all the AVC denials, so far there are
following rules in my custom policy module:

allow snmpd_t self:netlink_route_socket create;
allow snmpd_t self:netlink_route_socket { bind write };
allow snmpd_t etc_mail_t:dir search;
allow snmpd_t self:netlink_route_socket nlmsg_read;
allow snmpd_t etc_mail_t:file read;
allow snmpd_t self:netlink_route_socket read;
allow snmpd_t etc_mail_t:file getattr;
allow snmpd_t sendmail_log_t:dir search;
allow snmpd_t var_spool_t:dir search;
allow snmpd_t mqueue_spool_t:dir search;
allow snmpd_t sendmail_log_t:file read;
allow snmpd_t var_lib_t:file getattr;
allow snmpd_t var_lib_t:file { lock read };
allow snmpd_t tmp_t:dir getattr;
allow snmpd_t self:netlink_route_socket setopt;
allow snmpd_t usr_t:file write;

Version-Release number of selected component (if applicable):
net-snmp-5.3.1-18.el5.i386
(+ its utils and some other packages)
Comment 1 Daniel Walsh 2007-07-02 11:03:33 EDT
Please also install the updated selinux-policy package for RHEL
5.1selinux-policy-2.4.6-77  Which should have all of these fixed.
Comment 6 Michal Marciniszyn 2007-08-29 04:49:32 EDT
After installation of new snmpwalk package, updating configuration to include
all mibs to view, following avc's appear:
snmpwalk -v1 -c public localhost
allow snmpd_t mqueue_spool_t:dir read;
allow snmpd_t tmp_t:dir getattr;

snmpwalk -v2c -c public localhost
allow snmpd_t mnt_t:dir search;
allow snmpd_t sysctl_fs_t:dir search;
allow snmpd_t tmp_t:dir getattr;

when viewing the machine via snmpwalk.
Comment 7 Daniel Walsh 2007-08-29 06:13:15 EDT
Fixed in selinux-policy-2.4.6-86
Comment 8 Michal Marciniszyn 2007-09-03 11:31:08 EDT
The new version is still missing one rule for net-snmp. Namely
#============= snmpd_t ==============
allow snmpd_t mqueue_spool_t:dir read;

this one is not included. Please would you add it to the default policy?
Comment 9 Daniel Walsh 2007-09-04 10:37:32 EDT
Fixed in selinux-policy-2.4.6-88
Comment 11 Eduard Benes 2007-09-05 13:44:24 EDT
The new version (selinux-policy-2.4.6-88) is still missing two rules. Please, 
would you add it to the default policy?

.qa.[root@pipa02 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-88.el5.noarch
.qa.[root@pipa02 ~]# rpm -q net-snmp
net-snmp-5.3.1-19.el5.x86_64
.qa.[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log 


.qa.[root@pipa02 ~]# /etc/init.d/snmpd restart
Stopping snmpd:                                            [FAILED]
Starting snmpd:                                            [  OK  ]
.qa.[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log 


#============= snmpd_t ==============
allow snmpd_t user_home_t:file getattr;
.qa.[root@pipa02 ~]# snmpwalk -v2c -c public localhost > v2c.log
.qa.[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log 


#============= snmpd_t ==============
allow snmpd_t mqueue_spool_t:dir read;
allow snmpd_t user_home_t:file getattr;
.qa.[root@pipa02 ~]# snmpwalk -v1 -c public localhost | wc -l
16969
.qa.[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log 


#============= snmpd_t ==============
allow snmpd_t mqueue_spool_t:dir read;
allow snmpd_t user_home_t:file getattr;
Comment 13 Daniel Walsh 2007-09-21 15:41:54 EDT
Fixed in selinux-policy-2.4.6-93 has 
allow snmpd_t mqueue_spool_t:dir read;

Could you attach the avc messages for the user_home_t?
Comment 15 Eduard Benes 2007-09-24 04:30:20 EDT
.qa.[root@pipa02 ~]# ausearch -m AVC -ts recent
<no matches> 
.qa.[root@pipa02 ~]# /etc/init.d/snmpd restart
Stopping snmpd:                                            [FAILED]
Starting snmpd:                                            [  OK  ]
.qa.[root@pipa02 ~]# ausearch -m AVC -ts recent
----
time->Mon Sep 24 10:26:35 2007
type=SYSCALL msg=audit(1190622395.384:7353): arch=c000003e syscall=4 
success=yes exit=0 a0=7fff3f0dd0c0 a1=7fff3f0dd120 a2=7fff3f0dd120 a3=0 items=0 
ppid=1 pid=28850 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) comm="snmpd" exe="/usr/sbin/snmpd" subj=root:system_r:snmpd_t:s0 
key=(null)
type=AVC msg=audit(1190622395.384:7353): avc:  denied  { getattr } for  
pid=28850 comm="snmpd" path="/root/.rpmmacros" dev=sda2 ino=12419197 
scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 
tclass=file
----
time->Mon Sep 24 10:26:35 2007
type=SYSCALL msg=audit(1190622395.384:7354): arch=c000003e syscall=2 
success=yes exit=9 a0=55555702f590 a1=0 a2=1b6 a3=1 items=0 ppid=1 pid=28850 
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
comm="snmpd" exe="/usr/sbin/snmpd" subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1190622395.384:7354): avc:  denied  { read } for  pid=28850 
comm="snmpd" name=".rpmmacros" dev=sda2 ino=12419197 
scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 
tclass=file
.qa.[root@pipa02 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-93.el5.noarch
Comment 16 Daniel Walsh 2007-09-24 11:06:21 EDT
These types of bugs really can not be fixed well. This is just caused by the way
you have the system setup.  snmp does not really want to read this file,  if we
dontaudit this, we would be preventing the sysadm from seeing a compromized snmp
trying to read the users home directory or root directory.  I don't believe this
would happen in the normal running of the snmp daemon, IE on normal boot, so it
can be ignored.


Note You need to log in before you can comment on or make changes to this bug.