Description of problem:
After installing the net-snmp package for RHEL 5.1 there are AVC denials with the current SELinux policy. I tried to get all the AVC denials; so far there are the following rules in my custom policy module:

allow snmpd_t self:netlink_route_socket create;
allow snmpd_t self:netlink_route_socket { bind write };
allow snmpd_t etc_mail_t:dir search;
allow snmpd_t self:netlink_route_socket nlmsg_read;
allow snmpd_t etc_mail_t:file read;
allow snmpd_t self:netlink_route_socket read;
allow snmpd_t etc_mail_t:file getattr;
allow snmpd_t sendmail_log_t:dir search;
allow snmpd_t var_spool_t:dir search;
allow snmpd_t mqueue_spool_t:dir search;
allow snmpd_t sendmail_log_t:file read;
allow snmpd_t var_lib_t:file getattr;
allow snmpd_t var_lib_t:file { lock read };
allow snmpd_t tmp_t:dir getattr;
allow snmpd_t self:netlink_route_socket setopt;
allow snmpd_t usr_t:file write;

Version-Release number of selected component (if applicable):
net-snmp-5.3.1-18.el5.i386 (+ its utils and some other packages)
Please also install the updated selinux-policy package for RHEL 5.1, selinux-policy-2.4.6-77, which should have all of these fixed.
After installation of the new snmpwalk package and updating the configuration to include all MIBs in the view, the following AVCs appear when viewing the machine via snmpwalk:

snmpwalk -v1 -c public localhost
allow snmpd_t mqueue_spool_t:dir read;
allow snmpd_t tmp_t:dir getattr;

snmpwalk -v2c -c public localhost
allow snmpd_t mnt_t:dir search;
allow snmpd_t sysctl_fs_t:dir search;
allow snmpd_t tmp_t:dir getattr;
Fixed in selinux-policy-2.4.6-86
The new version is still missing one rule for net-snmp, namely:

#============= snmpd_t ==============
allow snmpd_t mqueue_spool_t:dir read;

This one is not included. Please, would you add it to the default policy?
Fixed in selinux-policy-2.4.6-88
The new version (selinux-policy-2.4.6-88) is still missing two rules. Please, would you add them to the default policy?

[root@pipa02 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-88.el5.noarch
[root@pipa02 ~]# rpm -q net-snmp
net-snmp-5.3.1-19.el5.x86_64
[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log
[root@pipa02 ~]# /etc/init.d/snmpd restart
Stopping snmpd: [FAILED]
Starting snmpd: [ OK ]
[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log
#============= snmpd_t ==============
allow snmpd_t user_home_t:file getattr;
[root@pipa02 ~]# snmpwalk -v2c -c public localhost > v2c.log
[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log
#============= snmpd_t ==============
allow snmpd_t mqueue_spool_t:dir read;
allow snmpd_t user_home_t:file getattr;
[root@pipa02 ~]# snmpwalk -v1 -c public localhost | wc -l
16969
[root@pipa02 ~]# audit2allow < /var/log/audit/audit.log
#============= snmpd_t ==============
allow snmpd_t mqueue_spool_t:dir read;
allow snmpd_t user_home_t:file getattr;
Fixed in selinux-policy-2.4.6-93, which has allow snmpd_t mqueue_spool_t:dir read; Could you attach the AVC messages for the user_home_t?
[root@pipa02 ~]# ausearch -m AVC -ts recent
<no matches>
[root@pipa02 ~]# /etc/init.d/snmpd restart
Stopping snmpd: [FAILED]
Starting snmpd: [ OK ]
[root@pipa02 ~]# ausearch -m AVC -ts recent
----
time->Mon Sep 24 10:26:35 2007
type=SYSCALL msg=audit(1190622395.384:7353): arch=c000003e syscall=4 success=yes exit=0 a0=7fff3f0dd0c0 a1=7fff3f0dd120 a2=7fff3f0dd120 a3=0 items=0 ppid=1 pid=28850 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="snmpd" exe="/usr/sbin/snmpd" subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1190622395.384:7353): avc: denied { getattr } for pid=28850 comm="snmpd" path="/root/.rpmmacros" dev=sda2 ino=12419197 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
----
time->Mon Sep 24 10:26:35 2007
type=SYSCALL msg=audit(1190622395.384:7354): arch=c000003e syscall=2 success=yes exit=9 a0=55555702f590 a1=0 a2=1b6 a3=1 items=0 ppid=1 pid=28850 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="snmpd" exe="/usr/sbin/snmpd" subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1190622395.384:7354): avc: denied { read } for pid=28850 comm="snmpd" name=".rpmmacros" dev=sda2 ino=12419197 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
[root@pipa02 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-93.el5.noarch
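The custom policy module in the opening report and the raw AVC records just above are the two halves of the audit2allow workflow: the AVC lines are the input, the allow rules are the output. The following Python script is an added example, not code from net-snmp, selinux-policy or audit2allow itself. It parses AVC records (a constructed sample modelled on the ones quoted above), collapses them into allow rules the way audit2allow does (getattr and read on the same file become one rule), and renders a loadable .te module. Unlike a plain audit2allow run, it writes any rule whose target type is on a review list as a comment, so a denial such as snmpd touching user_home_t is surfaced for a human rather than allowed by accident. The module name snmpd_local, the review list and the regular expressions are assumptions made for this example.

```python
"""Turn SELinux AVC denial records into a type-enforcement (.te) module.

Added example: a minimal stand-in for the audit2allow step used in this
report, plus a review step that refuses to auto-allow denials against
types a human should look at first.  Not part of net-snmp or selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the audit records quoted in the report
# (the real log has the full SYSCALL fields; only the AVC fields matter here).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1190622395.384:7353): arch=c000003e syscall=4 success=yes exit=0 comm="snmpd" exe="/usr/sbin/snmpd" subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1190622395.384:7353): avc:  denied  { getattr } for  pid=28850 comm="snmpd" path="/root/.rpmmacros" dev=sda2 ino=12419197 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190622395.384:7354): avc:  denied  { read } for  pid=28850 comm="snmpd" name=".rpmmacros" dev=sda2 ino=12419197 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190622401.512:7360): avc:  denied  { read } for  pid=28850 comm="snmpd" name="mqueue" dev=sda2 ino=4521 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
"""

# One AVC record: the permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')


def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range may itself contain ':')."""
    return ctx.split(":", 3)[2]


def parse_avc(text):
    """Return one dict per AVC denial line; SYSCALL and other records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        obj = OBJ_RE.search(line)
        records.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "object": obj.group(1) if obj else "",
        })
    return records


def build_rules(records):
    """Merge denials into (source type, target type, class) -> permission set,
    the same collapsing audit2allow does (getattr + read on one file -> one rule)."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def format_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def render_te(rules, module_name, review_types=frozenset()):
    """Render a loadable .te module.  Rules whose target type is in
    review_types are written out commented, so they cannot be loaded by
    accident: a daemon reading user_home_t deserves a look, not an allow."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = ["module %s 1.0;" % module_name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, format_perms(classes[c])) for c in sorted(classes)]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        rule = "allow %s %s:%s %s;" % (stype, ttype, cls, format_perms(perms))
        if ttype in review_types:
            out.append("# NEEDS REVIEW, not loaded: " + rule)
        else:
            out.append(rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # user_home_t is on the review list here as an assumed policy choice.
    rules = build_rules(parse_avc(SAMPLE_AUDIT_LOG))
    print(render_te(rules, "snmpd_local", review_types={"user_home_t"}))
```

Redirect the output to snmpd_local.te and build it the usual way (checkmodule -M -m -o snmpd_local.mod snmpd_local.te, then semodule_package -o snmpd_local.pp -m snmpd_local.mod, then semodule -i snmpd_local.pp); the commented-out user_home_t rule stays a comment until someone decides it belongs in policy.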
These types of bugs really cannot be fixed well. This is just caused by the way you have the system set up. snmp does not really want to read this file; if we dontaudit this, we would be preventing the sysadmin from seeing a compromised snmp trying to read the user's home directory or root directory. I don't believe this would happen in the normal running of the snmp daemon, i.e. on normal boot, so it can be ignored.