Description of problem: snmptrapd requires write access to /tmp/snmpdXXXXXX when using traphandlers. This can be defined through NETSNMP_TEMP_FILE_PATTERN. I suggest creating a new context for these files as well as a context for executing the external traphandlers. I also see that the "self:udp_socket connect" context must be allowed as well. This I do not completely understand. How reproducible: Very Steps to Reproduce: 1. SELinux set to enforcing 2. Create traphandler in /etc/snmp/snmptrapd.conf 3. Send trap to snmptrapd that will be executed by traphandler 4. Review audit log
Created attachment 275641 [details] audit log
Please ignore traphandler.pl in the log, focus on snmptrapd.
Daemons should not be using /tmp for anything. /tmp is for users. /var/run is for daemons. /tmp can be attacked by a user. /var/run can not. So smpmtrapd should be setup to write its temp files to /var/run. If it needs to have the temporary files survive a reboot it should use /var/cache.
Good point, I'll put it there. Thanks!
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0376.html