Red Hat Bugzilla – Bug 401211
snmptrapd when using traphandlers defaults to /tmp for temp files, breaks selinux rules
Last modified: 2008-05-21 11:42:13 EDT
Description of problem:
snmptrapd requires write access to /tmp/snmpdXXXXXX when using traphandlers.
This can be defined through NETSNMP_TEMP_FILE_PATTERN.
I suggest creating a new context for these files as well as a context for
executing the external traphandlers.
I also see that the "self:udp_socket connect" context must be allowed as well.
This I do not completely understand.
Steps to Reproduce:
1. SELinux set to enforcing
2. Create traphandler in /etc/snmp/snmptrapd.conf
3. Send trap to snmptrapd that will be executed by traphandler
4. Review audit log
Created attachment 275641 [details]
Please ignore traphandler.pl in the log, focus on snmptrapd.
Daemons should not be using /tmp for anything. /tmp is for users.
/var/run is for daemons.
/tmp can be attacked by a user.
/var/run can not.
So smpmtrapd should be setup to write its temp files to /var/run. If it needs
to have the temporary files survive a reboot it should use /var/cache.
Good point, I'll put it there. Thanks!
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.