Bug 454024 - selinux denies snmpd to read from /proc/pid/fd/*
Summary: selinux denies snmpd to read from /proc/pid/fd/*
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-03 21:04 UTC by Filipe Brandenburger
Modified: 2012-10-16 08:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 587766 (view as bug list)
Environment:
Last Closed: 2009-01-20 21:32:07 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0163 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2009-01-20 16:05:21 UTC

Description Filipe Brandenburger 2008-07-03 21:04:02 UTC
Description of problem:

When running an snmpd daemon on a RedHat machine with IPv6 disabled, the daemon
hangs when it is queried for attributes related to IPv6. In particular, doing a
full snmpwalk will display the behaviour.


Version-Release number of selected component (if applicable):

net-snmp-5.3.1-24.el5_2.1


How reproducible:

Every time.


Steps to Reproduce:
1. Disable IPv6 on a machine, by adding these two lines to /etc/modprobe.conf:
        alias net-pf-10 off
        alias ipv6 off
2. Reboot the machine
3. Create a very basic /etc/snmp/snmpd.conf:
        rocommunity read public default
4. Start snmpd daemon:
        service snmpd start
5. Query it with snmpwalk:
        snmpwalk -v 2c -c public localhost .1


Actual results:

It will hang after TCP-MIB::tcpConnRemPort (or around that). Even after breaking
the snmpwalk with Ctrl+C, the snmpd daemon will be unresponsive and won't answer
any more queries.

On /var/log/messages you will see messages such as:

snmpd[32695]: could not open /proc/net/if_inet6
snmpd[32695]: cannot open /proc/net/snmp6
snmpd[32695]: could not open /proc/net/tcp6

You have to restart the daemon to be able to do SNMP queries again.


Expected results:

The daemon should probably detect that IPv6 is not enabled/not available and
should just skip those sessions of the MIB. Even if it logs an error, it should
certainly not hang and stop answering queries.

Comment 1 Jan Safranek 2008-07-04 09:48:49 UTC
I can't reproduce the bug. I fixed something similar for RHEL 5.2, see bug
#444236. The snmpd indeed prints "could not open /proc/net/if_inet6", but should
recover from such errors and anything above net-snmp-5.3.1-23 should work
without IPv6 module.

Please double check that you use the latest version and if it's still reproducible,
then please provide an strace of snmpd.

Comment 2 Filipe Brandenburger 2008-07-04 18:44:31 UTC
Yes, actually it seems that the upgrade to 5.3.1-24.el5_2.1 fixed this problem.
I was confused, though, because I was seeing the same symptom (snmpwalk hanging)
and same log messages.

I went further and I saw that now what happens is that, just after restarting
snmpd, the first time I run snmpwalk, it hangs just after TCP-MIB::tcpOutRsts.0
for some seconds and actually makes snmpwalk time out. On the next tries, that
no longer happens. I saw that when it happens several lines like the ones below
are written to /var/log/audit/audit.log:

type=AVC msg=audit(1215196841.911:1218551): avc:  denied  { sys_ptrace } for 
pid=29322 comm="snmpd" capability=19 scontext=user_u:system_r:snmpd_t:s0
tcontext=user_u:system_r:snmpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1215196841.911:1218551): arch=c000003e syscall=89
success=no exit=-13 a0=7fff621bcff0 a1=7fff621be000 a2=ff a3=3 items=0 ppid=1
pid=29322 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0
key=(null)

I have a 26MB strace of snmpd, please let me know if you would like me to attach
it to the bug.

Thanks,
Filipe


Comment 3 Filipe Brandenburger 2008-07-04 18:58:10 UTC
The machine where I tested it was not 100% updated to 5.2, it was a 5.1
installation and I had just upgraded net-snmp to the latest version to see if
the problem still happened.

I just tried it on a fully updated 5.2 machine; I rebooted it before starting
the tests. I no longer have a timeout, but I continue to have some AVC messages:

type=AVC msg=audit(1215197783.247:10562): avc:  denied  { ptrace } for  pid=3060
comm="snmpd" scontext=user_u:system_r:snmpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1215197783.247:10562): arch=c000003e syscall=89
success=no exit=-13 a0=7fffb9d41330 a1=7fffb9d42340 a2=ff a3=3 items=0 ppid=1
pid=3060 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd"
subj=user_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1215197783.247:10563): avc:  denied  { ptrace } for  pid=3060
comm="snmpd" scontext=user_u:system_r:snmpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1215197783.247:10563): arch=c000003e syscall=89
success=no exit=-13 a0=7fffb9d41330 a1=7fffb9d42340 a2=ff a3=3 items=0 ppid=1
pid=3060 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd"
subj=user_u:system_r:snmpd_t:s0 key=(null)

Should I be worried about this? Anyway, why would snmpd try to ptrace something?

Thanks,
Filipe


Comment 4 Jan Safranek 2008-07-09 13:32:17 UTC
Strange, snmpd should not use ptrace, at least not directly. Anyway, I am able
to reproduce it locally and I'll look at it.

Comment 5 Jan Safranek 2008-07-09 14:17:08 UTC
net-snmp-5.3.1-24 (i.e. from RHEL 5.1) works without SELinux denials -> setting
regression keyword

Comment 6 Jan Safranek 2008-07-09 14:32:29 UTC
(In reply to comment #5)
> net-snmp-5.3.1-24 (i.e. from RHEL 5.1) works without SELinux denials
heh, net-snmp-5.3.1-19 is the working one (RHEL 5.1), -24 comes with RHEL 5.2
and produces the reported SELinux denials.



Comment 7 Filipe Brandenburger 2008-07-09 15:26:11 UTC
But with net-snmp-5.3.1-24, AFAIR, I had issues on machines with IPv6 disabled.
Anyway, the "ptrace" problem seems to be less serious, since it happens only
when snmpd starts and it doesn't leave the process hung, so I prefer to live
with that one.


Comment 8 Jan Safranek 2008-07-16 13:36:36 UTC
Use, of course, whichever version works best for you - the AVC is harmless.
Still, it should be fixed... It's generated when snmpd retrieves value of
TCP-MIB::tcpListenerProcess and TCP-MIB::tcpConnectionProcess, which were added
in RHEL 5.2.

Comment 9 Jan Safranek 2008-07-16 13:50:42 UTC
Reassigning to SELinux... SELinux reports AVC when snmpd reads /proc/<pid>/fd/*,
see comment #3
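
A triage helper for the denials quoted in comments 2 and 3: it parses AVC records from audit.log, counts denials by source type, target type, object class and permission, and renders the allow rule audit2allow would propose for each. This is an added example, not code from the bug, net-snmp or selinux-policy; the sample input is the page's own AVC records rejoined onto one line each.

```python
import re
from collections import Counter

# Constructed sample input: the AVC records quoted in comments 2 and 3 above,
# rejoined onto one line per record (auditd writes one record per line; the
# bug comments wrapped them at 80 columns).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215197783.247:10562): avc:  denied  { ptrace } for  pid=3060 comm="snmpd" scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1215197783.247:10562): arch=c000003e syscall=89 success=no exit=-13 a0=7fffb9d41330 a1=7fffb9d42340 a2=ff a3=3 items=0 ppid=1 pid=3060 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1215197783.247:10563): avc:  denied  { ptrace } for  pid=3060 comm="snmpd" scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1215196841.911:1218551): avc:  denied  { sys_ptrace } for  pid=29322 comm="snmpd" capability=19 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:system_r:snmpd_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return one AVC record's fields as a dict, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": m.group("serial"), "verdict": m.group("verdict"),
           "perms": m.group("perms").split()}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("rest")))
    return rec

def selinux_type(context):
    """user_u:system_r:snmpd_t:s0 -> snmpd_t (the type is the third field)."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Count denied AVCs by (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["comm"], selinux_type(rec["scontext"]),
                    selinux_type(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts

def allow_rules(counts):
    """Render each distinct denial as the allow rule audit2allow would propose."""
    rules = {f"allow {s} {'self' if s == t else t}:{c} {p};" for (_, s, t, c, p) in counts}
    return sorted(rules)
```

The real fix is the updated selinux-policy package named in comment 11; a local module built from these rules is only a stopgap, and the process rule grants snmpd_t ptrace access to every unconfined_t process, not just read access to /proc/<pid>/fd.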


Comment 11 Daniel Walsh 2008-07-16 16:30:24 UTC
Fixed in selinux-policy-2.4.6-141.el5

Comment 12 RHEL Program Management 2008-07-16 16:30:50 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 13 RHEL Program Management 2008-07-16 16:44:29 UTC
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.

Comment 18 errata-xmlrpc 2009-01-20 21:32:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
