Description of problem: SELinux is preventing snmpd (snmpd_t) "read" to pipe (crond_t) as daemon is restarted during nightly logrotate. Version-Release number of selected component (if applicable): net-snmp & libs: 5.3.1-24.el5_2.1 selinux-policy-targeted: 2.4.6-137.1.el5_2 How reproducible: Steps to Reproduce: 1. Enable snmpd logging by creating the file /etc/snmp/snmpd.options with the following content. (By default snmpd does not write a log file): OPTIONS="-Lsd -Lf /var/log/snmpd.log -p /var/run/snmpd.pid -a" 2. Enable and start the snmpd service. (By default snmpd is not enabled): # chkconfig snmpd on # service snmpd start 3.(optional for debugging) Add this line to /etc/crontab so that logs are rotated every 5 minutes for debugging purposes: */5 * * * * root /usr/bin/logrotate -f /etc/logrotate.conf Actual results: AVC denial: SELinux is preventing snmpd (snmpd_t) "read" to pipe (crond_t) Expected results: no AVC denials; Additional info:
Another anomoly: - snmpd starts up with context system_u:system_r:snmpd_t when system boots. - after the logrotate it's running with context user_u:system_r:snmpd_t I haven't seen any ill effects, but it's odd to see maintenance operations changing process contexts.
Not sure if the component is net-snmp or selinux-policy-targeted but will go with the latter...
Fixed in selinux-policy-2.4.6-155.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html