Bug 478629 - SELinux is preventing cyrus-master (cyrus_t) "write" to master (snmpd_var_lib_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 523548
Reported: 2009-01-02 07:24 EST by Anthony Messina
Modified: 2010-01-19 02:09 EST (History)
CC: 5 users

Doc Type: Bug Fix
Clones: 523548
Last Closed: 2010-01-18 18:10:47 EST
Attachments: None
Description Anthony Messina 2009-01-02 07:24:34 EST
Using selinux-policy-targeted-3.5.13-37.fc10.noarch...

Note that I do not specify that cyrus-imapd uses snmp:
/usr/lib/cyrus-imapd/cyrus-master -d

See, no -P switch

I'm not sure what context snmpd's agentx should have, as so many things are to access it: asterisk, cyrus-master, etc.  Would each service need its own socket with its own permissions, or can multiple services read and write to/from the same snmpd socket?

Source Context                system_u:system_r:cyrus_t:s0
Target Context                system_u:object_r:snmpd_var_lib_t:s0
Target Objects                master [ sock_file ]
Source                        cyrus-master
Source Path                   /usr/lib/cyrus-imapd/cyrus-master
Port                          <Unknown>
Host                          chicago.messinet.com
Source RPM Packages           cyrus-imapd-2.3.12p2-3.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-37.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     
Platform                      Linux 
                              2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35
                              EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 02 Jan 2009 05:29:14 AM CST
Last Seen                     Fri 02 Jan 2009 05:29:14 AM CST
Local ID                      b3092c43-1fb0-4d98-ab20-af06d18b23e8
Line Numbers                  

Raw Audit Messages            

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { write } for  pid=3060 comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { connectto } for  pid=3060 comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket

node=xxx.com type=SYSCALL msg=audit(1230895754.46:30): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff04cc7d80 a2=6e a3=7fff04cc7ac0 items=0 ppid=1 pid=3060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=system_u:system_r:cyrus_t:s0 key=(null)
Comment 1 Anthony Messina 2009-01-22 12:55:52 EST
Sorry, I should have reported to selinux-policy-targeted
Comment 2 Dan Horák 2009-01-27 05:44:07 EST
cyrus-imapd is compiled with net-snmp support and it tries to register its snmp subagent during startup, so it looks to me as correct behaviour and cyrus-imapd should be allowed to connect to (and use) /var/agentx/master.

I am not an expert in net-snmp, but the subagent support needs to be explicitly enabled in /etc/snmp/snmpd.conf.
Comment 3 Daniel Walsh 2009-02-02 11:47:03 EST
Miroslav, you need to add

	snmp_stream_connect(cyrus_t)


########################################
## <summary>
##	Connect to snmpd using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_stream_connect',`
	gen_require(`
		type snmpd_t, snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')
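As an added triage example (not part of this bug or of Fedora's policy), a Python script that parses the two AVC records from the description, and per source domain recognises the sock_file write plus unix_stream_socket connectto pair that stream_connect_pattern() covers, suggesting snmp_stream_connect(domain) as in the interface above; a third, constructed asterisk_t record shows the fallback to an audit2allow-style allow rule for denials that do not fit the pattern.

```python
import re

# The two AVC records quoted in the bug description above.
AVC_LINES = [
    'node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { write } for  pid=3060 '
    'comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 '
    'tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file',
    'node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { connectto } for  pid=3060 '
    'comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 '
    'tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket',
    # Constructed record (not from the bug): a domain that only hit the socket
    # file and so does not yet match the full stream-connect pattern.
    'type=AVC msg=audit(1230895755.00:31): avc:  denied  { write } for  pid=4000 comm="asterisk" '
    'name="master" scontext=system_u:system_r:asterisk_t:s0 '
    'tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source domain, target type, class, permissions) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (m["scon"].split(":")[2], m["tcon"].split(":")[2],
            m["tclass"], frozenset(m["perms"].split()))

def suggest_rules(lines):
    """Per source domain, suggest the policy statements that clear its denials.
    'write' on a snmpd_var_lib_t sock_file plus 'connectto' to snmpd_t is what
    stream_connect_pattern() grants, so the refpolicy interface
    snmp_stream_connect(domain) is suggested; anything else gets a raw allow line."""
    by_dom = {}
    for line in lines:
        rec = parse_avc(line)
        if rec:
            by_dom.setdefault(rec[0], []).append(rec)
    suggestions = {}
    for dom, recs in by_dom.items():
        sock_write = any(t == "snmpd_var_lib_t" and c == "sock_file" and "write" in p for _, t, c, p in recs)
        connectto = any(t == "snmpd_t" and c == "unix_stream_socket" and "connectto" in p for _, t, c, p in recs)
        if sock_write and connectto:
            suggestions[dom] = [f"snmp_stream_connect({dom})"]
        else:
            suggestions[dom] = [f"allow {dom} {t}:{c} {{ {' '.join(sorted(p))} }};" for _, t, c, p in recs]
    return suggestions
```

The SYSCALL record's success=yes matches the "Enforcing Mode: Permissive" field in the report: the denials were logged but not enforced, which is why cyrus-master still started.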
Comment 4 Miroslav Grepl 2009-02-03 14:05:08 EST
Fixed in selinux-policy-3.5.13-42.fc10
Comment 5 Nathan Kinder 2009-09-15 17:46:26 EDT
Is there a reason that the "snmp_stream_connect" macro was not added to the policy for F11 and later?  I am writing a policy module for an SNMP subagent that communicates using agentx over a unix domain socket that could use this macro.

Please let me know if you would like a new bug opened for this, or if this bug should be reopened.
Comment 6 Miroslav Grepl 2009-09-16 08:45:37 EDT
Fixed in selinux-policy-3.6.12-83.fc11.noarch
Comment 7 Anthony Messina 2009-12-30 02:56:55 EST
Not a problem in selinux-policy-targeted-3.6.32-59.fc12.noarch (F12)