Using selinux-policy-targeted-3.5.13-37.fc10.noarch...

Note that I do not specify that cyrus-imapd uses snmp:

/usr/lib/cyrus-imapd/cyrus-master -d

See, no -P switch. I'm not sure what context snmpd's agentx should have, as so many things are to access it: asterisk, cyrus-master, etc. Would each service need its own socket with its own permissions, or can multiple services read and write to/from the same snmpd socket?

Source Context                system_u:system_r:cyrus_t:s0
Target Context                system_u:object_r:snmpd_var_lib_t:s0
Target Objects                master [ sock_file ]
Source                        cyrus-master
Source Path                   /usr/lib/cyrus-imapd/cyrus-master
Port                          <Unknown>
Host                          chicago.messinet.com
Source RPM Packages           cyrus-imapd-2.3.12p2-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-37.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name
Platform                      Linux 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 02 Jan 2009 05:29:14 AM CST
Last Seen                     Fri 02 Jan 2009 05:29:14 AM CST
Local ID                      b3092c43-1fb0-4d98-ab20-af06d18b23e8
Line Numbers

Raw Audit Messages

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc: denied { write } for pid=3060 comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
node=xxx.com type=AVC msg=audit(1230895754.46:30): avc: denied { connectto } for pid=3060 comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
node=xxx.com type=SYSCALL msg=audit(1230895754.46:30): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff04cc7d80 a2=6e a3=7fff04cc7ac0 items=0 ppid=1 pid=3060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=system_u:system_r:cyrus_t:s0 key=(null)
Sorry, I should have reported to selinux-policy-targeted
cyrus-imapd is compiled with net-snmp support and it tries to register its snmp subagent during startup, so it looks to me like correct behaviour, and cyrus-imapd should be allowed to connect to (and use) /var/agentx/master. I am not an expert in net-snmp, but the subagent support needs to be explicitly enabled in /etc/snmp/snmpd.conf.
Miroslav, you need to add snmp_stream_connect(cyrus_t):

########################################
## <summary>
##	Connect to snmpd using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_stream_connect',`
	gen_require(`
		type snmpd_t, snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')
Fixed in selinux-policy-3.5.13-42.fc10
Is there a reason that the "snmp_stream_connect" macro was not added to the policy for F11 and later? I am writing a policy module for a SNMP subagent that communicates using agentx over a unix domain socket that could use this macro. Please let me know if you would like a new bug opened for this, or if this bug should be reopened.
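As an added example (not code from this bug or from the Fedora policy package), here is the access that the snmp_stream_connect interface grants, written as a local module of raw allow rules so it also serves a subagent module on a policy that does not ship the interface yet. It assumes the subagent domain is passed as an argument (cyrus_t here, matching the AVCs above), that checkpolicy and policycoreutils are installed, and that the AgentX socket directory is labelled snmpd_var_lib_t like the socket in the report.

```shell
#!/bin/sh
# Added example, not from the bug report: a local module granting a domain
# the same access snmp_stream_connect() grants, built from raw allow rules
# so it works even on a policy that does not ship that interface yet.

# Write the type-enforcement source for domain $1 to file $2.
write_agentx_te() {
    domain="$1"
    out="$2"
    cat > "$out" <<EOF
module local_${domain}_agentx 1.0;

require {
    type ${domain};
    type snmpd_t;
    type snmpd_var_lib_t;
    class dir search;
    class sock_file write;
    class unix_stream_socket connectto;
}

# The two AVCs from the report: write to the sock_file and connectto snmpd.
allow ${domain} snmpd_var_lib_t:sock_file write;
allow ${domain} snmpd_t:unix_stream_socket connectto;
# stream_connect_pattern also grants search on the socket's directory.
allow ${domain} snmpd_var_lib_t:dir search;
EOF
}

# Compile the source with checkmodule, package it and load it with semodule
# (requires the checkpolicy and policycoreutils packages, and root to load).
build_and_load() {
    domain="$1"
    base="local_${domain}_agentx"
    write_agentx_te "$domain" "$base.te"
    checkmodule -M -m -o "$base.mod" "$base.te" || return 1
    semodule_package -o "$base.pp" -m "$base.mod" || return 1
    semodule -i "$base.pp"
}

# Only try to load the module on a host that is actually running SELinux.
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled \
   && command -v checkmodule >/dev/null 2>&1; then
    build_and_load cyrus_t
fi
```

After loading, the rule can be confirmed with sesearch --allow -s cyrus_t -t snmpd_t -c unix_stream_socket from setools, and the AVCs should stop appearing once enforcing mode is restored.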
Fixed in selinux-policy-3.6.12-83.fc11.noarch
Not a problem in selinux-policy-targeted-3.6.32-59.fc12.noarch (F12)