Bug 478629 - SELinux is preventing cyrus-master (cyrus_t) "write" to master (snmpd_var_lib_t).
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 523548
Reported: 2009-01-02 12:24 UTC by Anthony Messina
Modified: 2010-01-19 07:09 UTC (History)

Fixed In Version:
Clone Of:
Clones: 523548
Environment:
Last Closed: 2010-01-18 23:10:47 UTC
Type: ---
Embargoed:



Description Anthony Messina 2009-01-02 12:24:34 UTC
Using selinux-policy-targeted-3.5.13-37.fc10.noarch...

Note that I do not specify that cyrus-imapd uses snmp:
/usr/lib/cyrus-imapd/cyrus-master -d

See, no -P switch

I'm not sure what context snmpd's agentx should have, as so many things are to access it: asterisk, cyrus-master, etc.  Would each service need its own socket with its own permissions, or can multiple services read and write to/from the same snmpd socket?

Source Context                system_u:system_r:cyrus_t:s0
Target Context                system_u:object_r:snmpd_var_lib_t:s0
Target Objects                master [ sock_file ]
Source                        cyrus-master
Source Path                   /usr/lib/cyrus-imapd/cyrus-master
Port                          <Unknown>
Host                          chicago.messinet.com
Source RPM Packages           cyrus-imapd-2.3.12p2-3.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-37.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     
Platform                      Linux 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 02 Jan 2009 05:29:14 AM CST
Last Seen                     Fri 02 Jan 2009 05:29:14 AM CST
Local ID                      b3092c43-1fb0-4d98-ab20-af06d18b23e8
Line Numbers                  

Raw Audit Messages            

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { write } for  pid=3060 comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { connectto } for  pid=3060 comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket

node=xxx.com type=SYSCALL msg=audit(1230895754.46:30): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff04cc7d80 a2=6e a3=7fff04cc7ac0 items=0 ppid=1 pid=3060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=system_u:system_r:cyrus_t:s0 key=(null)

Comment 1 Anthony Messina 2009-01-22 17:55:52 UTC
Sorry, I should have reported to selinux-policy-targeted

Comment 2 Dan Horák 2009-01-27 10:44:07 UTC
cyrus-imapd is compiled with net-snmp support and it tries to register its snmp subagent during startup, so it looks to me like correct behaviour and cyrus-imapd should be allowed to connect to (and use) /var/agentx/master

I am not an expert in net-snmp, but the subagent support needs to be explicitly enabled in /etc/snmp/snmpd.conf.

Comment 3 Daniel Walsh 2009-02-02 16:47:03 UTC
Miroslav, you need to add

	snmp_stream_connect(cyrus_t)


########################################
## <summary>
##	Connect to snmpd using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_stream_connect',`
	gen_require(`
		type snmpd_t, snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')
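
As an added example (not code from the bug report or from the policy sources), the script below parses the two raw AVC messages from the description into the allow rules they imply, the way audit2allow would, and then checks whether the access granted by the snmp_stream_connect interface in comment 3 covers both denials. The permission sets assigned to stream_connect_pattern are written from memory of refpolicy's macros and are an assumption.

```python
import re

# AVC lines copied from the bug's raw audit messages (constructed copies,
# trimmed to the fields the parser needs; no values were added).
AVC_LINES = [
    'type=AVC msg=audit(1230895754.46:30): avc:  denied  { write } for  pid=3060 '
    'comm="cyrus-master" name="master" dev=sdd3 ino=3603319 '
    'scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1230895754.46:30): avc:  denied  { connectto } for  pid=3060 '
    'comm="cyrus-master" path="/var/agentx/master" '
    'scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """(source type, target type, class, denied perms) for an AVC line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    typ = lambda ctx: ctx.split(':')[2]  # user:role:type:level -> type
    return typ(m.group('scon')), typ(m.group('tcon')), m.group('tclass'), frozenset(m.group('perms').split())

def allow_rules(lines):
    """Collapse denials into minimal allow rules (what audit2allow -m reports)."""
    needed = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            needed.setdefault((stype, ttype, tclass), set()).update(perms)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in needed.items())

def stream_connect_pattern(domain, dir_t, sock_t, server_t):
    # Access refpolicy's stream_connect_pattern($1,$2,$3,$4) grants; the exact
    # permission sets are recalled from refpolicy and are an assumption.
    return {(domain, dir_t, 'dir'): {'getattr', 'search', 'open'},
            (domain, sock_t, 'sock_file'): {'getattr', 'write', 'open'},
            (domain, server_t, 'unix_stream_socket'): {'connectto'}}

def uncovered_denials(lines, granted):
    """Denied permissions the granted access still does not cover (empty == fixed)."""
    missing = []
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            missing.extend(sorted(perms - granted.get((stype, ttype, tclass), set())))
    return missing
```

Running uncovered_denials against stream_connect_pattern('cyrus_t', 'snmpd_var_lib_t', 'snmpd_var_lib_t', 'snmpd_t') returns an empty list, which is the check that the one-line snmp_stream_connect(cyrus_t) call is sufficient for both denials.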

Comment 4 Miroslav Grepl 2009-02-03 19:05:08 UTC
Fixed in selinux-policy-3.5.13-42.fc10

Comment 5 Nathan Kinder 2009-09-15 21:46:26 UTC
Is there a reason that the "snmp_stream_connect" macro was not added to the policy for F11 and later?  I am writing a policy module for an SNMP subagent that communicates using agentx over a unix domain socket that could use this macro.

Please let me know if you would like a new bug opened for this, or if this bug should be reopened.

Comment 6 Miroslav Grepl 2009-09-16 12:45:37 UTC
Fixed in selinux-policy-3.6.12-83.fc11.noarch

Comment 7 Anthony Messina 2009-12-30 07:56:55 UTC
Not a problem in selinux-policy-targeted-3.6.32-59.fc12.noarch (F12)

