+++ This bug was initially created as a clone of Bug #478629 +++

Using selinux-policy-targeted-3.5.13-37.fc10.noarch...

Note that I do not specify that cyrus-imapd uses snmp:

/usr/lib/cyrus-imapd/cyrus-master -d

See, no -P switch

I'm not sure what context snmpd's agentx should have, as so many things are to access it: asterisk, cyrus-master, etc. Would each service need its own socket with its own permissions, or can multiple services read and write to/from the same snmpd socket?

Source Context                system_u:system_r:cyrus_t:s0
Target Context                system_u:object_r:snmpd_var_lib_t:s0
Target Objects                master [ sock_file ]
Source                        cyrus-master
Source Path                   /usr/lib/cyrus-imapd/cyrus-master
Port                          <Unknown>
Host                          chicago.messinet.com
Source RPM Packages           cyrus-imapd-2.3.12p2-3.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-37.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name
Platform                      Linux 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 02 Jan 2009 05:29:14 AM CST
Last Seen                     Fri 02 Jan 2009 05:29:14 AM CST
Local ID                      b3092c43-1fb0-4d98-ab20-af06d18b23e8
Line Numbers

Raw Audit Messages

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc: denied { write } for pid=3060 comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc: denied { connectto } for pid=3060 comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket

node=xxx.com type=SYSCALL msg=audit(1230895754.46:30): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff04cc7d80 a2=6e a3=7fff04cc7ac0 items=0 ppid=1 pid=3060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=system_u:system_r:cyrus_t:s0 key=(null)

--- Additional comment from amessina on 2009-01-22 12:55:52 EDT ---

Sorry, I should have reported to selinux-policy-targeted

--- Additional comment from dan on 2009-01-27 05:44:07 EDT ---

cyrus-imapd is compiled with net-snmp support and it tries to register its snmp subagent during startup, so it looks to me as correct behaviour and cyrus-imapd should be allowed to connect to (and use) /var/agentx/master.

I am not an expert in net-snmp, but the subagent support needs to be explicitly enabled in /etc/snmp/snmpd.conf.

--- Additional comment from dwalsh on 2009-02-02 11:47:03 EDT ---

Miroslav you need to add snmp_stream_connect(cyrus_t)

########################################
## <summary>
##	Connect to snmpd using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_stream_connect',`
	gen_require(`
		type snmpd_t, snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')

--- Additional comment from mgrepl on 2009-02-03 14:05:08 EDT ---

Fixed in selinux-policy-3.5.13-42.fc10

--- Additional comment from nkinder on 2009-09-15 17:46:26 EDT ---

Is there a reason that the "snmp_stream_connect" macro was not added to the policy for F11 and later? I am writing a policy module for a SNMP subagent that communicates using agentx over a unix domain socket that could use this macro. Please let me know if you would like a new bug opened for this, or if this bug should be reopened.
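The two AVC denials from the initial report, parsed into the allow rules they imply (the way audit2allow derives them) and checked against what the snmp_stream_connect interface posted above would grant. This is an added example, not code from the report or from the policy; the permission sets in STREAM_CONNECT_GRANTS are an assumed expansion of stream_connect_pattern, not taken from the page.

```python
"""Parse SELinux AVC denials into the allow rules they imply (audit2allow-style)."""
import re
from collections import defaultdict

# Constructed sample: the two AVC denials from the report above, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1230895754.46:30): avc: denied { write } for pid=3060 comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1230895754.46:30): avc: denied { connectto } for pid=3060 comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type:level -> the type field, which is all a TE rule needs."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge denials by (src, tgt, class) into sorted TE allow rules."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

# Assumed expansion of stream_connect_pattern(cyrus_t, snmpd_var_lib_t,
# snmpd_var_lib_t, snmpd_t): search the dir, write the sock_file, connectto snmpd_t.
STREAM_CONNECT_GRANTS = {
    ("cyrus_t", "snmpd_var_lib_t", "dir"): {"search"},
    ("cyrus_t", "snmpd_var_lib_t", "sock_file"): {"write", "getattr", "open", "append"},
    ("cyrus_t", "snmpd_t", "unix_stream_socket"): {"connectto"},
}

def uncovered(text, grants=STREAM_CONNECT_GRANTS):
    """Denials the grants do not satisfy; an empty list means the interface is enough."""
    return [(s, t, c, p - grants.get((s, t, c), set()))
            for s, t, c, p in parse_avc(text) if p - grants.get((s, t, c), set())]
```

Run against a live system, feed it the output of `ausearch -m avc` instead of SAMPLE_AUDIT; a non-empty uncovered list means a local module (or a wider interface) is still needed.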
Fixed in selinux-policy-2.4.6-258.el5
Proposing for 5.4.z as Directory Server v9 is targeted to release prior to RHEL5.5.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html