Bug 523548 - SELinux is preventing cyrus-master (cyrus_t) "write" to master (snmpd_var_lib_t).
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On: 478629
Blocks: 523927
 
Reported: 2009-09-15 21:51 UTC by Nathan Kinder
Modified: 2018-02-09 10:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 478629
Environment:
Last Closed: 2010-03-30 07:50:28 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Nathan Kinder 2009-09-15 21:51:11 UTC
+++ This bug was initially created as a clone of Bug #478629 +++

Using selinux-policy-targeted-3.5.13-37.fc10.noarch...

Note that I do not specify that cyrus-imapd uses snmp:
/usr/lib/cyrus-imapd/cyrus-master -d

See, no -P switch

I'm not sure what context snmpd's agentx should have if so many things are to access it: asterisk, cyrus-master, etc.  Would each service need its own socket with its own permissions or can multiple services read and write to/from the same snmpd socket?

Source Context                system_u:system_r:cyrus_t:s0
Target Context                system_u:object_r:snmpd_var_lib_t:s0
Target Objects                master [ sock_file ]
Source                        cyrus-master
Source Path                   /usr/lib/cyrus-imapd/cyrus-master
Port                          <Unknown>
Host                          chicago.messinet.com
Source RPM Packages           cyrus-imapd-2.3.12p2-3.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-37.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     
Platform                      Linux 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 02 Jan 2009 05:29:14 AM CST
Last Seen                     Fri 02 Jan 2009 05:29:14 AM CST
Local ID                      b3092c43-1fb0-4d98-ab20-af06d18b23e8
Line Numbers                  

Raw Audit Messages            

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { write } for  pid=3060 comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file

node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { connectto } for  pid=3060 comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket

node=xxx.com type=SYSCALL msg=audit(1230895754.46:30): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff04cc7d80 a2=6e a3=7fff04cc7ac0 items=0 ppid=1 pid=3060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=system_u:system_r:cyrus_t:s0 key=(null)

--- Additional comment from amessina on 2009-01-22 12:55:52 EDT ---

Sorry, I should have reported to selinux-policy-targeted

--- Additional comment from dan on 2009-01-27 05:44:07 EDT ---

cyrus-imapd is compiled with net-snmp support and it tries to register its snmp subagent during startup, so it looks to me as correct behaviour and cyrus-imapd should be allowed to connect to (and use) /var/agentx/master

I am not an expert in net-snmp, but the subagent support needs to be explicitly enabled in /etc/snmp/snmpd.conf.

--- Additional comment from dwalsh on 2009-02-02 11:47:03 EDT ---

Miroslav you need to add

	snmp_stream_connect(cyrus_t)


########################################
## <summary>
##	Connect to snmpd using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_stream_connect',`
	gen_require(`
		type snmpd_t, snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')

--- Additional comment from mgrepl on 2009-02-03 14:05:08 EDT ---

Fixed in selinux-policy-3.5.13-42.fc10

--- Additional comment from nkinder on 2009-09-15 17:46:26 EDT ---

Is there a reason that the "snmp_stream_connect" macro was not added to the policy for F11 and later?  I am writing a policy module for an SNMP subagent that communicates using agentx over a unix domain socket that could use this macro.

Please let me know if you would like a new bug opened for this, or if this bug should be reopened.
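
Triage of the raw audit messages quoted in the description, as an added example (this is not code from the bug report or from selinux-policy): it parses the AVC records, renders them as audit2allow-style allow rules, and checks whether the permissions that snmp_stream_connect grants through stream_connect_pattern would cover every denial. The expansion of stream_connect_pattern and the search_dir_perms / write_sock_file_perms sets are assumed from the reference policy macros; the sample lines are the two AVC records and the SYSCALL record from this report.

```python
"""Triage SELinux AVC denials and check them against a policy interface."""
import re
from collections import defaultdict

# Sample input: the raw audit messages quoted in this bug report (the
# node name is the placeholder the reporter already used).
SAMPLE_AUDIT = """\
node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { write } for  pid=3060 comm="cyrus-master" name="master" dev=sdd3 ino=3603319 scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
node=xxx.com type=AVC msg=audit(1230895754.46:30): avc:  denied  { connectto } for  pid=3060 comm="cyrus-master" path="/var/agentx/master" scontext=system_u:system_r:cyrus_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
node=xxx.com type=SYSCALL msg=audit(1230895754.46:30): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7fff04cc7d80 a2=6e a3=7fff04cc7ac0 items=0 ppid=1 pid=3060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=system_u:system_r:cyrus_t:s0 key=(null)
"""

# Matches only AVC records; SYSCALL and other record types are ignored.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} for denied AVCs."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        key = (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def allow_rules(rules):
    """Render denials the way audit2allow would, one allow rule per key."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def stream_connect_pattern(domain, dir_type, sock_type, server_domain):
    """Permissions granted by refpolicy's stream_connect_pattern macro.

    Assumed expansion (reference policy): search on the directory type,
    write_sock_file_perms on the socket file type, and connectto on the
    server domain's unix_stream_socket.
    """
    return {
        (domain, dir_type, "dir"): {"getattr", "search", "open"},
        (domain, sock_type, "sock_file"): {"getattr", "write", "open", "append"},
        (domain, server_domain, "unix_stream_socket"): {"connectto"},
    }


def uncovered(denials, granted):
    """Denials (key -> perms) that `granted` does not satisfy."""
    missing = {}
    for key, perms in denials.items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    for rule in allow_rules(denials):
        print(rule)
    # What snmp_stream_connect(cyrus_t) expands to, per the interface above.
    granted = stream_connect_pattern("cyrus_t", "snmpd_var_lib_t",
                                     "snmpd_var_lib_t", "snmpd_t")
    print("uncovered:", uncovered(denials, granted))
```

Both denials fall inside the permission set of snmp_stream_connect(cyrus_t), so the check reports nothing uncovered; a denial on some other type or class would be listed, which is the signal that a different interface (or a labelling fix) is needed rather than a broad local allow rule.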

Comment 1 Daniel Walsh 2009-09-15 21:54:24 UTC
Fixed in selinux-policy-2.4.6-258.el5

Comment 2 Scott Haines 2009-09-15 22:29:59 UTC
Proposing for 5.4.z as Directory Server v9 is targeted to release prior to RHEL5.5.

Comment 10 errata-xmlrpc 2010-03-30 07:50:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

