Bug 523773 - SELinux prevents snmpd from listening on agentx_port_t sockets
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE
Depends On: 523516
Reported: 2009-09-16 16:10 UTC by Nathan Kinder
Modified: 2012-10-15 14:22 UTC (History)

Doc Type: Bug Fix
Clone Of: 523516
Last Closed: 2010-03-30 07:50:11 UTC

Links
System ID: Red Hat Product Errata RHBA-2010:0182
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2010-03-29 12:19:53 UTC

Description Nathan Kinder 2009-09-16 16:10:17 UTC
+++ This bug was initially created as a clone of Bug #523516 +++

If you configure snmpd to listen on tcp or udp for agentx subagents, an AVC similar to the following occurs:

type=AVC msg=audit(1253041370.420:31047): avc:  denied  { name_bind } for  pid=4153 comm="snmpd" src=705 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1253041370.420:31047): arch=c000003e syscall=49 success=no exit=-2037915688 a0=7 a1=7fffd27cbfc0 a2=10 a3=7fffd27cbf8c items=0 ppid=1 pid=4153 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)

The snmpd daemon needs to be able to listen on the agentx port.  It seems that the following should be added to snmp.te:

corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)

--- Additional comment from dwalsh@redhat.com on 2009-09-15 15:34:36 EDT ---

If you say it is legitimate, it is good enough for me.

Miroslav, add these lines.

--- Additional comment from nkinder@redhat.com on 2009-09-15 19:33:10 EDT ---

One other thing that I just noticed is that snmptrapd is not allowed to communicate over agentx using a unix domain socket.  We need to add the following in addition to the macros I mentioned above:

    snmp_stream_connect(snmpd_t)

Note that this requires this macro to be available, which it is not on certain Fedora versions.  This would require bug 478629 to be addressed.

--- Additional comment from mgrepl@redhat.com on 2009-09-16 08:40:42 EDT ---

Fixed in selinux-policy-3.6.12-83.fc11.noarch
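
Added example, not part of the original bug report or of selinux-policy: a Python helper that parses the AVC record quoted in the description and derives both the literal allow rule and the interface call requested for snmp.te. The function names are hypothetical, the UDP record is constructed, and the corenet_<proto>_bind_<name>_port naming is assumed from the two macros named in the report, so confirm the interface exists in the installed policy before using the output.

```python
import re

# AVC record copied from the bug description above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1253041370.420:31047): avc:  denied  { name_bind } for  '
    'pid=4153 comm="snmpd" src=705 scontext=unconfined_u:system_r:snmpd_t:s0 '
    'tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket'
)
# Constructed variant: the same denial on a UDP socket (not from the report).
SAMPLE_AVC_UDP = SAMPLE_AVC.replace('tclass=tcp_socket', 'tclass=udp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group('fields').split() if '=' in kv)
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '').strip('"'),
        # A context is user:role:type[:level]; the type is the third field.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def raw_allow_rule(avc):
    """The literal type-enforcement rule the denial corresponds to."""
    return 'allow %s %s:%s { %s };' % (
        avc['source_type'], avc['target_type'], avc['tclass'], ' '.join(avc['perms']))

def corenet_bind_interface(avc):
    """Interface call for a name_bind denial on a <name>_port_t type, else None.

    Assumes the corenet_<proto>_bind_<name>_port naming seen in the report.
    """
    proto = {'tcp_socket': 'tcp', 'udp_socket': 'udp'}.get(avc['tclass'])
    target = avc['target_type']
    if proto is None or 'name_bind' not in avc['perms'] or not target.endswith('_port_t'):
        return None
    return 'corenet_%s_bind_%s_port(%s)' % (proto, target[:-len('_port_t')], avc['source_type'])

if __name__ == '__main__':
    for record in (SAMPLE_AVC, SAMPLE_AVC_UDP):
        avc = parse_avc(record)
        print(raw_allow_rule(avc), '->', corenet_bind_interface(avc))
```

Preferring the interface call over the raw allow rule keeps the local change consistent with how the policy module itself grants port access.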

Comment 1 Daniel Walsh 2009-09-16 16:25:07 UTC
Fixed in selinux-policy-2.4.6-258.el5

Comment 2 Scott Haines 2009-09-16 17:03:58 UTC
Providing pm_ack.

Comment 9 errata-xmlrpc 2010-03-30 07:50:11 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

