+++ This bug was initially created as a clone of Bug #523516 +++

If you configure snmpd to listen on tcp or udp for agentx subagents, an AVC similar to the following occurs:

type=AVC msg=audit(1253041370.420:31047): avc: denied { name_bind } for pid=4153 comm="snmpd" src=705 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1253041370.420:31047): arch=c000003e syscall=49 success=no exit=-2037915688 a0=7 a1=7fffd27cbfc0 a2=10 a3=7fffd27cbf8c items=0 ppid=1 pid=4153 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)

The snmpd daemon needs to be able to listen on the agentx port. It seems that the following should be added to snmp.te:

corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)

--- Additional comment from dwalsh on 2009-09-15 15:34:36 EDT ---

If you say it is legitimate, it is good enough for me. Miroslav, add these lines.

--- Additional comment from nkinder on 2009-09-15 19:33:10 EDT ---

One other thing that I just noticed is that snmptrapd is not allowed to communicate over agentx using a unix domain socket. We need to add the following in addition to the macros I mentioned above:

snmp_stream_connect(snmpd_t)

Note that this requires this macro to be available, which it is not on certain Fedora versions. This would require bug 478629 to be addressed.

--- Additional comment from mgrepl on 2009-09-16 08:40:42 EDT ---

Fixed in selinux-policy-3.6.12-83.fc11.noarch
Fixed in selinux-policy-2.4.6-258.el5
Providing pm_ack.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html
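Until the errata policy is installed, the usual stop-gap for an AVC like the one in the report is a local policy module carrying exactly the denied access (what `audit2allow -M` would build). The script below is an added example, not part of the bug report or of the selinux-policy package: it parses AVC records into allow rules and emits a complete `.te` module. The TCP AVC line is copied from the report; the UDP line, the module name `local_snmpd_agentx` and the function names are constructed here. The `corenet_*_bind_agentx_port` macros nkinder proposes wrap the same `name_bind` permission on `agentx_port_t`, but via the interface layer rather than a raw allow rule, which is why the interface fix is the right permanent one.

```shell
#!/bin/bash
# Added example: turn snmpd's agentx AVC denials into a local SELinux policy
# module. AVC_TCP is the record quoted in the bug; AVC_UDP is constructed
# (the report says tcp or udp but only quotes the tcp denial).

AVC_TCP='type=AVC msg=audit(1253041370.420:31047): avc: denied { name_bind } for pid=4153 comm="snmpd" src=705 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket'
AVC_UDP='type=AVC msg=audit(1253041370.421:31048): avc: denied { name_bind } for pid=4153 comm="snmpd" src=705 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=udp_socket'

# Third field of an SELinux context user:role:type:level is the type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# One AVC record -> the allow rule audit2allow would emit for it, e.g.
#   allow snmpd_t agentx_port_t:tcp_socket { name_bind };
# Prints nothing and returns 1 if the line is not a parsable AVC record.
avc_to_allow() {
  local line="$1" perms src tgt cls
  perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
  src=$(ctx_type "$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')")
  tgt=$(ctx_type "$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')")
  cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Build a complete .te module (name is our choice) from any number of AVC
# records: a require block declaring every type, class and permission the
# rules reference, followed by the rules themselves.
gen_module() {
  local name="$1" rules
  shift
  rules=$(for l in "$@"; do avc_to_allow "$l" || echo "skipping unparsable line: $l" >&2; done)
  printf 'module %s 1.0;\n\nrequire {\n' "$name"
  printf '%s\n' "$rules" | awk '
    {
      split($3, tc, ":")                      # target is "type:class"
      types[$2] = 1; types[tc[1]] = 1
      for (i = 5; i <= NF && $i != "};"; i++)   # permissions between { and };
        if (!seen[tc[2], $i]++) perms[tc[2]] = perms[tc[2]] " " $i
    }
    END {
      for (t in types) printf "\ttype %s;\n", t
      for (c in perms) printf "\tclass %s {%s };\n", c, perms[c]
    }'
  printf '}\n\n%s\n' "$rules"
}

# To install on the affected host (needs checkpolicy and policycoreutils):
#   gen_module local_snmpd_agentx "$AVC_TCP" "$AVC_UDP" > local_snmpd_agentx.te
#   checkmodule -M -m -o local_snmpd_agentx.mod local_snmpd_agentx.te
#   semodule_package -o local_snmpd_agentx.pp -m local_snmpd_agentx.mod
#   semodule -i local_snmpd_agentx.pp
# and remove it with "semodule -r local_snmpd_agentx" once the errata policy
# from the advisory above is installed, so the raw rule does not outlive the fix.
gen_module local_snmpd_agentx "$AVC_TCP" "$AVC_UDP"
```

Note that the module grants only what the AVC shows was denied; it does not cover the unix-domain-socket access nkinder mentions for the stream connect, which would show up as a separate AVC and would need its own rule generated the same way.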