Summary: SELinux is preventing /usr/sbin/snmptrapd from connecting to port 161.

Detailed Description:
SELinux has denied snmptrapd from connecting to a network port 161 which does not have an SELinux type associated with it. If snmptrapd should be allowed to connect on 161, use the semanage command to assign 161 to a port type that snmpd_t can connect to (agentx_port_t, ldap_port_t, dns_port_t, ocsp_port_t, kerberos_port_t). If snmptrapd is not supposed to connect to 161, this could signal an intrusion attempt.

Allowing Access:
If you want to allow snmptrapd to connect to 161, you can execute
  semanage port -a -t PORT_TYPE -p tcp 161
where PORT_TYPE is one of the following: agentx_port_t, ldap_port_t, dns_port_t, ocsp_port_t, kerberos_port_t.

Additional Information:
Source Context        unconfined_u:system_r:snmpd_t:s0
Target Context        system_u:object_r:reserved_port_t:s0
Target Objects        None [ tcp_socket ]
Source                snmptrapd
Source Path           /usr/sbin/snmptrapd
Port                  161
Host                  (removed)
Source RPM Packages   net-snmp-5.4.2.1-19.fc12
Target RPM Packages
Policy RPM            selinux-policy-3.6.32-89.fc12
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           connect_ports
Host Name             (removed)
Platform              Linux (removed) 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
Alert Count           23455
First Seen            Wed 24 Feb 2010 10:31:02 PM CST
Last Seen             Mon 01 Mar 2010 01:11:57 AM CST
Local ID              ee6ba1b2-7b3e-43de-acc7-f24debfcd326
Line Numbers

Raw Audit Messages
node=(removed) type=AVC msg=audit(1267427517.940:24406): avc: denied { name_connect } for pid=26257 comm="snmptrapd" dest=161 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
node=(removed) type=SYSCALL msg=audit(1267427517.940:24406): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb85de0 a2=2f357c a3=ea5fa0 items=0 ppid=1 pid=26257 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmptrapd" exe="/usr/sbin/snmptrapd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)

Hash String generated from connect_ports,snmptrapd,snmpd_t,reserved_port_t,tcp_socket,name_connect

audit2allow suggests:
#============= snmpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow snmpd_t reserved_port_t:tcp_socket name_connect;
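As an added illustration (not part of this bug report), a small POSIX shell triage helper that parses an AVC name_connect denial like the one above and reports whether the target port carries only a generic type such as reserved_port_t (a candidate for semanage port labeling if the traffic is legitimate) or already has a service-specific type; the list of generic port types is my assumption from the reference policy, and the sample line is constructed from the report.

```shell
#!/bin/sh
# Constructed sample: the AVC line from the report, trimmed to the fields parsed here.
SAMPLE_AVC='type=AVC msg=audit(1267427517.940:24406): avc: denied { name_connect } for pid=26257 comm="snmptrapd" dest=161 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: value of KEY=value on the line, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# avc_type_of CONTEXT: the type component of a user:role:type:level context.
avc_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission LINE: the permission named inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p'
}

# triage_avc LINE prints one of:
#   port-unlabeled:<domain>:<proto>:<port>  port has only a generic type (assumed set:
#       port_t, reserved_port_t, unreserved_port_t, hi_reserved_port_t, ephemeral_port_t);
#       if the traffic is legitimate, label it: semanage port -a -t <TYPE> -p <proto> <port>
#   port-labeled:<domain>:<ttype>:<port>    port already has a service type; the domain
#       simply lacks a rule for it, so this needs a policy change rather than relabeling
#   other:<permission>                      not a name_connect denial at all
triage_avc() {
    perm=$(avc_permission "$1")
    [ "$perm" = name_connect ] || { printf 'other:%s\n' "$perm"; return 0; }
    domain=$(avc_type_of "$(avc_field "$1" scontext)")
    ttype=$(avc_type_of "$(avc_field "$1" tcontext)")
    port=$(avc_field "$1" dest)
    tclass=$(avc_field "$1" tclass)
    proto=${tclass%_socket}
    case $ttype in
        port_t|reserved_port_t|unreserved_port_t|hi_reserved_port_t|ephemeral_port_t)
            printf 'port-unlabeled:%s:%s:%s\n' "$domain" "$proto" "$port" ;;
        *)
            printf 'port-labeled:%s:%s:%s\n' "$domain" "$ttype" "$port" ;;
    esac
}

triage_avc "$SAMPLE_AVC"   # prints port-unlabeled:snmpd_t:tcp:161
```

Feed it real lines with `ausearch -m avc --raw`; a sudden burst of port-unlabeled results from a domain that normally never connects out is the pattern the report text warns about.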
Miroslav, can you change the port definition to
network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
Strange that this has never happened before.
Ok, I will change it but it is really strange.
Do you mean snmp should not be using TCP on these ports, or that it is really strange that we did not have it in policy already and it was never reported as a problem before?
I was convinced that snmp uses UDP on these ports. But from /etc/services:
snmp            161/tcp                         # Simple Net Mgmt Proto
snmp            161/udp                         # Simple Net Mgmt Proto
snmptrap        162/tcp                         # SNMPTRAP
snmptrap        162/udp         snmp-trap       # Traps for SNMP
In general, by default it does use UDP, but it can use TCP. The RFC for this is 3430 and is still considered experimental.
Well it is legit, so we should allow it.
Fixed in selinux-policy-3.6.32-104.fc12
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.