Bug 573885 - SELinux is preventing /usr/sbin/snmptrapd from connecting to port 161.
Summary: SELinux is preventing /usr/sbin/snmptrapd from connecting to port 161.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b712e744468...
Depends On:
Blocks:
 
Reported: 2010-03-16 01:47 UTC by Brian Whitehead
Modified: 2010-03-30 02:11 UTC (History)

Fixed In Version: selinux-policy-3.6.32-106.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 02:11:13 UTC
Type: ---



Description Brian Whitehead 2010-03-16 01:47:43 UTC
Summary:

SELinux is preventing /usr/sbin/snmptrapd from connecting to port 161.

Detailed Description:

SELinux has denied snmptrapd from connecting to network port 161, which does
not have an SELinux type associated with it. If snmptrapd should be allowed to
connect on 161, use the semanage command to assign 161 to a port type that
snmpd_t can connect to (agentx_port_t, ldap_port_t, dns_port_t, ocsp_port_t,
kerberos_port_t).
If snmptrapd is not supposed to connect to 161, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow snmptrapd to connect to 161, you can execute
semanage port -a -t PORT_TYPE -p tcp 161
where PORT_TYPE is one of the following: agentx_port_t, ldap_port_t, dns_port_t,
ocsp_port_t, kerberos_port_t.

Additional Information:

Source Context                unconfined_u:system_r:snmpd_t:s0
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        snmptrapd
Source Path                   /usr/sbin/snmptrapd
Port                          161
Host                          (removed)
Source RPM Packages           net-snmp-5.4.2.1-19.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19
                              19:26:06 UTC 2010 i686 i686
Alert Count                   23455
First Seen                    Wed 24 Feb 2010 10:31:02 PM CST
Last Seen                     Mon 01 Mar 2010 01:11:57 AM CST
Local ID                      ee6ba1b2-7b3e-43de-acc7-f24debfcd326
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1267427517.940:24406): avc:  denied  { name_connect } for  pid=26257 comm="snmptrapd" dest=161 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1267427517.940:24406): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb85de0 a2=2f357c a3=ea5fa0 items=0 ppid=1 pid=26257 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmptrapd" exe="/usr/sbin/snmptrapd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)



Hash String generated from  connect_ports,snmptrapd,snmpd_t,reserved_port_t,tcp_socket,name_connect
audit2allow suggests:

#============= snmpd_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow snmpd_t reserved_port_t:tcp_socket name_connect;

Comment 1 Daniel Walsh 2010-03-16 14:30:34 UTC
Miroslav, can you change the port definition to

network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)

Strange that this has never happened before.
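
The following is an added example (not part of the bug report or the selinux-policy project) that ties the raw AVC line from the description to the port definition proposed in Comment 1: it parses the denial into the fields setroubleshoot's connect_ports plugin reasons about (source type, target port type, port, protocol), expands the refpolicy `network_port(name, ...)` macro into the `(proto, port)` pairs it labels as `name_port_t`, and reports whether the proposed policy change covers the denied connection or whether a local `semanage port` assignment is still needed. The AVC and macro strings are copies of the ones on this page; the `triage` result layout is my own.

```python
import re

# Copy of the AVC line from the report's "Raw Audit Messages" (node= prefix dropped).
AVC_LINE = ('type=AVC msg=audit(1267427517.940:24406): avc:  denied  { name_connect } '
            'for  pid=26257 comm="snmptrapd" dest=161 '
            'scontext=unconfined_u:system_r:snmpd_t:s0 '
            'tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket')

# The port definition proposed in Comment 1 (refpolicy network_port macro).
NETWORK_PORT_LINE = ('network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, '
                     'udp,162,s0, tcp,199,s0, tcp, 1161, s0)')

def parse_avc(line):
    """Extract the fields a connect_ports-style check needs from an AVC denial."""
    m = re.search(r'denied\s+\{\s*([^}]+?)\s*\}', line)
    perms = m.group(1).split() if m else []
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    fields = {k: v.strip('"') for k, v in fields.items()}
    # A context is user:role:type:level; the type is the third field.
    src_type = fields['scontext'].split(':')[2]
    tgt_type = fields['tcontext'].split(':')[2]
    proto = {'tcp_socket': 'tcp', 'udp_socket': 'udp'}.get(fields['tclass'])
    return {'perms': perms, 'comm': fields.get('comm'), 'port': int(fields['dest']),
            'proto': proto, 'source_type': src_type, 'target_type': tgt_type}

def parse_network_port(line):
    """Return (label, {(proto, port), ...}) for a network_port(name, proto,port,mls, ...) macro."""
    inner = line[line.index('(') + 1:line.rindex(')')]
    args = [a.strip() for a in inner.split(',')]
    name, triples = args[0], args[1:]
    ports = set()
    for i in range(0, len(triples) - 2, 3):       # each entry is proto, port, MLS level
        ports.add((triples[i], int(triples[i + 1])))
    return name + '_port_t', ports

def triage(avc_line, network_port_line):
    """Decide whether the proposed port definition would resolve this denial."""
    avc = parse_avc(avc_line)
    label, ports = parse_network_port(network_port_line)
    # reserved_port_t (or generic port_t) on the target means the port had no specific label.
    unlabelled = avc['target_type'] in ('reserved_port_t', 'port_t')
    covered = (avc['proto'], avc['port']) in ports
    fix = ('policy update: %s labels %s/%d' % (label, avc['proto'], avc['port']) if covered
           else 'semanage port -a -t PORT_TYPE -p %s %d' % (avc['proto'], avc['port']))
    return {'unlabelled_port': unlabelled, 'covered_by_policy': covered,
            'remediation': fix, **avc}
```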

Comment 2 Miroslav Grepl 2010-03-16 14:37:01 UTC
Ok, I will change it but it is really strange.

Comment 3 Daniel Walsh 2010-03-16 16:41:26 UTC
Do you mean snmp should not be using TCP on these ports, or is it really strange that we did not have it in policy already and it was never reported as a problem before?

Comment 4 Miroslav Grepl 2010-03-16 17:01:17 UTC
I was convinced that snmp uses UDP on these ports. But from /etc/services:

snmp            161/tcp                         # Simple Net Mgmt Proto
snmp            161/udp                         # Simple Net Mgmt Proto
snmptrap        162/tcp                         # SNMPTRAP
snmptrap        162/udp         snmp-trap       # Traps for SNMP

Comment 5 Brian Whitehead 2010-03-16 17:45:46 UTC
In general, by default it does use UDP, but it can use TCP.  The RFC for this is 3430 and is still considered experimental.

Comment 6 Daniel Walsh 2010-03-16 20:11:42 UTC
Well it is legit, so we should allow it.

Comment 7 Miroslav Grepl 2010-03-18 12:40:35 UTC
Fixed in selinux-policy-3.6.32-104.fc12

Comment 8 Fedora Update System 2010-03-23 18:02:52 UTC
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 9 Fedora Update System 2010-03-24 23:30:01 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 10 Fedora Update System 2010-03-30 02:09:35 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

