Description of problem:
SELinux is logging the following AVC in permissive mode:

host=foo type=AVC msg=audit(1269510546.839:120364): avc: denied { write } for pid=30618 comm="snmpd" name="fd0" dev=tmpfs ino=4287 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
host=foo type=SYSCALL msg=audit(1269510546.839:120364): arch=c000003e syscall=2 success=yes exit=43 a0=7fff61330540 a1=800 a2=0 a3=3 items=0 ppid=1 pid=30618 auid=2811 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4303 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
net-snmp-5.3.2.2-9.el5
net-snmp-libs-5.3.2.2-9.el5
net-snmp-utils-5.3.2.2-9.el5
selinux-policy-2.4.6-271.el5
selinux-policy-targeted-2.4.6-271.el5

How reproducible:
every time

Steps to Reproduce:
1. setenforce 0
2. mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.ORIG
3. cat >/etc/snmp/snmpd.conf <<EOF
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.25
access notConfigGroup "" any noauth exact systemview none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
EOF
4. service snmpd start
5. snmpwalk -v1 localhost -c public

Actual results:
AVC messages are logged in /var/log/audit/audit.log

Expected results:
dontaudit this problem

Additional info:
Miroslav add storage_dontaudit_write_removable_device(snmpd_t)
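Added example, not from the bug report or the selinux-policy package: a small Python parser that reads the two audit records from the description above (embedded here as constructed sample input), pairs the AVC record with its SYSCALL record by event serial to confirm the denial was logged in permissive mode (success=yes despite "denied"), and emits the raw dontaudit rule for it. That raw rule is the form that a reference-policy interface such as the storage_dontaudit_write_removable_device() named in the comment above wraps; the regexes and function names are this example's own.

```python
"""Parse SELinux AVC denials from audit.log and derive the raw policy rule
that would silence them (roughly what `audit2allow -D` prints).

Added example; not part of the bug report. The audit records below are the
two lines from the report, embedded as constructed sample input.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC + SYSCALL pair quoted in the report.
SAMPLE_AUDIT_LOG = """\
host=foo type=AVC msg=audit(1269510546.839:120364): avc: denied { write } for pid=30618 comm="snmpd" name="fd0" dev=tmpfs ino=4287 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file
host=foo type=SYSCALL msg=audit(1269510546.839:120364): arch=c000003e syscall=2 success=yes exit=43 a0=7fff61330540 a1=800 a2=0 a3=3 items=0 ppid=1 pid=30618 auid=2811 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4303 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)
"""

# Hypothetical regexes written for this example; they match the kernel's AVC/SYSCALL layout.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: (?P<verdict>denied|granted)"
    r" \{ (?P<perms>[^}]+) \} for .*?scontext=(?P<scontext>\S+)"
    r" tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?success=(?P<success>yes|no)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def parse_avcs(log_text):
    """Return one dict per AVC record, joined with the SYSCALL record sharing its serial."""
    syscalls = {}
    for line in log_text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group("serial")] = m.group("success")
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        events.append({
            "serial": m.group("serial"),
            "verdict": m.group("verdict"),
            "perms": frozenset(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # Under permissive mode the kernel logs "denied" but lets the syscall succeed.
            "syscall_success": syscalls.get(m.group("serial")),
        })
    return events


def was_permissive(event):
    """A 'denied' AVC whose syscall still succeeded was logged by a permissive system or domain."""
    return event["verdict"] == "denied" and event["syscall_success"] == "yes"


def policy_rules(events, kind="dontaudit"):
    """Collapse denials into raw policy rules, one per (source type, target type, class),
    merging the permission sets. kind may be 'dontaudit' or 'allow'."""
    merged = defaultdict(set)
    for ev in events:
        if ev["verdict"] != "denied":
            continue
        merged[(ev["stype"], ev["ttype"], ev["tclass"])] |= ev["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for ev in parse_avcs(SAMPLE_AUDIT_LOG):
        print(f"event {ev['serial']}: permissive={was_permissive(ev)}")
    for rule in policy_rules(parse_avcs(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Choosing `dontaudit` rather than `allow` is the substance of the fix: the report states snmpd works without writing to the removable device, so the denial is noise to be silenced, not a permission to be granted. Joining on the event serial is what tells a reviewer that the AVC came from permissive mode rather than from an actual blocked operation.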
Fixed in selinux-policy-2.4.6-281.el5.noarch
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: When SELinux was configured to run in the permissive mode, and the snmpd service attempted to access removable devices, this access was denied and relevant AVC messages were written to the audit log. Since this access is not necessary for snmpd to work properly, appropriate SELinux rules have been added to prevent these denials from being logged.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html