Bug 579547 - dontaudit snmpd_t write to removable_device_t
Summary: dontaudit snmpd_t write to removable_device_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-04-05 19:48 UTC by Jeff Bastian
Modified: 2018-11-14 20:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When SELinux was configured to run in the permissive mode, and the snmpd service attempted to access removable devices, this access was denied and relevant AVC messages were written to the audit log. Since this access is not necessary for snmpd to work properly, appropriate SELinux rules have been added to prevent these denials from being logged.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:49:05 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2011:0026
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2011-01-12 16:11:15 UTC

Description Jeff Bastian 2010-04-05 19:48:37 UTC
Description of problem:
SELinux is logging the following AVC in permissive mode:

host=foo type=AVC msg=audit(1269510546.839:120364): avc:  denied  { write } for  pid=30618 comm="snmpd" name="fd0" dev=tmpfs ino=4287 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file

host=foo type=SYSCALL msg=audit(1269510546.839:120364): arch=c000003e syscall=2 success=yes exit=43 a0=7fff61330540 a1=800 a2=0 a3=3 items=0 ppid=1 pid=30618 auid=2811 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4303 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)


Version-Release number of selected component (if applicable):
net-snmp-5.3.2.2-9.el5
net-snmp-libs-5.3.2.2-9.el5
net-snmp-utils-5.3.2.2-9.el5
selinux-policy-2.4.6-271.el5
selinux-policy-targeted-2.4.6-271.el5

How reproducible:
every time

Steps to Reproduce:
1. setenforce 0
2. mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.ORIG
3. cat >/etc/snmp/snmpd.conf <<EOF
com2sec notConfigUser  default       public
group   notConfigGroup v1           notConfigUser
group   notConfigGroup v2c           notConfigUser
view    systemview    included .1.3.6.1.2.1.25
access  notConfigGroup ""      any       noauth    exact  systemview none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
EOF
4. service snmpd start
5. snmpwalk -v1 localhost -c public
  
Actual results:
AVC messages are logged in /var/log/audit/audit.log

Expected results:
dontaudit this problem

Additional info:

Comment 3 Daniel Walsh 2010-04-06 13:03:54 UTC
Miroslav add

storage_dontaudit_write_removable_device(snmpd_t)
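
Before the fixed package named in Comment 10 was available, an administrator could silence this denial locally with a module carrying the same rule that the `storage_dontaudit_write_removable_device(snmpd_t)` interface expands to. The script below is an added example, not part of this bug report or of the selinux-policy package: it derives the dontaudit rule from the AVC record quoted in the description (the way `audit2allow -D` does), wraps it in a `.te` module, and shows the checkmodule / semodule_package / semodule sequence used to load it. The module name `local_snmpd_dontaudit` and the function names are my own; the install step assumes root and the policycoreutils tools and is defined but not run.

```shell
#!/bin/sh
# Added example: turn AVC denials into a local SELinux dontaudit module.
# Not from the bug report. Assumes the audit record layout shown above.

# Constructed input: the AVC record from the bug description.
AVC_LINE='type=AVC msg=audit(1269510546.839:120364): avc:  denied  { write } for  pid=30618 comm="snmpd" name="fd0" dev=tmpfs ino=4287 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file'

# avc_field RECORD KEY: value of one "key=value" field of an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT: the type component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permissions between the braces after "denied".
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_tuple RECORD: "source_type target_type class perm..." on one line.
avc_tuple() {
    printf '%s %s %s %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# avc_to_dontaudit RECORD: the dontaudit rule for a single AVC record.
avc_to_dontaudit() {
    avc_tuple "$1" | awk '{
        printf "dontaudit %s %s:%s {", $1, $2, $3
        for (i = 4; i <= NF; i++) printf " %s", $i
        print " };"
    }'
}

# avc_to_te_module NAME: read audit records on stdin (e.g. grep avc:
# /var/log/audit/audit.log), keep the AVC denials, and emit a complete
# .te module in the plain "module" form that checkmodule -M -m accepts.
avc_to_te_module() {
    name=$1
    tuples=$(while IFS= read -r line; do
        case $line in
            *avc:*denied*) avc_tuple "$line" ;;
        esac
    done | sort -u)
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    # every source and target type must be declared in the require block
    printf '%s\n' "$tuples" | awk '{ print $1; print $2 }' | sort -u |
        sed 's/.*/    type &;/'
    # one class line per object class, with the union of its permissions
    printf '%s\n' "$tuples" | awk '
        { for (i = 4; i <= NF; i++) if (!seen[$3, $i]++) p[$3] = p[$3] " " $i }
        END { for (c in p) printf "    class %s {%s };\n", c, p[c] }'
    printf '}\n\n'
    printf '%s\n' "$tuples" | awk '{
        printf "dontaudit %s %s:%s {", $1, $2, $3
        for (i = 4; i <= NF; i++) printf " %s", $i
        print " };"
    }'
}

# install_dontaudit_module NAME: build and load the module (root only;
# needs checkmodule, semodule_package and semodule from policycoreutils).
# Defined for completeness; the errata package supersedes this once applied.
install_dontaudit_module() {
    name=$1
    dir=$(mktemp -d) || return 1
    avc_to_te_module "$name" > "$dir/$name.te" &&
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te" &&
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" &&
    semodule -i "$dir/$name.pp"
}

# Print the module that the report's AVC record produces.
printf '%s\n' "$AVC_LINE" | avc_to_te_module local_snmpd_dontaudit
```

Feed the real log through the same function (`grep avc: /var/log/audit/audit.log | install_dontaudit_module local_snmpd_dontaudit`) after checking that every collected denial is one you actually want hidden: dontaudit suppresses the audit record without granting access, so it is only appropriate where, as here, the denied operation is not needed for the service to work. Re-run `snmpwalk` and `ausearch -m AVC -c snmpd` afterwards to confirm the record no longer appears.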

Comment 10 Miroslav Grepl 2010-07-22 09:28:08 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 13 Jaromir Hradilek 2011-01-05 16:13:48 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When SELinux was configured to run in the permissive mode, and the snmpd service attempted to access removable devices, this access was denied and relevant AVC messages were written to the audit log. Since this access is not necessary for snmpd to work properly, appropriate SELinux rules have been added to prevent these denials from being logged.

Comment 15 errata-xmlrpc 2011-01-13 21:49:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

