Bug 587766 - selinux denies snmpd to read from /proc/pid/fd/*
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
5.3
x86_64 Linux
low Severity high
: rc
: ---
Assigned To: Daniel Walsh
BaseOS QE Security Team
:
Depends On:
Blocks:
Reported: 2010-04-30 16:04 EDT by Jason
Modified: 2010-05-03 13:11 EDT
5 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 454024
Environment:
Last Closed: 2010-05-03 13:11:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Jason 2010-04-30 16:04:52 EDT
+++ This bug was initially created as a clone of Bug #454024 +++

Description of problem:

When running an snmpd daemon on a RedHat machine with IPv6 disabled, the daemon
hangs when it is queried for attributes related to IPv6. In particular, doing a
full snmpwalk will display the behaviour.


Version-Release number of selected component (if applicable):

net-snmp-5.3.1-24.el5_2.1


How reproducible:

Every time.


Steps to Reproduce:
1. Disable IPv6 on a machine, by adding these two lines to /etc/modprobe.conf:
        alias net-pf-10 off
        alias ipv6 off
2. Reboot the machine
3. Create a very basic /etc/snmp/snmpd.conf:
        rocommunity read public default
4. Start snmpd daemon:
        service snmpd start
5. Query it with snmpwalk:
        snmpwalk -v 2c -c public localhost .1


Actual results:

It will hang after TCP-MIB::tcpConnRemPort (or around that). Even after breaking
the snmpwalk with Ctrl+C, the snmpd daemon will be unresponsive and won't answer
any more queries.

In /var/log/messages you will see messages such as:

snmpd[32695]: could not open /proc/net/if_inet6
snmpd[32695]: cannot open /proc/net/snmp6
snmpd[32695]: could not open /proc/net/tcp6

You have to restart the daemon to be able to do SNMP queries again.


Expected results:

The daemon should probably detect that IPv6 is not enabled/not available and
should just skip those sessions of the MIB. Even if it logs an error, it should
certainly not hang and stop answering queries.

--- Additional comment from jsafrane@redhat.com on 2008-07-04 05:48:49 EDT ---

I can't reproduce the bug. I fixed something similar for RHEL 5.2, see bug
#444236. The snmpd indeed prints "could not open /proc/net/if_inet6", but should
recover from such errors and anything above net-snmp-5.3.1-23 should work
without IPv6 module.

Please double-check that you use the latest version, and if it's still
reproducible, then please provide an strace of snmpd.

--- Additional comment from filbranden@gmail.com on 2008-07-04 14:44:31 EDT ---

Yes, actually it seems that the upgrade to 5.3.1-24.el5_2.1 fixed this problem.
I was confused, though, because I was seeing the same symptom (snmpwalk hanging)
and same log messages.

I went further and I saw that now what happens is that, just after restarting
snmpd, the first time I run snmpwalk, it hangs just after TCP-MIB::tcpOutRsts.0
for some seconds and actually makes snmpwalk time out. On the next tries, that
no longer happens. I saw that when it happens several lines like the ones below
are written to /var/log/audit/audit.log:

type=AVC msg=audit(1215196841.911:1218551): avc:  denied  { sys_ptrace } for 
pid=29322 comm="snmpd" capability=19 scontext=user_u:system_r:snmpd_t:s0
tcontext=user_u:system_r:snmpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1215196841.911:1218551): arch=c000003e syscall=89
success=no exit=-13 a0=7fff621bcff0 a1=7fff621be000 a2=ff a3=3 items=0 ppid=1
pid=29322 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0
key=(null)

I have a 26MB strace of snmpd, please let me know if you would like me to attach
it to the bug.

Thanks,
Filipe

--- Additional comment from filbranden@gmail.com on 2008-07-04 14:58:10 EDT ---

The machine where I tested it was not 100% updated to 5.2, it was a 5.1
installation and I had just upgraded net-snmp to the latest version to see if
the problem still happened.

I just tried it on a fully updated 5.2 machine; I rebooted it before starting
the tests. I no longer have a timeout, but I continue to have some AVC messages:

type=AVC msg=audit(1215197783.247:10562): avc:  denied  { ptrace } for  pid=3060
comm="snmpd" scontext=user_u:system_r:snmpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1215197783.247:10562): arch=c000003e syscall=89
success=no exit=-13 a0=7fffb9d41330 a1=7fffb9d42340 a2=ff a3=3 items=0 ppid=1
pid=3060 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd"
subj=user_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1215197783.247:10563): avc:  denied  { ptrace } for  pid=3060
comm="snmpd" scontext=user_u:system_r:snmpd_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1215197783.247:10563): arch=c000003e syscall=89
success=no exit=-13 a0=7fffb9d41330 a1=7fffb9d42340 a2=ff a3=3 items=0 ppid=1
pid=3060 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd"
subj=user_u:system_r:snmpd_t:s0 key=(null)

Should I be worried about this? Anyway, why would snmpd try to ptrace something?

Thanks,
Filipe

--- Additional comment from jsafrane@redhat.com on 2008-07-09 09:32:17 EDT ---

Strange, snmpd should not use ptrace, at least not directly. Anyway, I am able
to reproduce it locally and I'll look at it.

--- Additional comment from jsafrane@redhat.com on 2008-07-09 10:17:08 EDT ---

net-snmp-5.3.1-24 (i.e. from RHEL 5.1) works without SELinux denials -> setting
regression keyword

--- Additional comment from jsafrane@redhat.com on 2008-07-09 10:32:29 EDT ---

(In reply to comment #5)
> net-snmp-5.3.1-24 (i.e. from RHEL 5.1) works without SELinux denials
heh, net-snmp-5.3.1-19 is the working one (RHEL 5.1), -24 comes with RHEL 5.2
and produces the reported SELinux denials.

--- Additional comment from filbranden@gmail.com on 2008-07-09 11:26:11 EDT ---

But with net-snmp-5.3.1-24, AFAIR, I had issues on machines with IPv6 disabled.
Anyway, the "ptrace" problem seems to be less serious, since it happens only
when snmpd starts and it doesn't leave the process hung, so I prefer to live
with that one.

--- Additional comment from jsafrane@redhat.com on 2008-07-16 09:36:36 EDT ---

Of course, use the version which works best for you; the AVC is harmless.
Still, it should be fixed... It's generated when snmpd retrieves the value of
TCP-MIB::tcpListenerProcess and TCP-MIB::tcpConnectionProcess, which were added
in RHEL 5.2.

--- Additional comment from jsafrane@redhat.com on 2008-07-16 09:50:42 EDT ---

Reassigning to SELinux... SELinux reports AVC when snmpd reads /proc/<pid>/fd/*,
see comment #3

--- Additional comment from dwalsh@redhat.com on 2008-07-16 12:30:24 EDT ---

Fixed in selinux-policy-2.4.6-141.el5

--- Additional comment from pm-rhel@redhat.com on 2008-07-16 12:30:50 EDT ---

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

--- Additional comment from pm-rhel@redhat.com on 2008-07-16 12:44:29 EDT ---

This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.

--- Additional comment from errata-xmlrpc@redhat.com on 2009-01-20 16:32:07 EST ---

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
snmpd will not start; seeing this:
time->Fri Apr 30 15:58:15 2010
type=PATH msg=audit(1272657495.488:1648): item=0 name=(null) inode=126979 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=SOCKADDR msg=audit(1272657495.488:1648): saddr=01002F7661722F72756E2F736E6D70642E706964
type=SYSCALL msg=audit(1272657495.488:1648): arch=c000003e syscall=49 success=no exit=-13 a0=c a1=7fffaff22e40 a2=14 a3=0 items=1 ppid=1 pid=9068 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1272657495.488:1648): avc:  denied  { create } for  pid=9068 comm="snmpd" name="snmpd.pid" scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Fri Apr 30 15:58:16 2010
type=PATH msg=audit(1272657496.628:1654): item=0 name=(null) inode=126979 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=SOCKADDR msg=audit(1272657496.628:1654): saddr=01002F7661722F72756E2F736E6D70642E706964
type=SYSCALL msg=audit(1272657496.628:1654): arch=c000003e syscall=49 success=no exit=-13 a0=c a1=7fffc8c17b30 a2=14 a3=0 items=1 ppid=1 pid=9089 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1272657496.628:1654): avc:  denied  { create } for  pid=9089 comm="snmpd" name="snmpd.pid" scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file

Running:
net-snmp.x86_64    1:5.3.2.2-9.el5

# snmpd command line options
OPTIONS="-Ls5 -Lf /dev/null /var/run/snmpd.pid -a"

When running in Permissive:
# ls /var/run/snmpd.pid -laZ
srwxr-xr-x  root root user_u:object_r:var_run_t:s0     /var/run/snmpd.pid

And capturing this in the snmpd log:
2010-04-30T15:33:14.579448-04:00 roulin snmpd[8237]: could not open /proc/net/if_inet6
2010-04-30T15:33:14.604593-04:00 roulin snmpd[8237]: cannot open /proc/net/snmp6 ...
2010-04-30T15:33:14.705070-04:00 roulin snmpd[8237]: Error opening specified endpoint "/var/run/snmpd/"
2010-04-30T15:33:14.705124-04:00 roulin snmpd[8237]: Server Exiting with code 1
Comment 1 Jason 2010-05-03 11:28:46 EDT
Human error: missing -p in the snmpd.options file. Please close.
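The audit excerpts in this report are only readable once the AVC, SYSCALL and SOCKADDR records sharing one serial number are read together: the ptrace denials from the cloned comments come from syscall 89 (readlink on x86_64, i.e. snmpd resolving /proc/<pid>/fd/* links, which SELinux gates with the ptrace permission), and the 2010 denial comes from syscall 49 (bind) whose hex saddr decodes to an AF_UNIX socket at /var/run/snmpd.pid, the same file the AVC names. That matches comment 1: without -p the pid-file path was treated as a listening endpoint. The parser below is an added example for triaging such records; it is not code from net-snmp, selinux-policy or the reporter. The sample records are copied from this report, and the syscall table covers only the two x86_64 numbers that occur in it.

```python
"""Correlate Linux audit records by event serial and decode the hex SOCKADDR
payload, so an AVC denial reads as: which process, which permission, on which
object, through which syscall.

Added example for this bug report; not code from net-snmp, selinux-policy or
the reporter. Sample records are copied from the report (arch=c000003e is
x86_64); the syscall table lists only the two numbers that occur there.
"""
import re
import socket
import struct
from collections import defaultdict

# Audit records taken from the report (one bind event, one ptrace event).
SAMPLE_AUDIT = """\
type=SOCKADDR msg=audit(1272657495.488:1648): saddr=01002F7661722F72756E2F736E6D70642E706964
type=SYSCALL msg=audit(1272657495.488:1648): arch=c000003e syscall=49 success=no exit=-13 a0=c a1=7fffaff22e40 a2=14 a3=0 items=1 ppid=1 pid=9068 auid=10000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1272657495.488:1648): avc:  denied  { create } for  pid=9068 comm="snmpd" name="snmpd.pid" scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1215197783.247:10562): avc:  denied  { ptrace } for  pid=3060 comm="snmpd" scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1215197783.247:10562): arch=c000003e syscall=89 success=no exit=-13 a0=7fffb9d41330 a1=7fffb9d42340 a2=ff a3=3 items=0 ppid=1 pid=3060 auid=1114 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="snmpd" exe="/usr/sbin/snmpd" subj=user_u:system_r:snmpd_t:s0 key=(null)
"""

# x86_64 syscall numbers that appear in the report (from the kernel table).
X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {49: "bind", 89: "readlink"}

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(\w+)\s+\{ ([^}]+) \} for\s+(.*)")


def parse_kv(text):
    """Split 'k=v k="v v"' into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def decode_saddr(hexstr):
    """Decode an audit SOCKADDR payload: a 2-byte sa_family in the audited
    host's byte order (little-endian on x86_64), then the family-specific
    body. Only AF_UNIX (a path) is decoded; other families are returned raw."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]
    if family == socket.AF_UNIX:
        path = raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")
        return {"family": "AF_UNIX", "path": path}
    return {"family": str(family), "raw": raw[2:].hex()}


def parse_audit(text):
    """Group AVC, SYSCALL and SOCKADDR records by their audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # unrelated or truncated line
        rtype, _ts, serial, body = m.groups()
        ev = events[int(serial)]
        if rtype == "AVC":
            am = AVC_RE.match(body)
            if am:
                ev["avc"] = {"result": am.group(1),
                             "perms": am.group(2).split(),
                             **parse_kv(am.group(3))}
        elif rtype == "SYSCALL":
            fields = parse_kv(body)
            num = int(fields.get("syscall", -1))
            if fields.get("arch") == X86_64_ARCH:
                fields["syscall_name"] = X86_64_SYSCALLS.get(num, f"#{num}")
            else:
                fields["syscall_name"] = f"#{num}"  # number only for other arches
            ev["syscall"] = fields
        elif rtype == "SOCKADDR":
            ev["sockaddr"] = decode_saddr(parse_kv(body)["saddr"])
    return dict(events)


def explain(ev):
    """One-line reading of a correlated event, e.g. for triage notes."""
    avc = ev.get("avc", {})
    text = (f"{avc.get('comm')} ({avc.get('scontext')}) {avc.get('result')} "
            f"{' '.join(avc.get('perms', []))} on {avc.get('tclass')} "
            f"{avc.get('tcontext')}")
    sc = ev.get("syscall")
    if sc:
        text += f" via {sc['syscall_name']}() exit={sc.get('exit')}"
    sa = ev.get("sockaddr")
    if sa and sa["family"] == "AF_UNIX":
        text += f" target={sa['path']}"
    return text


if __name__ == "__main__":
    for serial, ev in sorted(parse_audit(SAMPLE_AUDIT).items()):
        print(serial, explain(ev))
```

Run as a script it prints one line per serial; in practice you would feed it raw records from /var/log/audit/audit.log (ausearch -i already interprets saddr, but the raw form is what ends up pasted into bug reports). For event 1648 the bind() target and the AVC's name="snmpd.pid" agree, which is the quickest way to see that the pid-file path was being used as a socket endpoint rather than as a pid file.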
