Bug 612823 - SELinux denial when trying to create SNMPv3 user
SELinux denial when trying to create SNMPv3 user
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.5
All Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Karel Srot
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-09 03:16 EDT by Erinn Looney-Triggs
Modified: 2012-10-16 07:00 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When SELinux was running in the enforcing mode, the snmpd daemon was incorrectly denied access to the /var/net-snmp/snmpd.conf configuration file. With this update, the SELinux context for the /var/net-snmp/ directory has been corrected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 16:49:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Erinn Looney-Triggs 2010-07-09 03:16:11 EDT
Description of problem:
SELinux will deny SNMP the ability to update the /var/net-snmp/snmpd.conf file when trying to create SNMPv3 users. Please note this has only been tested on a 5.4 system so far, I will test on a 5.5 system soon and report back.

node=humbert type=AVC msg=audit(1278658813.124:259644): avc:  denied  { getattr } for  pid=374 comm="snmpd" path="/var/net-snmp/snmpd.conf" dev=sda1 ino=2720615 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
node=humbert type=AVC msg=audit(1278658813.124:259645): avc:  denied  { rename } for  pid=374 comm="snmpd" name="snmpd.conf" dev=sda1 ino=2720615 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
node=humbert type=AVC msg=audit(1278658813.124:259646): avc:  denied  { unlink } for  pid=374 comm="snmpd" name="snmpd.0.conf" dev=sda1 ino=2720615 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file


Version-Release number of selected component (if applicable):
net-snmp-5.3.2.2-7.el5_4.2
selinux-policy-targeted-2.4.6-255.el5_4.4

How reproducible:


Steps to Reproduce:
1. Install net-snmp net-snmp-utils and net-snmp-devel
2. Make sure snmpd is stopped 
3. Create the user: sudo net-snmp-config --create-snmpv3-user -ro -a PASSWORD -X AES -A SHA USERNAME
4. Start snmpd, watch the fireworks in the audit log
  
Actual results:
SELinux denial

Expected results:
User to be created

Additional info:
Comment 1 Erinn Looney-Triggs 2010-07-09 12:59:10 EDT
Yeah I got the same result on a 5.5 system fully updated, here is the entire output of the audit log:
type=AVC msg=audit(1278694554.356:28280): avc:  denied  { read } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.455:28281): avc:  denied  { read } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.456:28282): avc:  denied  { getattr } for  pid=12186 comm="snmpd" path="/var/net-snmp/snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.456:28283): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.456:28284): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.456:28285): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28286): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28287): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28288): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28289): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28290): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28291): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28292): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28293): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28294): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28295): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.457:28296): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.458:28297): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.458:28298): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.458:28299): avc:  denied  { append } for  pid=12186 comm="snmpd" name="snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1278694554.458:28300): avc:  denied  { getattr } for  pid=12186 comm="snmpd" path="/var/net-snmp/snmpd.conf" dev=sda4 ino=7929877 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
Comment 2 Erinn Looney-Triggs 2010-07-12 13:59:15 EDT
Created service request: 2038956
Comment 3 Daniel Walsh 2010-07-12 17:36:35 EDT
restorecon -R -v /var/net-snmp

Should fix the label.

This is not a bug.
Comment 4 Erinn Looney-Triggs 2010-07-12 19:00:55 EDT
That is interesting, yes now I see the /etc/selinux/targeted/contexts/files/file_contexts where I think these labels are derived, will check that in the future to see if this is a mislabling problem. However, when I run restorecon -R -v /var/net-snmp nothing changes on some of my systems, not all of them just some. I know this isn't really salient to this bug but do you know what might cause that issue?

Thanks,
-Erinn
Comment 5 Daniel Walsh 2010-07-13 08:49:27 EDT
THe systems where nothing changes are labeled correctly.

If you destroy the directory and just create it by hand, it will be labeled incorrectly.  You can use restorecon to fix the label.  If the directory was created by rpm, it would have been labeled correctly.
Comment 6 Daniel Walsh 2010-07-13 08:49:49 EDT
If you see the label get mislabeled again please reopen the bug.
Comment 7 Erinn Looney-Triggs 2010-07-13 11:00:59 EDT
Well that is sort of the problem then, I guess restorecon does not appear to be taking this directory back to the right condition.

So:
erinn@barbarella /var $ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

This is the incorrect label it should be system_u:object_r:snmpd_var_lib_t:s0:
erinn@barbarella /var $ ls -lZd /var/net-snmp/
drwx------  root root user_u:object_r:var_t:s0         /var/net-snmp/

erinn@barbarella /var $ sudo restorecon -R -v /var/net-snmp/
erinn@barbarella /var $ ls -lZd /var/net-snmp/
drwx------  root root user_u:object_r:var_t:s0         /var/net-snmp/

It appears after further testing this out that restorecon is not working on any of my systems, and the one system that had a proper label, from the install, will not get relabled to the right label with restorecon:


erinn@cc /var $ ls -lZd net-snmp/
drwx------  root root user_u:object_r:snmpd_var_lib_t  net-snmp/
erinn@cc /var $ sudo mv net-snmp/ net-snmp.bak
erinn@cc /var $ sudo mkdir net-snmp
erinn@cc /var $ ls -lZd net-snmp
drwx------  root root user_u:object_r:var_t            net-snmp
erinn@cc /var $ sudo restorecon -R -v /var/net-snmp
erinn@cc /var $ ls -lZd /var/net-snmp
drwx------  root root user_u:object_r:var_t            /var/net-snmp

I certainly hope I am not missing something really obvious in here.
Comment 8 Daniel Walsh 2010-07-13 14:34:35 EDT
Nope.  That is correct and it is broken.

rpm -q selinux-policy
Comment 9 Erinn Looney-Triggs 2010-07-13 14:41:15 EDT
I am guessing the last line there is a request for info:

selinux-policy-2.4.6-279.el5

All my systems are at that same version except one 5.4 box. 

-Erinn
Comment 10 Daniel Walsh 2010-07-13 16:46:07 EDT
And what does 
matchpathcon /var/net-snmp
say?
Comment 11 Daniel Walsh 2010-07-13 16:46:52 EDT
If it does not say snmpd_var_lib_t could you try

yum reinstall selinux-policy-targeted 

and tell me if you see an error.
Comment 12 Erinn Looney-Triggs 2010-07-13 16:50:39 EDT
Here you go:
erinn@cc ~ $ matchpathcon /var/net-snmp
/var/net-snmp   system_u:object_r:var_t

erinn@cc ~ $ sudo yum reinstall selinux-policy-targeted 
Loaded plugins: dellsysid, rhnplugin, security
Setting up Reinstall Process
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:2.4.6-279.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                  Arch    Version           Repository             Size
================================================================================
Reinstalling:
 selinux-policy-targeted  noarch  2.4.6-279.el5     rhel-x86_64-server-5  1.2 M

Transaction Summary
================================================================================
Remove        0 Package(s)
Reinstall     1 Package(s)
Downgrade     0 Package(s)

Total download size: 1.2 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-targeted-2.4.6-279.el5.noarch.rpm         | 1.2 MB     00:01     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : selinux-policy-targeted                                  1/1 

Installed:
  selinux-policy-targeted.noarch 0:2.4.6-279.el5                                

Complete!
erinn@cc ~ $ matchpathcon /var/net-snmp
/var/net-snmp   system_u:object_r:var_t

No error.
Comment 13 Erinn Looney-Triggs 2010-07-13 17:01:14 EDT
Interestingly one of the Red Hat support guys, Ranjith just ran restorecon on a working system and it reverted it:

[test@dhcp211-205 ~]$ sudo /sbin/restorecon -R -v /var/net-snmp
/sbin/restorecon reset /var/net-snmp context root:object_r:snmpd_var_lib_t:s0->system_u:object_r:var_t:s0

But this looks right from the file_contexts:
/var/net-snmp(/.*)      system_u:object_r:snmpd_var_lib_t:s0


Anyway, perhaps a bit more information for you. 

-Erinn
Comment 14 Daniel Walsh 2010-07-13 17:13:24 EDT
Miroslav, there is a bug in the regular expression.

should be

/var/net-snmp(/.*)?		gen_context(system_u:object_r:snmpd_var_lib_t,s0)


You can add this label by executing

# semanage fcontext -a -t snmpd_var_lib_t '/var/net-snmp(/.*)?'
Comment 15 Daniel Walsh 2010-07-13 17:13:47 EDT
It is also broken in Fedora and RHEL6.
Comment 16 Erinn Looney-Triggs 2010-07-13 17:21:27 EDT
Dan, 
Thanks for the help. Glad we could get this figured out.

-Erinn
Comment 17 Miroslav Grepl 2010-07-22 05:25:11 EDT
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 21 Jaromir Hradilek 2011-01-05 11:16:43 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When SELinux was running in the enforcing mode, the snmpd daemon was incorrectly denied access to the /var/net-snmp/snmpd.conf configuration file. With this update, the SELinux context for the /var/net-snmp/ directory has been corrected.
Comment 23 errata-xmlrpc 2011-01-13 16:49:50 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

Note You need to log in before you can comment on or make changes to this bug.