Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 679525

Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /var/lib/net-snmp.
Product: Red Hat Enterprise Linux 6 Reporter: Alexander Todorov <atodorov>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.0CC: dwalsh, mgrepl
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-24 09:52:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
description generated by SELinux troubleshooter none

Description Alexander Todorov 2011-02-22 19:34:31 UTC 
Created attachment 480222 [details]
description generated by SELinux troubleshooter

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the httpd access to potentially mislabeled files
/var/lib/net-snmp. This means that SELinux will not allow httpd to use these
files. If httpd should be allowed this access to these files you should change
the file context to one of the following types, httpd_var_lib_t,
httpd_var_run_t, var_lock_t, squirrelmail_spool_t, tmp_t, var_t, httpd_log_t,
tmpfs_t, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, var_lib_t, var_run_t,
httpd_squirrelmail_t, var_log_t, mnt_t, httpd_nutups_cgi_ra_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_ra_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_sys_content_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_awstats_ra_content_t, httpd_awstats_rw_content_t,
httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, root_t,
httpd_user_ra_content_t, httpd_user_rw_content_t, httpdcontent,
httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t,
httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_ra_content_t,
httpd_nagios_rw_content_t. Many third party apps install html files in
directories that SELinux policy cannot predict. These directories have to be
labeled with a file context which httpd can access.
Comment 1 Miroslav Grepl 2011-02-23 12:22:00 UTC 
What is your version of selinux-policy? So you are seeing

allow httpd_t snmpd_var_lib_t:dir { write create add_name };

Could you add raw audit msgs from /var/log/audit/audit.log.

Do you use a snmp apache module?
Comment 2 Alexander Todorov 2011-02-23 13:19:24 UTC 
(In reply to comment #1)
> What is your version of selinux-policy? So you are seeing
> 

See the attached XML file for full information. 

selinux-policy-3.7.19-54.el6_0.3.noarch

> allow httpd_t snmpd_var_lib_t:dir { write create add_name };
> 
> Could you add raw audit msgs from /var/log/audit/audit.log.
> 

type=AVC msg=audit(1298402602.297:29718): avc:  denied  { write } for  pid=8840 comm="httpd" name="net-snmp" dev=dm-2 ino=414212 scontext=unconfined_u:system_r:httpd_t:s0 t
context=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1298402602.297:29718): avc:  denied  { add_name } for  pid=8840 comm="httpd" name="mib_indexes" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system
_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1298402602.297:29718): avc:  denied  { create } for  pid=8840 comm="httpd" name="mib_indexes" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfin
ed_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298402602.297:29718): arch=40000003 syscall=39 success=yes exit=0 a0=bfadcc1c a1=1c0 a2=16a7cd8 a3=0 items=0 ppid=1 pid=8840 auid=500 uid=0 gid=0 eu
id=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1298402602.299:29719): avc:  denied  { write } for  pid=8840 comm="httpd" name="mib_indexes" dev=dm-2 ino=454221 scontext=unconfined_u:system_r:httpd_t:s
0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1298402602.299:29719): avc:  denied  { add_name } for  pid=8840 comm="httpd" name="0" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:obj
ect_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1298402602.299:29719): avc:  denied  { create } for  pid=8840 comm="httpd" name="0" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:objec
t_r:snmpd_var_lib_t:s0 tclass=file




> Do you use a snmp apache module?

I don't think so. There's no sign of this module in my httpd.conf and I don't r
remember installing it. 

Here are all related snmp packages installed on the system:

$ rpm -qa | grep snmp
php-snmp-5.3.2-6.el6_0.1.i686
net-snmp-5.5-27.el6_0.1.i686
net-snmp-devel-5.5-27.el6_0.1.i686
net-snmp-libs-5.5-27.el6_0.1.i686
Comment 3 Miroslav Grepl 2011-02-23 13:55:12 UTC 
Are you seeing this issue in enforcing mode? We have some dontaudit rules for this.
Comment 4 Alexander Todorov 2011-02-23 14:18:10 UTC 
I haven't seen this before and I've switched to Permissive mode just recently.
Comment 5 Miroslav Grepl 2011-02-23 19:09:08 UTC 
Any reason why you switched to permissive mode? Do you have any other problem?
Comment 6 Daniel Walsh 2011-02-23 21:01:20 UTC 
You will not see these in enforcing so I think we can close this bug.
Comment 7 Miroslav Grepl 2011-02-24 09:52:40 UTC 
I think also.
Comment 8 Alexander Todorov 2011-02-24 13:47:00 UTC 
(In reply to comment #5)
> Any reason why you switched to permissive mode? 

I was testing some 3rd party software which doesn't work with SELinux in enforcing mode. 

> Do you have any other problem?

Nope. Just reported the bug because it poped up in SELinux troubleshooter.
Comment 9 Daniel Walsh 2011-02-24 18:12:10 UTC 
Please report the 3rd party tool and we can work on making it work with SELinux in enforcing mode.