Description of problem:
rsyslog module omsnmp (send log messages as snmp traps) will be added in RHEL6.2 (bz 618488). This functionality doesn't work because selinux prevents rsyslog from accessing /var/lib/net-snmp. This is fixed with:

# cat mymod.te
module mymod 1.0;

require {
	type snmpd_var_lib_t;
	type syslogd_t;
	class dir { read getattr open search };
	class file { read getattr open };
}

#============= syslogd_t ==============
allow syslogd_t snmpd_var_lib_t:dir { read getattr open search };
allow syslogd_t snmpd_var_lib_t:file { read getattr open };

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch

How reproducible:
always

Steps to Reproduce:
ATM omsnmp.so module is not built as a part of rsyslog package. You need to update rsyslog SPEC file with --enable-snmp to build this module. After reinstallation of rsyslog configure rsyslog to send snmp traps to snmptrapd.

Actual results:
AVC messages during rsyslog start

Expected results:
no AVC, rsyslog sends traps

Additional info:
# grep -i avc /var/log/audit/audit.log
type=AVC msg=audit(1312202141.511:42582): avc: denied { getattr } for pid=11995 comm="rsyslogd" path="/var/lib/net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.511:42583): avc: denied { search } for pid=11995 comm="rsyslogd" name="net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc: denied { read } for pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc: denied { open } for pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42585): avc: denied { read } for pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42585): avc: denied { open } for pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42586): avc: denied { getattr } for pid=11995 comm="rsyslogd" path="/var/lib/net-snmp/mib_indexes/0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
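The mymod.te above is exactly what you get by feeding the seven AVC records to audit2allow: each denial is grouped by (source type, target type, object class) and the denied permissions are merged into one allow rule per group. The script below is an added example (not part of the bug report and not audit2allow itself) that implements that derivation in plain Python, so the mapping from audit records to policy rules is visible. The function names and the regular expression are my own; the sample log is the bug's AVC output embedded as a constructed string.

```python
"""Minimal AVC-to-allow-rule generator (added example, not audit2allow itself).

It reads audit records like the ones in this bug report, groups the denied
permissions by (source type, target type, class) and renders a policy module
in the same shape as the mymod.te shown in the report.
"""
import re
import sys
from collections import defaultdict

# Constructed sample input: the seven AVC records quoted in the bug report,
# one record per line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312202141.511:42582): avc: denied { getattr } for pid=11995 comm="rsyslogd" path="/var/lib/net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.511:42583): avc: denied { search } for pid=11995 comm="rsyslogd" name="net-snmp" dev=sda4 ino=661467 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc: denied { read } for pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42584): avc: denied { open } for pid=11995 comm="rsyslogd" name="mib_indexes" dev=sda4 ino=660458 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1312202141.512:42585): avc: denied { read } for pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42585): avc: denied { open } for pid=11995 comm="rsyslogd" name="0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312202141.512:42586): avc: denied { getattr } for pid=11995 comm="rsyslogd" path="/var/lib/net-snmp/mib_indexes/0" dev=sda4 ino=661355 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
"""

# Only "denied" records are turned into rules; "granted" records (from
# auditallow statements) are deliberately ignored.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
            set(m["perms"].split()))


def collect_rules(lines):
    """Merge all denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            src, tgt, tclass, perms = parsed
            rules[(src, tgt, tclass)].update(perms)
    return dict(rules)


def render_module(rules, name="mymod", version="1.0"):
    """Render .te source: a require block for every type/class used, then the allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Read records from a pipe (e.g. grep avc /var/log/audit/audit.log | ...),
    # or fall back to the constructed sample when run interactively.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG.splitlines()
    print(render_module(collect_rules(source)), end="")
```

Run on the sample, the output carries the same two allow rules as the mymod.te in the report (permissions sorted alphabetically). The generated .te is compiled and loaded with the standard toolchain (checkmodule -M -m -o mymod.mod mymod.te; semodule_package -o mymod.pp -m mymod.mod; semodule -i mymod.pp). Note what such a rule grants: read and search over everything labelled snmpd_var_lib_t, not just mib_indexes, which is why a local module is a stop-gap and the durable fix is the one in the distribution policy referenced in the comments below.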
Karel, good catch. Thanks.
Fixed in selinux-policy-3.7.19-106.el6
I confirm this is fixed with selinux-policy-3.7.19-107.el6.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html