Bug 739896 - Snmpd isn't allowed to tell systemd it is up and running
Summary: Snmpd isn't allowed to tell systemd it is up and running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-20 11:13 UTC by Göran Uddeborg
Modified: 2011-10-09 19:35 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.10.0-38.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-09 19:35:15 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
Additional messages issued by snmpd (4.70 KB, application/octet-stream)
2011-09-20 11:13 UTC, Göran Uddeborg 		no flags Details
View All

Description Göran Uddeborg 2011-09-20 11:13:14 UTC 
Created attachment 524001 [details]
Additional messages issued by snmpd

Description of problem:
When I try to start up snmpd with "systemctl start snmpd.service", the command hangs for a while, and then says the job failed.

I see one AVC after the attempt:

time->Tue Sep 20 13:04:33 2011
type=SYSCALL msg=audit(1316516673.513:6358): arch=c000003e syscall=46 success=no exit=-13 a0=b a1=7fffe27a2c90 a2=4000 a3=7fffe27a2a10 items=0 ppid=1 pid=16675 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmpd" exe="/usr/sbin/snmpd" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1316516673.513:6358): avc:  denied  { write } for  pid=16675 comm="snmpd" name="notify" dev=tmpfs ino=7734 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file

The "notify" sock_file it tries to talk to apparently is /var/run/systemd/notify; it has inode number 7734.  The "type" in snmpd.service is "notify", and in /var/log/messages there are these messages:

Sep 20 13:06:01 mimmi systemd[1]: snmpd.service operation timed out. Terminating.
Sep 20 13:06:01 mimmi snmpd[16675]: Received TERM or STOP signal...  shutting down...
Sep 20 13:06:01 mimmi systemd[1]: Unit snmpd.service entered failed state.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-28.fc16.noarch
net-snmp-5.7-6.fc16.x86_64
systemd-35-1.fc16.x86_64


How reproducible:
Every time

Steps to Reproduce:
1. systemctl start snmpd.service
  
Actual results:
Job failed. See system logs and 'systemctl status' for details.

Expected results:
Snmpd up and running.

Additional info:
There are additional messages from snmpd in /var/log/messages.  I don't BELIEVE these are the reason for the problems.  If I start snmpd from the command line, these messages also show up, but snmpd seems to work anyway.  But just in case, I attach those messages too.
Comment 1 Miroslav Grepl 2011-09-20 11:36:57 UTC 
Fixed in selinux-policy-targeted-3.10.0-31.fc16.noarch
Comment 2 Daniel Walsh 2011-09-20 15:53:16 UTC 
Miroslav I think we should add this for all init domains.
Comment 3 Miroslav Grepl 2011-09-22 10:42:03 UTC 
Yes, this is needed.
Comment 4 Fedora Update System 2011-10-04 11:16:09 UTC 
selinux-policy-3.10.0-36.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
Comment 5 Fedora Update System 2011-10-04 20:48:45 UTC 
Package selinux-policy-3.10.0-36.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-36.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-36.fc16
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2011-10-09 19:35:15 UTC 
selinux-policy-3.10.0-38.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.