Bug 745175 – selinux prevents rsyslogd to access /usr/share/snmp/mibs/.index

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 745175 - selinux prevents rsyslogd to access /usr/share/snmp/mibs/.index

Summary:	selinux prevents rsyslogd to access /usr/share/snmp/mibs/.index

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	5.7
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Miroslav Grepl
QA Contact:	Karel Srot
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2011-10-11 10:48 EDT by Karel Srot
Modified:	2012-10-11 04:07 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:	selinux-policy-2.4.6-321.el5
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-02-21 00:48:20 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0158	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2012-02-20 09:53:50 EST

Groups: None (edit)

Description Karel Srot 2011-10-11 10:48:57 EDT

Description of problem:

This is needed because of 
Bug 601711 - [RFE] rsyslog - omsnmp module not provided

related RHEL6 bug is 727150

I have configured rsyslog to send snmp traps and I am getting various AVCs, traps are not sent.

In enforcing I got:
type=AVC msg=audit(1318343200.153:85): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.153:86): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.154:87): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318343200.154:88): avc:  denied  { write } for  pid=25191 comm="rsyslogd" name=".index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318343200.194:89): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.194:90): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir


In permissive I got just:
type=AVC msg=audit(1318342916.306:79): avc:  denied  { getattr } for  pid=24565 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318342916.307:80): avc:  denied  { search } for  pid=24565 comm="rsyslogd" name="net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318342916.307:81): avc:  denied  { getattr } for  pid=24565 comm="rsyslogd" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318342916.307:82): avc:  denied  { read } for  pid=24565 comm="rsyslogd" name=".index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=USER_AVC msg=audit(1318343188.106:84): user pid=3435 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice (enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'


I don't know why rsyslog wants the write access - probably it believes that the file is deleted and tries to re-create it. 

I have used following module (without write access) and snmp traps were properly sent:

module mymod 1.0;

require {
	type snmpd_var_lib_t;
	type syslogd_t;
	class dir { getattr search };
	class file { read write getattr };
}

#============= syslogd_t ==============
allow syslogd_t snmpd_var_lib_t:dir { getattr search };
allow syslogd_t snmpd_var_lib_t:file { read getattr };
#allow syslogd_t snmpd_var_lib_t:file { read write getattr };


Version-Release number of selected component (if applicable):
tested with selinux-policy-2.4.6-317.el5
rsyslog-snmp module has to be built manually (update specfile to built this module too)

How reproducible:
always

Steps to Reproduce:
configure rsyslog to sent snmp traps and snmptrapd to receive it 
  
Actual results:
no traps sent

Expected results:
traps are properly delivered

Additional info:

Comment 1 Miroslav Grepl 2011-10-20 10:35:18 EDT

Fixed in selinux-policy-2.4.6-318.el5

Comment 4 Karel Srot 2011-12-02 07:04:01 EST

Mirek,
when running automated test today I got the write denial again.

type=SYSCALL msg=audit(1322825631.187:24): arch=40000003 syscall=5 success=no exit=-13 a0=bff1920c a1=8241 a2=1b6 a3=9431450 items=0 ppid=26267 pid=26268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1322825631.187:24): avc:  denied  { write } for  pid=26268 comm="rsyslogd" name=".index" dev=dm-0 ino=3801430 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file

It seems that rsyslog wants to write to this file. I am not sure whether this access should be allowed or the message don't audited, though.

I was runnin -320 policy where { ioctl read getattr lock } is allowed.

Switching back to ON_QA 'till this is decided. Sorry for confusion.

Comment 5 Daniel Walsh 2011-12-02 08:23:07 EST

Probably should dontaudit

Comment 7 Miroslav Grepl 2011-12-15 08:19:32 EST

Fixed in selinux-policy-2.4.6-321.el5

Comment 9 errata-xmlrpc 2012-02-21 00:48:20 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html

Note You need to log in before you can comment on or make changes to this bug.