This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 745175 - selinux prevents rsyslogd to access /usr/share/snmp/mibs/.index
selinux prevents rsyslogd to access /usr/share/snmp/mibs/.index
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
high Severity high
: rc
: ---
Assigned To: Miroslav Grepl
Karel Srot
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-11 10:48 EDT by Karel Srot
Modified: 2012-10-11 04:07 EDT (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-321.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 00:48:20 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Karel Srot 2011-10-11 10:48:57 EDT
Description of problem:

This is needed because of 
Bug 601711 - [RFE] rsyslog - omsnmp module not provided

related RHEL6 bug is 727150

I have configured rsyslog to send snmp traps and I am getting various AVCs, traps are not sent.

In enforcing I got:
type=AVC msg=audit(1318343200.153:85): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.153:86): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.154:87): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318343200.154:88): avc:  denied  { write } for  pid=25191 comm="rsyslogd" name=".index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318343200.194:89): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318343200.194:90): avc:  denied  { getattr } for  pid=25191 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir


In permissive I got just:
type=AVC msg=audit(1318342916.306:79): avc:  denied  { getattr } for  pid=24565 comm="rsyslogd" path="/var/net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318342916.307:80): avc:  denied  { search } for  pid=24565 comm="rsyslogd" name="net-snmp" dev=dm-0 ino=6422656 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1318342916.307:81): avc:  denied  { getattr } for  pid=24565 comm="rsyslogd" path="/usr/share/snmp/mibs/.index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1318342916.307:82): avc:  denied  { read } for  pid=24565 comm="rsyslogd" name=".index" dev=dm-0 ino=68282 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=USER_AVC msg=audit(1318343188.106:84): user pid=3435 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice (enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'


I don't know why rsyslog wants the write access - probably it believes that the file is deleted and tries to re-create it. 

I have used following module (without write access) and snmp traps were properly sent:

module mymod 1.0;

require {
	type snmpd_var_lib_t;
	type syslogd_t;
	class dir { getattr search };
	class file { read write getattr };
}

#============= syslogd_t ==============
allow syslogd_t snmpd_var_lib_t:dir { getattr search };
allow syslogd_t snmpd_var_lib_t:file { read getattr };
#allow syslogd_t snmpd_var_lib_t:file { read write getattr };


Version-Release number of selected component (if applicable):
tested with selinux-policy-2.4.6-317.el5
rsyslog-snmp module has to be built manually (update specfile to built this module too)

How reproducible:
always

Steps to Reproduce:
configure rsyslog to sent snmp traps and snmptrapd to receive it 
  
Actual results:
no traps sent

Expected results:
traps are properly delivered

Additional info:
Comment 1 Miroslav Grepl 2011-10-20 10:35:18 EDT
Fixed in selinux-policy-2.4.6-318.el5
Comment 4 Karel Srot 2011-12-02 07:04:01 EST
Mirek,
when running automated test today I got the write denial again.

type=SYSCALL msg=audit(1322825631.187:24): arch=40000003 syscall=5 success=no exit=-13 a0=bff1920c a1=8241 a2=1b6 a3=9431450 items=0 ppid=26267 pid=26268 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" subj=root:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1322825631.187:24): avc:  denied  { write } for  pid=26268 comm="rsyslogd" name=".index" dev=dm-0 ino=3801430 scontext=root:system_r:syslogd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file

It seems that rsyslog wants to write to this file. I am not sure whether this access should be allowed or the message don't audited, though.

I was runnin -320 policy where { ioctl read getattr lock } is allowed.

Switching back to ON_QA 'till this is decided. Sorry for confusion.
Comment 5 Daniel Walsh 2011-12-02 08:23:07 EST
Probably should dontaudit
Comment 7 Miroslav Grepl 2011-12-15 08:19:32 EST
Fixed in selinux-policy-2.4.6-321.el5
Comment 9 errata-xmlrpc 2012-02-21 00:48:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html

Note You need to log in before you can comment on or make changes to this bug.