Bug 770599 - Snmpd is denied access to the directory dev_snmp6
Summary: Snmpd is denied access to the directory dev_snmp6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-12-27 22:41 UTC by Göran Uddeborg
Modified: 2012-01-11 06:17 UTC (History)

Fixed In Version: selinux-policy-3.10.0-71.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-11 06:17:55 UTC
Type: ---



Description Göran Uddeborg 2011-12-27 22:41:27 UTC
Description of problem:
After a recent upgrade, I started to get warnings from setroubleshoot that snmpd tried to read a directory dev_snmp6 in the /proc filesystem, but was denied.  This seems to be a directory that exists for each process, and contains information about the various network interfaces.  From the name of the directory, I suspect it would make sense for the SNMP daemon to be able to read it, which is why I assign this bug to selinux-policy and not net-snmp.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-69.fc16.noarch
net-snmp-5.7.1-2.fc16.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install the above packages
2. Start the snmpd daemon
  
Actual results:
This AVC:

type=AVC msg=audit(1325023495.690:79): avc:  denied  { read } for  pid=887 comm="snmpd" name="dev_snmp6" dev=proc ino=4026532108 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir

Comment 1 Daniel Walsh 2011-12-29 18:01:36 UTC
Looks like this is fixed in selinux-policy-3.10.0-69.fc16

Comment 2 Göran Uddeborg 2011-12-29 20:38:18 UTC
Fixed in selinux-policy-3.10.0-69.fc16?  But that is the one I am using.  The policy was one of the packages I upgraded, when this started to happen.  (net-snmp was another one.)

Comment 3 Neil Squires 2011-12-30 22:27:37 UTC
This error message started appearing on my systems running snmpd following an selinux policy update:

selinux-policy.noarch 0:3.10.0-69.fc16
selinux-policy-targeted.noarch 0:3.10.0-69.fc16

That was done at 1:13 am 31 Dec 2011 (+10 UTC).


Dec 31 01:12:38 vpn yum[22133]: Updated: xulrunner-9.0.1-1.fc16.x86_64
Dec 31 01:13:00 vpn yum[22133]: Updated: selinux-policy-3.10.0-69.fc16.noarch
Dec 31 01:13:43 vpn dbus[13079]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[848]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[1921]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[1922]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus[848]: [system] Reloaded configuration
Dec 31 01:13:43 vpn dbus-daemon[848]: dbus[848]: avc:  received policyload notice (seqno=7)
Dec 31 01:13:43 vpn dbus-daemon[848]: dbus[848]: [system] Reloaded configuration
Dec 31 01:13:45 vpn yum[22133]: Updated: selinux-policy-targeted-3.10.0-69.fc16.noarch
Dec 31 01:13:49 vpn yum[22133]: Updated: firefox-9.0.1-1.fc16.x86_64
Dec 31 01:14:06 vpn setroubleshoot: Deleting alert d8292dce-1db6-4425-960a-d82a741a0425, it is allowed in current policy
Dec 31 01:14:07 vpn setroubleshoot: SELinux is preventing /usr/sbin/snmpd from read access on the directory dev_snmp6. For complete SELinux messages. run sealert -l 308fcc56-c752-4bc2-8778-fabf40020b30



 sealert -l 308fcc56-c752-4bc2-8778-fabf40020b30

SELinux is preventing /usr/sbin/snmpd from read access on the directory dev_snmp6.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that snmpd should be allowed read access on the dev_snmp6 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep snmpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Dec 31 03:06:07 vpn setroubleshoot: SELinux is preventing /usr/sbin/snmpd from read access on the directory dev_snmp6. For complete SELinux messages. run sealert -l 308fcc56-c752-4bc2-8778-fabf40020b30

Running the suggested commands creates the .te file

[root@vpn ~]# cat  dev_snmp6.te

module dev_snmp6 1.0;

require {
        type snmpd_t;
        type proc_net_t;
        class dir read;
}

#============= snmpd_t ==============
allow snmpd_t proc_net_t:dir read;

My initial impression is that, as all the servers in my DMZ configured with IPv6 and SNMP have been affected, the snmpd was not previously accessing the IPv6 information, or that this change was done and tested on an IPv4-only system.
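The AVC record in the description and the audit2allow-generated .te module above are the two ends of the same workflow: the denial names a source type, a target type, an object class and a permission set, and the local module is nothing more than those fields rewritten as an allow rule. The following Python is an added example, not code from the bug report or from the net-snmp or selinux-policy projects; it parses AVC records from audit.log text and renders the equivalent .te module in the shape `audit2allow -M` produces. The first sample line is the AVC quoted in this bug; the other two sample lines (a second denial on a constructed `if_inet6` file and a SYSCALL record) are constructed to show permission aggregation and non-AVC records being skipped.

```python
import re
from collections import defaultdict

# Constructed sample audit log: line 1 is the AVC from the bug report,
# lines 2-3 are made up for this example (a file denial and a non-AVC record).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1325023495.690:79): avc:  denied  { read } for  pid=887 comm="snmpd" name="dev_snmp6" dev=proc ino=4026532108 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1325023495.691:80): avc:  denied  { read open } for  pid=887 comm="snmpd" name="if_inet6" dev=proc ino=4026532109 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1325023495.690:79): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC record: result, braced permission list, then the three context fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = tuple(sorted(d["perms"].split()))
    # A context is user:role:type:level; the policy rule only needs the type.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    cm = re.search(r'comm="([^"]*)"', line)
    d["comm"] = cm.group(1) if cm else None
    return d


def denials(log_text):
    """All denied AVC records in the given audit.log text, in file order."""
    return [r for r in map(parse_avc, log_text.splitlines()) if r and r["result"] == "denied"]


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te_module(records, name):
    """Aggregate denials into allow rules and render a .te module like audit2allow -M does."""
    rules = defaultdict(set)          # (source type, target type, class) -> permissions
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])

    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)        # class -> every permission used on it
    for (_, _, c), perms in rules.items():
        classes[c].update(perms)

    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_set(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]

    current_source = None
    for (s, t, c), perms in sorted(rules.items()):
        if s != current_source:           # one section header per source domain
            lines.append(f"#============= {s} ==============")
            current_source = s
        lines.append(f"allow {s} {t}:{c} {_perm_set(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_te_module(denials(SAMPLE_AUDIT_LOG), "dev_snmp6"))
```

Rendering the rule this way makes the scope of what a local module would grant explicit before `semodule -i` is run: here the rule is `snmpd_t` reading `proc_net_t` directories, which is narrow, but the same workflow applied to a denial on a broad target type would open far more than the one path in the alert. The bug's outcome (the allow added to the distribution policy in 3.10.0-71) is the durable fix; a local module of this kind is a stop-gap that is retired once the updated policy lands.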

Comment 4 Miroslav Grepl 2012-01-02 09:17:51 UTC
Fixed in selinux-policy-3.10.0-70.fc16

Comment 5 Fedora Update System 2012-01-03 23:47:28 UTC
selinux-policy-3.10.0-71.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-71.fc16

Comment 6 Fedora Update System 2012-01-05 21:07:46 UTC
Package selinux-policy-3.10.0-71.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-71.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0154/selinux-policy-3.10.0-71.fc16
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-01-11 06:17:55 UTC
selinux-policy-3.10.0-71.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

