Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-devel-2.4.6-329.el5
selinux-policy-minimum-2.4.6-329.el5
selinux-policy-targeted-2.4.6-329.el5
selinux-policy-strict-2.4.6-329.el5
selinux-policy-2.4.6-329.el5
selinux-policy-mls-2.4.6-329.el5
cluster-snmp-0.12.1-7.el5
modcluster-0.12.1-7.el5
net-snmp-5.3.2.2-18.el5
net-snmp-devel-5.3.2.2-18.el5
net-snmp-libs-5.3.2.2-18.el5
net-snmp-utils-5.3.2.2-18.el5

How reproducible: always

Steps to Reproduce:
1. get a RHEL-5.8 machine with active targeted policy
2. run following automated test: /CoreOS/selinux-policy/Regression/bz466470-snmpd-wants-getsched-setsched
3. search for AVCs

Actual results:
----
type=PATH msg=audit(07/26/2012 12:42:22.363:177) : item=0 name=(null) inode=66086 dev=03:03 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:ricci_modcluster_var_run_t:s0
type=SOCKETCALL msg=audit(07/26/2012 12:42:22.363:177) : nargs=3 a0=c a1=bffafdaa a2=6e
type=SOCKADDR msg=audit(07/26/2012 12:42:22.363:177) : saddr=local /var/run/clumond.sock
type=SYSCALL msg=audit(07/26/2012 12:42:22.363:177) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bffafd60 a2=e95710 a3=0 items=1 ppid=1 pid=13257 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=snmpd exe=/usr/sbin/snmpd subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(07/26/2012 12:42:22.363:177) : avc: denied { write } for pid=13257 comm=snmpd name=clumond.sock dev=hda3 ino=66086 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:ricci_modcluster_var_run_t:s0 tclass=sock_file
----

Expected results:
* no AVCs
Following AVCs appeared in permissive mode:
----
type=PATH msg=audit(07/26/2012 12:52:45.042:183) : item=0 name=(null) inode=66086 dev=03:03 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:ricci_modcluster_var_run_t:s0
type=SOCKETCALL msg=audit(07/26/2012 12:52:45.042:183) : nargs=3 a0=c a1=bfaa8b1a a2=6e
type=SOCKADDR msg=audit(07/26/2012 12:52:45.042:183) : saddr=local /var/run/clumond.sock
type=SYSCALL msg=audit(07/26/2012 12:52:45.042:183) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfaa8ad0 a2=e08710 a3=0 items=1 ppid=1 pid=13698 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=snmpd exe=/usr/sbin/snmpd subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(07/26/2012 12:52:45.042:183) : avc: denied { connectto } for pid=13698 comm=snmpd path=/var/run/clumond.sock scontext=root:system_r:snmpd_t:s0 tcontext=root:system_r:ricci_modclusterd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(07/26/2012 12:52:45.042:183) : avc: denied { write } for pid=13698 comm=snmpd name=clumond.sock dev=hda3 ino=66086 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:ricci_modcluster_var_run_t:s0 tclass=sock_file
----
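Added example, not part of the original report or of the shipped policy fix: a small parser that turns the AVC records quoted above into audit2allow-style rules and shows which denial the enforcing run never reached, because connect() failed at the first check. The function names are assumptions made for this illustration; the AVC lines are copied from the two comments above.

```python
import re
from collections import defaultdict

# AVC records copied from the report above (enforcing run, then permissive run).
ENFORCING = """\
type=AVC msg=audit(07/26/2012 12:42:22.363:177) : avc: denied { write } for pid=13257 comm=snmpd name=clumond.sock dev=hda3 ino=66086 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:ricci_modcluster_var_run_t:s0 tclass=sock_file
"""
PERMISSIVE = """\
type=AVC msg=audit(07/26/2012 12:52:45.042:183) : avc: denied { connectto } for pid=13698 comm=snmpd path=/var/run/clumond.sock scontext=root:system_r:snmpd_t:s0 tcontext=root:system_r:ricci_modclusterd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(07/26/2012 12:52:45.042:183) : avc: denied { write } for pid=13698 comm=snmpd name=clumond.sock dev=hda3 ino=66086 scontext=root:system_r:snmpd_t:s0 tcontext=root:object_r:ricci_modcluster_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type[:level]; policy rules are written on the type.
    return context.split(":")[2]

def denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            found[key].update(m["perms"].split())
    return dict(found)

def allow_rules(found):
    """Render denials in policy 'allow' syntax, for review only."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in found.items()
    )

def hidden_by_enforcing(enforcing_log, permissive_log):
    """Rules seen only in permissive mode, where a denied call still proceeds."""
    seen = set(allow_rules(denials(enforcing_log)))
    return sorted(set(allow_rules(denials(permissive_log))) - seen)

if __name__ == "__main__":
    for rule in allow_rules(denials(PERMISSIVE)):
        print(rule)
    print("only in permissive:", hidden_by_enforcing(ENFORCING, PERMISSIVE))
```

The rendered rules are a mechanical reading of the denials to be reviewed against policy intent; they are not the change made in the fixed selinux-policy packages.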
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
We need to backport fixes from RHEL6 for this.
Fixed in selinux-policy-2.4.6-330.el5
Fixed in selinux-policy-2.4.6-331.el5
Thanks for (even) noticing this and please have a look at something similar for RHEL 6.3 (haven't tested previous minor releases): bug 849262.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html