Bug 849262 - SELinux is preventing /usr/sbin/snmpd (snmpd_t) from write access on the sock_file /var/run/cman_client (corosync_var_run_t)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-08-17 17:37 EDT by Jan Pokorný
Modified: 2013-02-21 03:27 EST
Fixed In Version: selinux-policy-3.7.19-160.el6
Doc Type: Bug Fix
Clone Of: 843443
Last Closed: 2013-02-21 03:27:48 EST
Type: Bug
Description Jan Pokorný 2012-08-17 17:37:45 EDT
Thanks for noticing bug 843443, this is more-or-less the clone.
I guess the same test/verification or its subset may apply here.

type=AVC msg=audit(1345224014.609:5754): avc:  denied  { write }
  for  pid=3795 comm="snmpd" name="cman_client"
  dev=vda2 ino=144815
  scontext=unconfined_u:system_r:snmpd_t:s0
  tcontext=unconfined_u:object_r:corosync_var_run_t:s0
  tclass=sock_file 
type=AVC msg=audit(1345224053.239:5756): avc:  denied  { connectto }
  for  pid=3795 comm="snmpd" path="/var/run/cman_client"
  scontext=unconfined_u:system_r:snmpd_t:s0
  tcontext=unconfined_u:system_r:corosync_t:s0
  tclass=unix_stream_socket 
type=SYSCALL msg=audit(1345224053.239:5756):
  arch=c000003e syscall=42 success=yes exit=0
  a0=a a1=7fffdef9cb50 a2=6e a3=60 items=0 ppid=1 pid=3795
  auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
  tty=(none) ses=163 comm="snmpd" exe="/usr/sbin/snmpd"
  subj=unconfined_u:system_r:snmpd_t:s0 key=(null) 


For some reason, I haven't hit this RHEL 5 one:
> SELinux prevents snmpd (snmpd_t) from writing to /var/run/clumond.sock
> (ricci_modcluster_var_run_t)
-- it may be already handled as a side-effect of previous changes.


Practically, enforcing vs. permissive mode means a change like this:

$ snmpwalk -mREDHAT-CLUSTER-MIB -v2c localhost -c public 1.3.6.1.4.1.2312.8
[...]
REDHAT-CLUSTER-MIB::rhcClusterVotesNeededForQuorum.0 = INTEGER: 0
REDHAT-CLUSTER-MIB::rhcClusterVotes.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterQuorate.0 = INTEGER: 0
[...]

vs.

$ snmpwalk -mREDHAT-CLUSTER-MIB -v 2c localhost -c public 1.3.6.1.4.1.2312.8
[...]
REDHAT-CLUSTER-MIB::rhcClusterVotesNeededForQuorum.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterVotes.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterQuorate.0 = INTEGER: 1
[...]

This is caused by the inability of the cluster SNMP agent to access
/var/run/cman_client to get the info about quorum.


# rpm -q selinux-policy selinux-policy-targeted cluster-snmp net-snmp
selinux-policy-3.7.19-154.el6.noarch
selinux-policy-targeted-3.7.19-154.el6.noarch
cluster-snmp-0.16.2-18.el6.x86_64
net-snmp-5.5-41.el6.x86_6
Comment 2 Milos Malik 2012-08-18 15:29:59 EDT
This AVC shows up in enforcing mode:

----
type=PATH msg=audit(08/18/2012 21:07:28.501:32732) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0 
type=SOCKADDR msg=audit(08/18/2012 21:07:28.501:32732) : saddr=local /var/run/cman_client 
type=SOCKETCALL msg=audit(08/18/2012 21:07:28.501:32732) : nargs=3 a0=b a1=bf97119e a2=6e 
type=SYSCALL msg=audit(08/18/2012 21:07:28.501:32732) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bf971160 a2=5da428 a3=21e52d8 items=1 ppid=1 pid=11602 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(08/18/2012 21:07:28.501:32732) : avc:  denied  { write } for  pid=11602 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file 
----

And these AVCs show up in permissive mode:

----
type=PATH msg=audit(08/18/2012 21:26:52.222:32788) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0 
type=SOCKADDR msg=audit(08/18/2012 21:26:52.222:32788) : saddr=local /var/run/cman_client 
type=SOCKETCALL msg=audit(08/18/2012 21:26:52.222:32788) : nargs=3 a0=b a1=bfcab73e a2=6e 
type=SYSCALL msg=audit(08/18/2012 21:26:52.222:32788) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfcab700 a2=94e428 a3=1e7d868 items=1 ppid=1 pid=12231 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null) 
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc:  denied  { connectto } for  pid=12231 comm=snmpd path=/var/run/cman_client scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc:  denied  { write } for  pid=12231 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file 
----
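The records quoted in the description and in comment 2 show two different things at once: which policy rules are missing (snmpd_t writing to a corosync_var_run_t sock_file and connecting to a corosync_t unix_stream_socket), and whether the machine was enforcing or permissive at the time (the SYSCALL record reads success=no / exit=-13 in enforcing mode, success=yes in permissive mode, where the second AVC for connectto only appears because the first denial did not stop the call). The following script is an added example, not code from the bug or from selinux-policy. It parses both the raw `msg=audit(epoch:serial)` form and the `ausearch -i` form, merges the denied AVCs into audit2allow-style allow rules, and classifies each audit event as enforced or merely logged. The sample input is constructed from the records on this page re-joined onto single lines; the exact rules shipped in selinux-policy-3.7.19-160.el6 are not shown in the bug, so the generated rules are only what the AVCs imply.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL records quoted in the bug, one record per line.
# Serials 5754/5756 are the raw form from the description; 32732 is the
# `ausearch -i` form from comment 2 (enforcing mode, connect() failed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1345224014.609:5754): avc:  denied  { write }  for  pid=3795 comm="snmpd" name="cman_client" dev=vda2 ino=144815 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1345224053.239:5756): avc:  denied  { connectto }  for  pid=3795 comm="snmpd" path="/var/run/cman_client" scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1345224053.239:5756): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=7fffdef9cb50 a2=6e a3=60 items=0 ppid=1 pid=3795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=163 comm="snmpd" exe="/usr/sbin/snmpd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=SYSCALL msg=audit(08/18/2012 21:07:28.501:32732) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bf971160 a2=5da428 a3=21e52d8 items=1 ppid=1 pid=11602 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(08/18/2012 21:07:28.501:32732) : avc:  denied  { write } for  pid=11602 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
"""

MSG_RE = re.compile(r"msg=audit\(([^)]*)\)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record (raw or `ausearch -i` form) into a dict; None if no audit stamp."""
    m = MSG_RE.search(line)
    if not m:
        return None
    # Stamp is "epoch.msec:serial" or "MM/DD/YYYY HH:MM:SS.msec:serial"; the serial follows the last colon.
    rec = {"serial": m.group(1).rsplit(":", 1)[1]}
    # Drop the msg=audit(...) part so the space in the interpreted timestamp
    # cannot confuse the generic key=value scan.
    rest = line[:m.start()] + line[m.end():]
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    avc = AVC_RE.search(line)
    if avc:
        rec["result"] = avc.group(1)
        rec["perms"] = set(avc.group(2).split())
    return rec


def parse_audit(text):
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def type_of(context):
    """SELinux type component of user:role:type:level."""
    return context.split(":")[2]


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def avc_rules(records):
    """Merge denied AVCs into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for rec in records:
        if rec.get("type") != "AVC" or rec.get("result") != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged[key] |= rec["perms"]
    return ["allow %s %s:%s %s;" % (src, tgt, cls, fmt_perms(perms))
            for (src, tgt, cls), perms in sorted(merged.items())]


def classify_events(records):
    """Per audit serial: 'enforcing' if the denied call failed, 'permissive' if it
    was only logged (success=yes), 'unknown' if no SYSCALL record accompanies the AVC."""
    by_serial = defaultdict(list)
    for rec in records:
        by_serial[rec["serial"]].append(rec)
    verdict = {}
    for serial, recs in by_serial.items():
        if not any(r.get("result") == "denied" for r in recs):
            continue
        syscalls = [r for r in recs if r.get("type") == "SYSCALL"]
        if not syscalls:
            verdict[serial] = "unknown"
        elif syscalls[0].get("success") == "yes":
            verdict[serial] = "permissive"
        else:
            verdict[serial] = "enforcing"
    return verdict


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for rule in avc_rules(recs):
        print(rule)
    for serial, mode in sorted(classify_events(recs).items()):
        print("event %s: %s" % (serial, mode))
```

Feeding real `ausearch -m AVC,SYSCALL -ts recent` output through `parse_audit` works the same way; the "permissive" verdict is the useful check when a denial shows up in the log but the application nevertheless behaves, as with the second snmpwalk run in the description.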
Comment 3 Miroslav Grepl 2012-08-20 05:57:55 EDT
Added to Fedora. Will backport.
Comment 6 errata-xmlrpc 2013-02-21 03:27:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
