Thanks for noticing bug 843443, this is more-or-less the clone. I guess the same test/verification or its subset may apply here.

type=AVC msg=audit(1345224014.609:5754): avc: denied { write } for pid=3795 comm="snmpd" name="cman_client" dev=vda2 ino=144815 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1345224053.239:5756): avc: denied { connectto } for pid=3795 comm="snmpd" path="/var/run/cman_client" scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1345224053.239:5756): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=7fffdef9cb50 a2=6e a3=60 items=0 ppid=1 pid=3795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=163 comm="snmpd" exe="/usr/sbin/snmpd" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)

For some reason, I haven't hit this RHEL 5 one:

> SELinux prevents snmpd (snmpd_t) from writing to /var/run/clumond.sock
> (ricci_modcluster_var_run_t)

-- it may be already handled as a side-effect of previous changes.

Practically, enforcing vs. permissive mode means a change like this:

$ snmpwalk -mREDHAT-CLUSTER-MIB -v2c localhost -c public 1.3.6.1.4.1.2312.8
[...]
REDHAT-CLUSTER-MIB::rhcClusterVotesNeededForQuorum.0 = INTEGER: 0
REDHAT-CLUSTER-MIB::rhcClusterVotes.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterQuorate.0 = INTEGER: 0
[...]

vs.

$ snmpwalk -mREDHAT-CLUSTER-MIB -v 2c localhost -c public 1.3.6.1.4.1.2312.8
[...]
REDHAT-CLUSTER-MIB::rhcClusterVotesNeededForQuorum.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterVotes.0 = INTEGER: 2
REDHAT-CLUSTER-MIB::rhcClusterQuorate.0 = INTEGER: 1
[...]

This is caused by the inability of the cluster SNMP agent to access /var/run/cman_client to get the info about quorum.
# rpm -q selinux-policy selinux-policy-targeted cluster-snmp net-snmp
selinux-policy-3.7.19-154.el6.noarch
selinux-policy-targeted-3.7.19-154.el6.noarch
cluster-snmp-0.16.2-18.el6.x86_64
net-snmp-5.5-41.el6.x86_6
This AVC shows up in enforcing mode:

----
type=PATH msg=audit(08/18/2012 21:07:28.501:32732) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0
type=SOCKADDR msg=audit(08/18/2012 21:07:28.501:32732) : saddr=local /var/run/cman_client
type=SOCKETCALL msg=audit(08/18/2012 21:07:28.501:32732) : nargs=3 a0=b a1=bf97119e a2=6e
type=SYSCALL msg=audit(08/18/2012 21:07:28.501:32732) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bf971160 a2=5da428 a3=21e52d8 items=1 ppid=1 pid=11602 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(08/18/2012 21:07:28.501:32732) : avc: denied { write } for pid=11602 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
----

And these AVCs show up in permissive mode:

----
type=PATH msg=audit(08/18/2012 21:26:52.222:32788) : item=0 name=(null) inode=31552 dev=08:03 mode=socket,660 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_var_run_t:s0
type=SOCKADDR msg=audit(08/18/2012 21:26:52.222:32788) : saddr=local /var/run/cman_client
type=SOCKETCALL msg=audit(08/18/2012 21:26:52.222:32788) : nargs=3 a0=b a1=bfcab73e a2=6e
type=SYSCALL msg=audit(08/18/2012 21:26:52.222:32788) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfcab700 a2=94e428 a3=1e7d868 items=1 ppid=1 pid=12231 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=snmpd exe=/usr/sbin/snmpd subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc: denied { connectto } for pid=12231 comm=snmpd path=/var/run/cman_client scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc: denied { write } for pid=12231 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
----
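Added example, not part of this bug's comments or of the selinux-policy package: a small parser that reads AVC records in both formats quoted in this thread (raw auditd with epoch timestamps and quoted values, and the interpreted `ausearch -i` form with unquoted values) and aggregates them into the allow rules a policy fix must cover, the same reduction audit2allow performs. The sample records are constructed from the lines quoted above; the function names are mine.

```python
import re

# Constructed sample, assembled from the denials quoted in this bug: one raw
# auditd record, one non-AVC SYSCALL record (must be skipped), and two
# `ausearch -i` records from the permissive-mode run.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1345224014.609:5754): avc: denied { write } for pid=3795 comm="snmpd" name="cman_client" dev=vda2 ino=144815 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1345224053.239:5756): arch=c000003e syscall=42 success=yes exit=0 comm="snmpd" exe="/usr/sbin/snmpd"
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc: denied { connectto } for pid=12231 comm=snmpd path=/var/run/cman_client scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:system_r:corosync_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(08/18/2012 21:26:52.222:32788) : avc: denied { write } for pid=12231 comm=snmpd name=cman_client dev=sda3 ino=31552 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:corosync_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(m.group("rest")):
        fields[key] = val[1:-1] if val.startswith('"') else val
    # A context is user:role:type[:range]; policy rules are written on the type.
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
    }

def allow_rules(audit_text):
    """Collapse denials into one allow rule per (source, target, class),
    merging permissions, in the style audit2allow prints them."""
    wanted = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        wanted.setdefault(key, set()).update(rec["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in wanted.items())
```

Because enforcing mode logs only the first failed check (the sock_file write), run the collection in permissive mode, as the comment above did, or the unix_stream_socket connectto rule never shows up in the output.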
Added to Fedora. Will backport.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html