Description of problem:
The agentXperms snmpd.conf directive attempts to chmod the agentx socket and fails due to an avc. Issue identical to https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=556688 but for el5 (and possibly el6?)

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. Install net-snmp
2. Include the following in /etc/snmp/snmpd.conf
   master agentx
   agentXSocket /var/agentx/master
   agentXPerms 0660 0555 root asterisk
3. Run `service snmpd restart`

Actual results:
ls -la /var/agentx shows ownership is still root:root and an avc is generated
type=AVC msg=audit(1372321467.050:14571): avc: denied { chown } for pid=2747 comm="snmpd" capability=0 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:system_r:snmpd_t:s0 tclass=capability

Expected results:
Ownership of /var/agentx/master should be as specified in snmpd.conf

Additional info:
Bug already reported and fixed for Fedora 12 it seems.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
We have this rule in Fedora.
Trevor, you can allow it using
# grep snmpd_t /var/log/audit/audit.log |audit2allow -M mypol
# semodule -i mypol.pp
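Added example, not part of the original comments or of the shipped policy: grepping for snmpd_t turns every logged snmpd_t denial into an allow rule, so this sketch parses the AVC records and emits module source only for denials on an explicit approved list. The second log record, the function names and the APPROVED set are assumptions constructed for illustration.

```python
import re

# Constructed sample input. Record 1 is the denial quoted in the report; record 2
# is a made-up extra snmpd_t denial that a plain grep would also pick up.
SAMPLE_LOG = (
    'type=AVC msg=audit(1372321467.050:14571): avc: denied { chown } for pid=2747 '
    'comm="snmpd" capability=0 scontext=user_u:system_r:snmpd_t:s0 '
    'tcontext=user_u:system_r:snmpd_t:s0 tclass=capability\n'
    'type=AVC msg=audit(1372321500.000:14600): avc: denied { read } for pid=2747 '
    'comm="snmpd" name="example" scontext=user_u:system_r:snmpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<src>\S+)"
    r"\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def parse_denials(log_text):
    """Return a sorted list of (source_type, target, class, perm) tuples."""
    found = set()
    for m in AVC_RE.finditer(log_text):
        src = m["src"].split(":")[2]          # context is user:role:type[:level]
        tgt = m["tgt"].split(":")[2]
        tgt = "self" if tgt == src else tgt   # same type is written as "self"
        for perm in m["perms"].split():
            found.add((src, tgt, m["cls"], perm))
    return sorted(found)

def build_module(name, denials, approved):
    """Build .te source for approved denials only; return (te_text, skipped)."""
    keep = [d for d in denials if d in approved]
    skipped = [d for d in denials if d not in approved]
    types = sorted({x for s, t, _, _ in keep for x in (s, t) if x != "self"})
    classes = {}
    for _, _, c, p in keep:
        classes.setdefault(c, set()).add(p)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(ps))} }};" for c, ps in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {p};" for s, t, c, p in keep]
    return "\n".join(lines) + "\n", skipped

APPROVED = {("snmpd_t", "self", "capability", "chown")}  # the one denial in the report

if __name__ == "__main__":
    te, skipped = build_module("mypol", parse_denials(SAMPLE_LOG), APPROVED)
    print(te)
    print("left for manual review:", skipped)
```

Compare the output with the mypol.te that audit2allow -M writes before running semodule -i on the generated package.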
Thanks Miroslav, I've already added a local policy to allow this but given that it was reported and fixed in f12, I figured this should be in the RHEL supplied policy too, hence the bugzilla.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1312.html