Bug 978864 - net-snmp agentXperms chown denied by selinux
net-snmp agentXperms chown denied by selinux
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
Depends On:
  Show dependency treegraph
Reported: 2013-06-27 04:55 EDT by Trevor Hemsley
Modified: 2013-09-30 18:25 EDT (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-346.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-09-30 18:25:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Trevor Hemsley 2013-06-27 04:55:35 EDT
Description of problem:
The agentXperms snmpd.conf directive attempts to chmod the agentx socket and fails due to an avc. Issue identical to https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=556688 but for el5 (and possibly el6?)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install net-snmp
2. Include the following in /etc/snmp/snmpd.conf
master agentx
agentXSocket /var/agentx/master
agentXPerms 0660 0555 root asterisk
3. Run `service snmpd restart`

Actual results:
ls -la /var/agentx shows ownership is still root:root and an avc is generated

type=AVC msg=audit(1372321467.050:14571): avc:  denied  { chown } for  pid=2747 comm="snmpd" capability=0 scontext=user_u:system_r:snmpd_t:s0 tcontext=user_u:system_r:snmpd_t:s0 tclass=capability

Expected results:
Ownership of /var/agentx/master should be as specified in snmpd.conf

Additional info:
Bug already reported and fixed for Fedora 12 it seems.
Comment 2 RHEL Product and Program Management 2013-07-02 04:58:28 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Daniel Walsh 2013-07-02 07:03:46 EDT
We have this rule in fedora.
Comment 4 Miroslav Grepl 2013-07-03 08:45:16 EDT
you can allow it using

# grep snmpd_t /var/log/audit/audit.log |audit2allow -M mypol
# semodule -i mypol.pp
Comment 5 Trevor Hemsley 2013-07-03 08:57:01 EDT
Thanks Miroslav, I've already added a local policy to allow this but given that it was reported and fixed in f12, I figured this should be in the RHEL supplied policy too, hence the bugzilla.
Comment 9 errata-xmlrpc 2013-09-30 18:25:59 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.