Bug 120025 - selinux policy support
Summary: selinux policy support
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: net-snmp
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Phil Knirsch
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC2Target
Reported: 2004-04-05 11:03 UTC by Kaj J. Niemi
Modified: 2015-03-05 01:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-11 13:44:58 UTC
Type: ---
Embargoed:


Attachments
Log snippet from /var/log/messages on which audit2allow is based (deleted), 2004-04-05 11:04 UTC, Kaj J. Niemi
Log snippet from /var/log/messages when walking all MIBs (deleted), 2004-04-05 11:05 UTC, Kaj J. Niemi
syslog output from starting/stopping snmpd (deleted), 2004-04-09 23:48 UTC, Kaj J. Niemi
audit2allow output from starting/stopping snmpd (deleted), 2004-04-09 23:50 UTC, Kaj J. Niemi
syslog output from walking the whole tree (deleted), 2004-04-09 23:54 UTC, Kaj J. Niemi
audit2allow output from walking the whole tree (deleted), 2004-04-09 23:55 UTC, Kaj J. Niemi

Description Kaj J. Niemi 2004-04-05 11:03:15 UTC
Description of problem:
First attachment contains syslog avc output of snmpd start, second
attachment the avc output while walking through every supported MIB.

Version-Release number of selected component (if applicable):
net-snmp-5.1.1

Additional info:
According to audit2allow the following lines need to be added to the
policy to allow snmpd to start without any complaints.

allow snmpd_t home_root_t:dir { search };
allow snmpd_t rpm_var_lib_t:dir { search };
allow snmpd_t rpm_var_lib_t:file { getattr };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };

Walking through every supported MIB also requires the following:

allow snmpd_t amanda_dumpdates_t:file { getattr read };
allow snmpd_t apmd_t:dir { search };
allow snmpd_t apmd_t:file { getattr read };
allow snmpd_t cardmgr_t:dir { search };
allow snmpd_t cardmgr_t:file { getattr read };
allow snmpd_t crond_t:dir { search };
allow snmpd_t crond_t:file { getattr read };
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
allow snmpd_t cupsd_t:dir { search };
allow snmpd_t cupsd_t:file { getattr read };
allow snmpd_t dbusd_t:dir { search };
allow snmpd_t dbusd_t:file { getattr read };
allow snmpd_t device_t:blk_file { read write };
allow snmpd_t dhcpc_t:dir { search };
allow snmpd_t dhcpc_t:file { getattr read };
allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl read };
allow snmpd_t fsdaemon_t:dir { search };
allow snmpd_t fsdaemon_t:file { getattr read };
allow snmpd_t getty_t:dir { search };
allow snmpd_t getty_t:file { getattr read };
allow snmpd_t home_root_t:dir { search };
allow snmpd_t init_t:dir { search };
allow snmpd_t init_t:file { getattr read };
allow snmpd_t initrc_t:dir { search };
allow snmpd_t initrc_t:file { getattr read };
allow snmpd_t initrc_var_run_t:file { lock read write };
allow snmpd_t kernel_t:dir { search };
allow snmpd_t kernel_t:file { getattr read };
allow snmpd_t klogd_t:dir { search };
allow snmpd_t klogd_t:file { getattr read };
allow snmpd_t nmbd_t:dir { search };
allow snmpd_t nmbd_t:file { getattr read };
allow snmpd_t ntpd_t:dir { search };
allow snmpd_t ntpd_t:file { getattr read };
allow snmpd_t pam_t:dir { search };
allow snmpd_t pam_t:file { getattr read };
allow snmpd_t postfix_master_t:dir { search };
allow snmpd_t postfix_master_t:file { getattr read };
allow snmpd_t removable_device_t:blk_file { read };
allow snmpd_t rpc_pipefs_t:dir { getattr };
allow snmpd_t rpm_var_lib_t:dir { add_name getattr search write };
allow snmpd_t rpm_var_lib_t:file { create getattr lock read write };
allow snmpd_t smbd_t:dir { search };
allow snmpd_t smbd_t:file { getattr read };
allow snmpd_t snmpd_t:capability { dac_override kill net_admin sys_nice };
allow snmpd_t sshd_t:dir { search };
allow snmpd_t sshd_t:file { getattr read };
allow snmpd_t sysfs_t:dir { getattr search };
allow snmpd_t syslogd_t:dir { search };
allow snmpd_t syslogd_t:file { getattr read };
allow snmpd_t udev_t:dir { search };
allow snmpd_t udev_t:file { getattr read };
allow snmpd_t user_gph_t:dir { search };
allow snmpd_t user_gph_t:file { getattr read };
allow snmpd_t user_screensaver_t:dir { search };
allow snmpd_t user_screensaver_t:file { getattr read };
allow snmpd_t user_ssh_agent_t:dir { search };
allow snmpd_t user_ssh_agent_t:file { getattr read };
allow snmpd_t user_ssh_t:dir { search };
allow snmpd_t user_ssh_t:file { getattr read };
allow snmpd_t user_t:dir { search };
allow snmpd_t user_t:file { getattr read };
allow snmpd_t user_t:process { signull };
allow snmpd_t var_lib_nfs_t:dir { search };
allow snmpd_t var_log_t:dir { search };
allow snmpd_t var_log_t:file { getattr write };
allow snmpd_t var_t:dir { add_name remove_name write };
allow snmpd_t var_t:file { append create getattr read rename unlink };
allow snmpd_t xdm_t:dir { search };
allow snmpd_t xdm_t:file { getattr read };
allow snmpd_t xdm_xserver_t:dir { search };
allow snmpd_t xdm_xserver_t:file { getattr read };
allow snmpd_t xfs_t:dir { search };
allow snmpd_t xfs_t:file { getattr read };
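
A reviewer-side check, added here as an example and not part of this bug, of net-snmp or of the Fedora policy package, that parses audit2allow "allow" lines like the ones above and flags the grants a policy maintainer would want to look at before merging (capabilities that let the daemon step outside its confinement, write access to block devices, and write-class access on generic types). The heuristics RISKY_CAPS, WRITE_PERMS and GENERIC_TYPES, and the SAMPLE_RULES subset, are assumptions of this example.

```python
import re

# Constructed sample: a handful of the audit2allow suggestions from the report,
# embedded inline so the check runs offline.
SAMPLE_RULES = """\
allow snmpd_t home_root_t:dir { search };
allow snmpd_t var_t:file { append create getattr read rename unlink };
allow snmpd_t device_t:blk_file { read write };
allow snmpd_t fixed_disk_device_t:blk_file { getattr ioctl read };
allow snmpd_t snmpd_t:capability { dac_override kill net_admin sys_nice };
allow snmpd_t user_t:process { signull };
allow snmpd_t sshd_t:file { getattr read };
"""

# allow <source> <target>:<class> { perm perm ... };
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s*\{\s*([^}]*)\}\s*;\s*$")

# Review heuristics (assumptions of this example, not policy from the page):
# capabilities that let a daemon escape its own confinement, and write access
# to generic or device types that a read-mostly monitoring daemon should not need.
RISKY_CAPS = {"dac_override", "net_admin", "kill", "sys_admin", "setuid"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "add_name", "remove_name"}
GENERIC_TYPES = {"var_t", "device_t", "tmp_t", "etc_t", "home_root_t"}


def parse_rules(text):
    """Turn audit2allow 'allow' lines into (source, target, class, {perms}) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((src, tgt, cls, set(perms.split())))
    return rules


def review_rules(text):
    """Return (rule_line, reason) pairs for the rules a reviewer should inspect."""
    findings = []
    for src, tgt, cls, perms in parse_rules(text):
        line = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if cls == "capability" and perms & RISKY_CAPS:
            findings.append((line, f"grants capabilities {sorted(perms & RISKY_CAPS)}"))
        elif cls == "blk_file" and "write" in perms:
            findings.append((line, "write access to a block device"))
        elif tgt in GENERIC_TYPES and perms & WRITE_PERMS:
            findings.append((line, f"write-class access to generic type {tgt}"))
    return findings
```

Rules that only need search or getattr/read on a specific domain's type pass through untouched; the three flagged lines in the sample are the ones a maintainer would rather satisfy with a narrower type or a dedicated file context than with the literal audit2allow output.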

Comment 1 Kaj J. Niemi 2004-04-05 11:04:30 UTC
Created attachment 99106 [details]
Log snippet from /var/log/messages on which audit2allow is based

Comment 2 Kaj J. Niemi 2004-04-05 11:05:26 UTC
Created attachment 99107 [details]
Log snippet from /var/log/messages when walking all MIBs.

Comment 3 Phil Knirsch 2004-04-08 14:32:07 UTC
Daniel, could you check if those additions are ok and make sure they
get into our policy file?

Thanks,

Read ya, Phil

Comment 4 Daniel Walsh 2004-04-08 15:55:36 UTC
I added a lot of fixes for this in policy-1.10.1-6

Please check it out.

Comment 5 Kaj J. Niemi 2004-04-09 23:43:51 UTC
Ok, with policy-1.10.2-1 installed there are fewer avc denied errors.
Attached are log snippets and suggestions from audit2allow.

Comment 6 Kaj J. Niemi 2004-04-09 23:48:59 UTC
Created attachment 99289 [details]
syslog output from starting/stopping snmpd

Comment 7 Kaj J. Niemi 2004-04-09 23:50:05 UTC
Created attachment 99290 [details]
audit2allow output from starting/stopping snmpd

Comment 8 Kaj J. Niemi 2004-04-09 23:54:32 UTC
Created attachment 99291 [details]
syslog output from walking the whole tree

Comment 9 Kaj J. Niemi 2004-04-09 23:55:17 UTC
Created attachment 99292 [details]
audit2allow output from walking the whole tree

Comment 10 Kaj J. Niemi 2004-04-11 13:44:58 UTC
Looks great with policy-1.10.2-5, no more avc denieds. Thanks. I'll go
ahead and close this as RAWHIDE.
