After installing net-snmp with the selinux flag and running rlpkg -a -r, we see that the snmpd binary is in an improper context:

albatros2-vbox1 sel # ps ugaxwZ | grep snmpd
system_u:system_r:initrc_t root 9559 0.0 0.2 43360 4356 ? S 20:36 0:00 /usr/sbin/snmpd -p /var/run/snmpd.pid -Lf /dev/null

The binary was:

albatros2-vbox1 sel # ls -Z /usr/sbin/snmpd
system_u:object_r:bin_t /usr/sbin/snmpd

So in the audit logs we see the following in turn:

Apr 9 20:26:37 albatros2-vbox1 kernel: audit: type=1400 audit(1428600397.357:1574): avc: denied { use } for pid=8900 comm="syslog-ng" path="pipe:[507602]" dev="pipefs" ino=507602 scontext=system_u:system_r:syslogd_t tcontext=staff_u:sysadm_r:sysadm_t tclass=fd
Apr 9 20:26:37 albatros2-vbox1 kernel: audit: type=1400 audit(1428600397.357:1575): avc: denied { write } for pid=8900 comm="syslog-ng" path="pipe:[507602]" dev="pipefs" ino=507602 scontext=system_u:system_r:syslogd_t tcontext=staff_u:sysadm_r:sysadm_t tclass=fifo_file
Apr 9 20:26:37 albatros2-vbox1 kernel: audit: type=1400 audit(1428600397.387:1576): avc: denied { use } for pid=8902 comm="checkpath" path="pipe:[507602]" dev="pipefs" ino=507602 scontext=system_u:system_r:tmpfiles_t tcontext=staff_u:sysadm_r:sysadm_t tclass=fd
Apr 9 20:26:37 albatros2-vbox1 kernel: audit: type=1400 audit(1428600397.387:1577): avc: denied { write } for pid=8902 comm="checkpath" path="pipe:[507602]" dev="pipefs" ino=507602 scontext=system_u:system_r:tmpfiles_t tcontext=staff_u:sysadm_r:sysadm_t tclass=fifo_file
Apr 9 20:26:37 albatros2-vbox1 kernel: audit: type=1400 audit(1428600397.387:1578): avc: denied { getattr } for pid=8902 comm="openrc" path="/var/lib/syslog-ng" dev="sda1" ino=2041925 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:syslogd_var_lib_t tclass=dir
Apr 9 20:26:37 albatros2-vbox1 kernel: audit: type=1400 audit(1428600397.387:1579): avc: denied { relabelfrom } for pid=8902 comm="openrc" name="syslog-ng" dev="sda1" ino=2041925 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:syslogd_var_lib_t tclass=dir
Apr 9 20:26:37 albatros2-vbox1 kernel: audit: type=1400 audit(1428600397.387:1580): avc: denied { relabelto } for pid=8902 comm="openrc" name="syslog-ng" dev="sda1" ino=2041925 scontext=system_u:system_r:tmpfiles_t tcontext=system_u:object_r:syslogd_var_lib_t tclass=dir

After chcon -t snmpd_exec_t /usr/sbin/snmpd all goes well, as it should.

Reproducible: Always
can you post ls -lZ /etc/init.d/snmpd or whatever the init script is called. it should be snmpd_initrc_exec_t, is that correct? are there any other binaries that get installed that are missing labels? the policy fc file mentions

/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)

are those still correct as well? if the only thing missing is /usr/sbin/snmpd, then i'll add that to the policy. Thanks!
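As an added illustration (not code from this bug or from the policy repository) of why the two .fc entries quoted above leave /usr/sbin/snmpd with the generic bin_t label: a small Python matcher that applies .fc entries the way setfiles does, anchoring each path regex to the whole path, honouring the file-type flag, and taking the last matching entry. The /usr/sbin(/.*)? bin_t fallback line is constructed for the example, and FC_FIX is the kind of entry the reporter's chcon emulates by hand.

```python
import re

# Constructed excerpt of a refpolicy-style .fc file: the two snmp entries quoted
# in the thread plus a generic /usr/sbin -> bin_t fallback (the fallback line is
# constructed for this example; the real policy's default entry may differ).
FC_SOURCE = """
/usr/sbin(/.*)?          gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/snmptrap   --  gen_context(system_u:object_r:snmpd_exec_t,s0)
/usr/sbin/snmptrapd  --  gen_context(system_u:object_r:snmpd_exec_t,s0)
"""

# The entry the bug asks for: a dedicated label for the daemon binary itself.
FC_FIX = "/usr/sbin/snmpd  --  gen_context(system_u:object_r:snmpd_exec_t,s0)\n"

# <path regex> [<type flag>] gen_context(<context>,<mls range>)
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dbcslp])\s+)?gen_context\(([^,]+),([^)]+)\)$")


def parse_fc(text):
    """Parse .fc lines into (path_regex, type_flag_or_None, context), in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("unparseable fc line: " + line)
        entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def match_context(entries, path, ftype="--"):
    """Label a path the way setfiles does: each regex is anchored to the whole
    path, entries with a type flag only apply to that file type ('--' regular
    file, '-d' directory, ...), and the last matching entry wins."""
    context = None
    for regex, flag, ctx in entries:
        if flag is not None and flag != ftype:
            continue
        if re.fullmatch(regex, path):
            context = ctx
    return context


def labels_for(fc_text, paths):
    """Map each path to the context the given .fc text would assign it."""
    entries = parse_fc(fc_text)
    return {p: match_context(entries, p) for p in paths}


if __name__ == "__main__":
    binaries = ["/usr/sbin/snmpd", "/usr/sbin/snmptrapd"]
    print("before fix:", labels_for(FC_SOURCE, binaries))
    print("after fix: ", labels_for(FC_SOURCE + FC_FIX, binaries))
```

Because /usr/sbin/snmpd is neither /usr/sbin/snmptrap nor /usr/sbin/snmptrapd, only the fallback matches it, which is exactly the bin_t seen in the ls -Z output and the reason init ends up running it in initrc_t instead of snmpd_t.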
gawriloff@albatros2-vbox1 ~ $ ls -lZ /etc/init.d/snmpd
-rwxr-xr-x. 1 root root system_u:object_r:snmpd_initrc_exec_t 797 апр 9 16:06 /etc/init.d/snmpd
gawriloff@albatros2-vbox1 ~ $ ls -lZ /usr/sbin/snmp*
-rwxr-xr-x. 1 root root system_u:object_r:snmpd_exec_t 31456 апр 9 16:06 /usr/sbin/snmpd
-rwxr-xr-x. 1 root root system_u:object_r:snmpd_exec_t 31520 апр 9 16:06 /usr/sbin/snmptrapd

So, yes. It seems only /usr/sbin/snmpd has a missing label.
sent this upstream. will apply to our repo once it's been applied up there. it'll be in the next release.
in policy -r5
r5 policy has been stabilized