Bug 229017 - snmp-enabled squid throws avc denied
Summary: snmp-enabled squid throws avc denied
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2007-02-16 15:34 UTC by Peter Bieringer
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0741
Doc Type: Bug Fix
Last Closed: 2007-11-15 16:07:00 UTC

Links
System: Red Hat Product Errata
ID: RHBA-2007:0741
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2007-11-14 17:04:04 UTC

Description Peter Bieringer 2007-02-16 15:34:22 UTC
Description of problem:
After enabling the SNMP server in squid for monitoring I found several avc
denied messages.


Version-Release number of selected component (if applicable):
squid-2.5.STABLE6-3.4E.12
selinux-policy-targeted-1.17.30-2.140
selinux runs in permissive mode

How reproducible:
After each restart

Steps to Reproduce:
1. enable SNMP server in squid
2. restart squid
  
Actual results:
Feb 13 09:50:25 server kernel: audit(1171356625.011:8): avc:  denied  { name_bind } for  pid=2798 comm="squid" src=3401 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=udp_socket
Feb 13 13:52:09 server kernel: audit(1171371129.246:9): avc:  denied  { name_bind } for  pid=2798 comm="squid" src=3401 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=udp_socket
Feb 13 14:18:51 server kernel: audit(1171372731.965:10): avc:  denied  { name_bind } for  pid=12051 comm="squid" src=3401 scontext=root:system_r:squid_t tcontext=system_u:object_r:port_t tclass=udp_socket

Expected results:
No such messages

Additional info:
Looks like there is something missing in the squid related selinux policy.

Comment 1 Peter Bieringer 2007-04-10 10:47:05 UTC
At least related to that issue are the following avc denied messages:

Apr 10 12:43:39 server kernel: audit(1176201819.386:25): avc:  denied  { read } for  pid=19295 comm="snmpd" name="mib.txt" dev=sda2 ino=291075 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:squid_conf_t tclass=file
Apr 10 12:43:39 server kernel: audit(1176201819.386:26): avc:  denied  { getattr } for  pid=19295 comm="snmpd" name="mib.txt" dev=sda2 ino=291075 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:squid_conf_t tclass=file

They are caused by a restart of snmpd after specifying squid's SNMP mib file in
/etc/snmp/conf (it looks like snmpd also reads the snmp client config file...):

# grep squid /etc/snmp/snmp.conf 
mibfile /etc/squid/mib.txt


Comment 2 Daniel Walsh 2007-06-21 13:18:20 UTC
Fixed in selinux-policy-targeted-1.17.30-2.146

Comment 3 RHEL Product and Program Management 2007-06-26 15:25:53 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Josef Kubin 2007-08-13 19:21:34 UTC
Can't reproduce with selinux-policy-targeted-1.17.30-2.145.noarch

The following lines have been uncommented in squid.conf:
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic localhost

# netstat -an | grep :3401
udp        0      0 0.0.0.0:3401                0.0.0.0:*

Only the following lines, irrelevant to the tested bug, have appeared after each restart:

type=AVC msg=audit(1187032781.014:465): avc:  denied  { search } for  pid=12548 comm="squid" name="tps" dev=0:13 ino=5264296 scontext=root:system_r:squid_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1187032781.014:465): arch=14 syscall=11 success=no exit=-13 a0=ffffd6d0 a1=ffffc690 a2=ffffea90 a3=2 items=1 pid=12548 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="squid" exe="/usr/sbin/squid"
type=CWD msg=audit(1187032781.014:465):  cwd="/opt/Errata/2007:0741/tps"
type=PATH msg=audit(1187032781.014:465): name="squid_start" flags=101 inode=5264296 dev=00:13 mode=042755 ouid=0 ogid=1076 rdev=00:00

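The denials quoted in this report come in two formats: the RHEL4 kernel-log style in the description and comment 1, and the type=AVC audit style in comment 6. The following Python is an added example, not code from this bug or from the selinux-policy package: it parses both formats, groups the denials by source type, permission, target type and object class, and renders each group as the allow rule audit2allow would propose, flagging port_t targets as needing a port label instead. The sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: AVC lines quoted in this bug, rejoined onto single lines. Both
# formats on the page are present: RHEL4 kernel-log style and "type=AVC msg=audit(...)".
SAMPLE_LOG = """\
Feb 13 09:50:25 server kernel: audit(1171356625.011:8): avc:  denied  { name_bind } for  pid=2798 comm="squid" src=3401 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=udp_socket
Feb 13 13:52:09 server kernel: audit(1171371129.246:9): avc:  denied  { name_bind } for  pid=2798 comm="squid" src=3401 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=udp_socket
Apr 10 12:43:39 server kernel: audit(1176201819.386:25): avc:  denied  { read } for  pid=19295 comm="snmpd" name="mib.txt" dev=sda2 ino=291075 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:squid_conf_t tclass=file
Apr 10 12:43:39 server kernel: audit(1176201819.386:26): avc:  denied  { getattr } for  pid=19295 comm="snmpd" name="mib.txt" dev=sda2 ino=291075 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:squid_conf_t tclass=file
type=AVC msg=audit(1187032781.014:465): avc:  denied  { search } for  pid=12548 comm="squid" name="tps" dev=0:13 ino=5264296 scontext=root:system_r:squid_t tcontext=system_u:object_r:nfs_t tclass=dir
type=SYSCALL msg=audit(1187032781.014:465): arch=14 syscall=11 success=no exit=-13 comm="squid" exe="/usr/sbin/squid"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into a dict; None for non-AVC lines such as type=SYSCALL."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Count denials per (source type, permission, target type, object class)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["stype"], perm, rec["ttype"], rec["tclass"])] += 1
    return counts

def triage(counts):
    """One line per group: the allow rule audit2allow would propose, plus a review hint."""
    notes = []
    for (stype, perm, ttype, tclass), n in sorted(counts.items()):
        note = f"{n}x allow {stype} {ttype}:{tclass} {perm};"
        # port_t is the generic type of ports without a specific label; a policy fix labels the port.
        if ttype == "port_t":
            note += "  # review: unlabelled port, add a port label instead of allowing port_t"
        notes.append(note)
    return notes
```

Run `triage(summarize(SAMPLE_LOG))` to get four groups; the two squid name_bind denials on UDP 3401 collapse into one group carrying the port label hint.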

Comment 7 Peter Bieringer 2007-08-17 08:45:35 UTC
Sorry for the delay, I was out of office.

Here are the related configuration parts:

snmp_port 3401
acl snmppublic snmp_community mrtg
snmp_access allow snmppublic localhost
snmp_access deny all
snmp_incoming_address 127.0.0.1

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.145

The following log lines related to squid were seen recently:

Aug  9 09:25:17 server kernel: audit(1186644317.132:14): avc:  denied  { name_bind } for  pid=4136 comm="squid" src=3401 scontext=user_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=udp_socket
Aug  9 09:26:33 server kernel: audit(1186644393.888:15): avc:  denied  { name_bind } for  pid=31580 comm="squid" src=3401 scontext=root:system_r:squid_t tcontext=system_u:object_r:port_t tclass=udp_socket

Aug 10 09:23:58 server kernel: audit(1186730638.068:16): avc:  denied  { search } for  pid=23926 comm="snmpd" name="squid" dev=sda2 ino=291070 scontext=system_u:system_r:snmpd_t tcontext=system_u:object_r:squid_conf_t tclass=dir


Comment 8 Daniel Walsh 2007-08-17 10:30:02 UTC
If you download the candidate policy for the u5 update, does squid work for you?

http://people.redhat.com/dwalsh/SELinux/RHEL4

Comment 9 Peter Bieringer 2007-08-17 12:08:52 UTC
It's gone after updating to selinux-policy-targeted-1.17.30-2.148 and restarting
squid.

Comment 11 errata-xmlrpc 2007-11-15 16:07:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0741.html