Problems with snmpd following update.
David Rye
d.rye at roadtech.co.uk
Wed Feb 1 18:54:43 UTC 2006
David Rye wrote:
>
> Have run into a problem on a couple of servers that I have updated in
> the last week or so.
>
> snmpd does not start after a reboot, the following log extract is from
> /var/log/messages on server f4.
>
> Jan 31 17:26:54 f4 acpid: acpid startup succeeded
> Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied { execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
> Jan 31 17:26:54 f4 snmpd: /usr/sbin/snmpd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
> Jan 31 17:26:54 f4 snmpd: snmpd startup failed
>
> Running
> execstack -q /usr/lib/libbeecrypt.so.6
> gives
> X /usr/lib/libbeecrypt.so.6
>
> So the library is explicitly marked as requiring an executable stack.
>
> Looking at the obvious rpms yields the following
>
> kernel-2.6.12-1.1381_FC3 was kernel-2.6.11-1.14_FC3
> net-snmp-5.2.1.2-FC3.1 unchanged
> net-snmp-libs-5.2.1.2-FC3.1 unchanged
> selinux-policy-targeted-1.17.30-3.19 was selinux-policy-targeted-1.17.30-2.96
> libselinux-1.19.1-8 unchanged
> beecrypt-3.1.0-6 unchanged
>
setenforce 0
service snmpd start
setenforce 1
Starts snmpd but logs 3 policy violations:
Feb 1 13:54:47 f4 kernel: audit(1138802087.074:6): avc: denied { execmem } for pid=8464 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=process
Feb 1 13:54:47 f4 kernel: audit(1138802087.099:7): avc: denied { read } for pid=8464 comm="snmpd" name="config" dev=dm-0 ino=13320608 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Feb 1 13:54:47 f4 kernel: audit(1138802087.099:8): avc: denied { getattr } for pid=8464 comm="snmpd" name="config" dev=dm-0 ino=13320608 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Note inode 13320608 is /etc/selinux/config
ls -Z /usr/sbin/snmpd
-rwxr-xr-x root root system_u:object_r:snmpd_exec_t /usr/sbin/snmpd
Which on my limited understanding looks correct and I think means that
snmpd executes with a custom policy indicated by the snmpd_exec_t bit.
Does this mean that there is a bug in the policy for snmpd defined by
the rpm selinux-policy-targeted-1.17.30-3.19 ?
--
J. David Rye
http://www.roadrunner.uk.com
http://www.rha.org.uk
mailto://d.rye@roadtech.co.uk
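The post works through the diagnosis by hand: read the AVC denial out of /var/log/messages, notice it is an execmem denial on snmpd, then check with execstack(8) which shared object is marked as needing an executable stack. The script below is an added example that is not part of the original post and not Fedora or net-snmp code; it automates that same triage. It assumes the 2006-era "audit(...): avc: denied { perm }" syslog format shown above, and the sample log lines embedded in it are constructed for the example. The find_execstack_libs helper assumes ldd and execstack (from the prelink package) are installed.

```shell
#!/bin/sh
# Added example (not from the original post): triage SELinux AVC denials
# from a syslog extract and, for execmem denials, find which shared
# object the denied program loads that is flagged for an executable stack.

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_LOG='Jan 31 17:26:54 f4 acpid: acpid startup succeeded
Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc:  denied  { execmem } for  pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
Feb 1 13:54:47 f4 kernel: audit(1138802087.099:7): avc:  denied  { read } for  pid=8464 comm="snmpd" name="config" dev=dm-0 ino=13320608 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Feb 1 13:54:47 f4 snmpd: snmpd startup failed'

# parse_avc: read syslog lines on stdin, emit one record per AVC denial as
#   perm|comm|scontext|tcontext|tclass
# Lines that are not AVC denials (or lack a comm= field) are dropped.
parse_avc() {
    sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *}.*comm="\([^"]*\)".*scontext=\([^ ]*\).*tcontext=\([^ ]*\).*tclass=\([^ ]*\).*/\1|\2|\3|\4|\5/p'
}

# count_execmem COMM: number of execmem denials for the given comm on stdin.
# An execmem denial on a process domain (tclass=process) is what the post
# saw when the dynamic loader tried to make the stack executable.
count_execmem() {
    parse_avc | awk -F'|' -v c="$1" '$1 == "execmem" && $2 == c { n++ } END { print n + 0 }'
}

# list_denials: human-readable summary of every denial on stdin, one per line.
list_denials() {
    parse_avc | awk -F'|' '{ printf "%s denied %s (%s -> %s, %s)\n", $2, $1, $3, $4, $5 }'
}

# find_execstack_libs BINARY: print the shared objects BINARY links against
# that carry the executable-stack flag (execstack -q prints "X path" for
# those, "- path" otherwise). Needs ldd and execstack; returns 2 if absent.
# This is the check the post did by hand on /usr/lib/libbeecrypt.so.6.
find_execstack_libs() {
    command -v execstack >/dev/null 2>&1 || { echo "execstack not installed (prelink package)" >&2; return 2; }
    command -v ldd >/dev/null 2>&1 || { echo "ldd not installed" >&2; return 2; }
    ldd "$1" | awk '/=>/ { print $3 }' | grep '^/' | xargs execstack -q 2>/dev/null | grep '^X' | awk '{ print $2 }'
}

# Stand-alone run: summarise the sample and, if snmpd hit execmem, show the
# library check that would be run on a real host.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | list_denials
    if [ "$(printf '%s\n' "$SAMPLE_LOG" | count_execmem snmpd)" -gt 0 ]; then
        echo "snmpd was denied execmem; libraries flagged for an executable stack:"
        find_execstack_libs /usr/sbin/snmpd || true
    fi
fi
```

Run it as `sh avc-triage.sh --demo` on a host to see the summary, or pipe a real extract into `list_denials` and `count_execmem snmpd`. On the post's system `find_execstack_libs /usr/sbin/snmpd` would be expected to print /usr/lib/libbeecrypt.so.6, matching the `execstack -q` result quoted above. Note that execstack can also clear the flag (`execstack -c library`), but whether that is the right response, rather than a policy change, is exactly the question the post leaves open; the script only reports.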