Problems with snmpd following update.

David Rye d.rye at roadtech.co.uk
Wed Feb 1 18:54:43 UTC 2006


David Rye wrote:
> 
> Have run in to a problem on a couple of servers that I have updated in
> the last week or so.
> 
> snmpd does not start after a reboot, the following log extract is from
> /var/log/messages on server f4.
> 
> Jan 31 17:26:54 f4 acpid: acpid startup succeeded
> Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc:  denied  { execmem } for  pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
> Jan 31 17:26:54 f4 snmpd: /usr/sbin/snmpd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
> Jan 31 17:26:54 f4 snmpd: snmpd startup failed
> 
> Running
> execstack -q /usr/lib/libbeecrypt.so.6
> gives
> X /usr/lib/libbeecrypt.so.6
> 
> So the library is explicitly marked as requiring an executable stack.
> 
> looking at the obvious rpms yields the following
> 
> kernel-2.6.12-1.1381_FC3                was kernel-2.6.11-1.14_FC3
> net-snmp-5.2.1.2-FC3.1                  unchanged
> net-snmp-libs-5.2.1.2-FC3.1             unchanged
> selinux-policy-targeted-1.17.30-3.19    was selinux-policy-targeted-1.17.30-2.96
> libselinux-1.19.1-8                     unchanged
> beecrypt-3.1.0-6                        unchanged
> 


setenforce 0
service snmpd start
setenforce 1

Starts snmpd but logs 3 policy violations

Feb  1 13:54:47 f4 kernel: audit(1138802087.074:6): avc:  
denied  { execmem } for  pid=8464 comm="snmpd" 
scontext=root:system_r:snmpd_t 
tcontext=root:system_r:snmpd_t 
tclass=process

Feb  1 13:54:47 f4 kernel: audit(1138802087.099:7): avc:  
denied  { read } for pid=8464 comm="snmpd" 
name="config" dev=dm-0 ino=13320608 
scontext=root:system_r:snmpd_t 
tcontext=system_u:object_r:selinux_config_t 
tclass=file

Feb  1 13:54:47 f4 kernel: audit(1138802087.099:8): avc:  
denied  { getattr } for  pid=8464 comm="snmpd" 
name="config" dev=dm-0 ino=13320608 
scontext=root:system_r:snmpd_t 
tcontext=system_u:object_r:selinux_config_t 
tclass=file

Note inode 13320608 is /etc/selinux/config

ls -Z /usr/sbin/snmpd
-rwxr-xr-x  root     root     system_u:object_r:snmpd_exec_t  
/usr/sbin/snmpd

Which, on my limited understanding, looks correct and I think means that
snmpd executes with a custom policy indicated by the snmpd_exec_t bit.

Does this mean that there is a bug in the policy for snmpd defined by
the rpm selinux-policy-targeted-1.17.30-3.19 ?

-- 
J. David Rye
http://www.roadrunner.uk.com
http://www.rha.org.uk
mailto://d.rye@roadtech.co.uk
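The two checks above (reading AVC denials out of /var/log/messages, and asking whether a shared object is flagged as needing an executable stack) can be done from a single script. The following is an added example, not code from David Rye's message or from the net-snmp or SELinux projects; the AVC sample lines are the ones from the thread with the mail wrapping joined back together, and the ELF image is constructed in memory so the PT_GNU_STACK check (the flag that `execstack -q` reports as X, - or ?) can be exercised without touching /usr/lib. Only ELF64 little-endian images are handled.

```python
"""Triage helper for an snmpd execmem/execstack failure under SELinux.

Added example (not from the original message). It parses AVC denial
lines into fields and reads the PT_GNU_STACK program header of an ELF
shared object, which is what decides whether the loader must map an
executable stack (and therefore trips the execmem check).
"""
import re
import struct

# ---- AVC denial parsing -------------------------------------------------

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Lines reconstructed from the thread, with the mail wrapping removed.
SAMPLE_LOG = [
    'Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc:  denied  { execmem } for  '
    'pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t '
    'tcontext=user_u:system_r:snmpd_t tclass=process',
    'Feb  1 13:54:47 f4 kernel: audit(1138802087.099:7): avc:  denied  { read } for '
    'pid=8464 comm="snmpd" name="config" dev=dm-0 ino=13320608 '
    'scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file',
    'Jan 31 17:26:54 f4 acpid: acpid startup succeeded',  # not an AVC line
]


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Extract the type field (third component) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def triage(lines):
    """Summarise every AVC denial in the given log lines as one string each."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        target = rec.get("name") or rec.get("tclass", "?")
        out.append("%s[%s] in %s denied %s on %s (%s)" % (
            rec.get("comm", "?"), rec.get("pid", "?"), type_of(rec.get("scontext", "?")),
            "/".join(rec["perms"]), target, type_of(rec.get("tcontext", "?"))))
    return out


# ---- PT_GNU_STACK check (what `execstack -q` reports) -------------------

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_flag(elf):
    """Return 'X' if PT_GNU_STACK asks for an executable stack, '-' if it asks
    for a non-executable one, '?' if the header is absent (as execstack -q does)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"


def make_elf(stack_flags=None):
    """Construct a minimal ELF64 ET_DYN image with one PT_GNU_STACK header
    carrying stack_flags, or no program headers at all when None. Test data only."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              3, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    if phnum:
        hdr += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return hdr


def check_file(path):
    """Report the stack flag of a real shared object on disk, e.g. /usr/lib/libbeecrypt.so.6."""
    with open(path, "rb") as fh:
        return stack_flag(fh.read())


if __name__ == "__main__":
    for summary in triage(SAMPLE_LOG):
        print(summary)
    print("constructed exec-stack object:", stack_flag(make_elf(PF_R | PF_W | PF_X)))
```

Run against a live box, `check_file("/usr/lib/libbeecrypt.so.6")` returning "X" is the same answer as the `execstack -q` output in the thread, and `triage()` over `/var/log/messages` groups the denials by source type and target type, which is what you need to see whether the execmem denial and the selinux_config_t read come from the same snmpd_t domain.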