Problems with snmpd following update.
David Rye
d.rye at roadtech.co.uk
Wed Feb 1 19:20:28 UTC 2006
Daniel J Walsh wrote:
>
> David Rye wrote:
> > Have run in to a problem on a couple of servers that I have updated in
> > the last week or so.
> >
> > snmpd does not start after a reboot, the following log extract is from
> > /var/log/messages on server f4.
> >
> > Jan 31 17:26:54 f4 acpid: acpid startup succeeded
> > Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied { execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
> > Jan 31 17:26:54 f4 snmpd: /usr/sbin/snmpd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
> > Jan 31 17:26:54 f4 snmpd: snmpd startup failed
> >
> Does it work if you
> execstack -c /usr/lib/libbeecrypt.so.6
Yes and no.
snmpd starts, but the following entry is added to /var/log/messages:
Feb 1 18:31:48 workstation1 kernel: audit(1138818708.669:5): avc:
denied { search } for pid=3176 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:sysctl_dev_t
tclass=dir
snmpwalk will then display the MIB tree, or at any rate most of it.
However, while running snmpwalk, 9000 additional avc: entries were
added to /var/log/messages.
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:7): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:8): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:9): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:10): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:11): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:12): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:13): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:14): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.956:15): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs
ino=1392
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usbfs_t
tclass=dir
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.962:16): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:boot_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.000:17): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs
ino=1392
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usbfs_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.002:18): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:boot_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.018:19): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs
ino=1392
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usbfs_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.020:20): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:boot_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.035:21): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs
ino=1392
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usbfs_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.055:22): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:boot_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.071:23): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs
ino=1392
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usbfs_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.073:24): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:boot_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.092:25): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs
ino=1392
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usbfs_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.095:26): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:boot_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.111:27): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs
ino=1392
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usbfs_t
tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.111:28): avc:
denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:boot_t
tclass=dir
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.112:29): avc:
denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=9895940
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:tmp_t
tclass=dir
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.135:30): avc:
denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=3915910
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usr_t
tclass=lnk_file
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.135:31): avc:
denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=4374529
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:tmp_t
tclass=dir
Feb 1 18:37:42 workstation1 kernel: audit(1138819062.738:32): avc:
denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=9895940
scontext=root:system_r:snmpd_t tcontext=system_u:object_r:tmp_t
tclass=dir
Feb 1 18:37:42 workstation1 kernel: audit(1138819062.738:33): avc:
denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=3915910
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usr_t
tclass=lnk_file
Feb 1 18:37:42 workstation1 kernel: audit(1138819062.738:34): avc:
denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=4374529
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:tmp_t
tclass=dir
Feb 1 18:37:44 workstation1 kernel: audit(1138819063.999:35): avc:
denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=9895940
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:tmp_t
tclass=dir
Feb 1 18:37:44 workstation1 kernel: audit(1138819063.999:36): avc:
denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=3915910
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usr_t
tclass=lnk_file
------snip another 6000 odd lines, all getattr or read on file tmp----

inode    path
3915910  symlink /usr/tmp -> /var/tmp
4374529  /tmp
9895940  /var/tmp
> > Running
> > execstack -q /usr/lib/libbeecrypt.so.6
> > gives
> > X /usr/lib/libbeecrypt.so.6
> >
> > So the library is explicitly marked as requiring an executable stack.
> >
> > looking at the obvious rpms yields the following
> >
> > kernel-2.6.12-1.1381_FC3 was kernel-2.6.11-1.14_FC3
> > net-snmp-5.2.1.2-FC3.1 unchanged
> > net-snmp-libs-5.2.1.2-FC3.1 unchanged
> > selinux-policy-targeted-1.17.30-3.19 was
> > selinux-policy-targeted-1.17.30-2.96
> > libselinux-1.19.1-8 unchanged
> > beecrypt-3.1.0-6 unchanged
> >
> > Any suggestions appreciated.
> >
--
J. David Rye
http://www.roadrunner.uk.com
http://www.rha.org.uk
mailto://d.rye@roadtech.co.uk
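The 9000-odd denials above are only a handful of distinct (source domain, target type, class, permission) tuples repeated many times, which is the form a policy question actually takes. The script below is an added example (not part of the original post or of net-snmp/selinux-policy): it re-joins records that a mail client wrapped over several lines, parses the pre-auditd `kernel: audit(...): avc: denied` syslog format quoted in the thread, and collapses the flood into audit2allow-style counts. SAMPLE_LOG is constructed from entries quoted above. Two caveats a practitioner would want: `execstack -c` only rewrites the PT_GNU_STACK flag in the file so the loader stops asking for an executable stack, which is why snmpd now loads; the proper fix is in the library's build, not in policy, so the script flags execmem/execstack-type permissions for review rather than as rules to add. And `signull` is the permission checked for kill(pid, 0)-style existence probes, so a burst of them against unconfined_t is a process-table scan, not a real signal.

```python
"""Summarise SELinux AVC denials in the syslog format quoted in this thread.
Added example, not code from the original post.  SAMPLE_LOG is constructed
from quoted entries and wrapped across lines the way the mailer wrapped them."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied {
execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t
tcontext=user_u:system_r:snmpd_t tclass=process
Feb 1 18:31:48 workstation1 kernel: audit(1138818708.669:5): avc:
denied { search } for pid=3176 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:sysctl_dev_t
tclass=dir
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:7): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:8): avc:
denied { signull } for pid=3285 comm="snmpd"
scontext=root:system_r:snmpd_t
tcontext=root:system_r:unconfined_t
tclass=process
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.135:30): avc:
denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2
ino=3915910
scontext=root:system_r:snmpd_t
tcontext=system_u:object_r:usr_t
tclass=lnk_file
"""

# A new syslog record starts with "<Mon> <d> <hh:mm:ss> <host> kernel: audit(".
RECORD_START = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:\s+audit\(")
AVC_RE = re.compile(
    r"avc:\s*denied\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that let a domain create executable memory; never grant to quiet a log.
DANGEROUS = {"execmem", "execstack", "execmod", "execheap"}


def join_wrapped(text):
    """Re-join records that were wrapped over several lines (e.g. by a mailer)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Return denied permissions plus key=value fields of one AVC record,
    or None if the record is not an AVC denial."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def summarize(text):
    """Count denials by (source domain, target type, class, permission)."""
    counts = Counter()
    for record in join_wrapped(text):
        avc = parse_avc(record)
        if avc is None:
            continue
        key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
        for perm in avc["perms"]:
            counts[key + (perm,)] += 1
    return counts


def candidate_rules(counts):
    """audit2allow-style rules, most frequent first, flagging the ones that
    belong in a fixed binary or library rather than in policy."""
    rules = []
    for (sdom, ttype, tclass, perm), n in counts.most_common():
        rule = f"allow {sdom} {ttype}:{tclass} {perm};"
        if perm in DANGEROUS:
            rule += "  # REVIEW: do not grant just to quiet the log"
        rules.append((n, rule))
    return rules


if __name__ == "__main__":
    for n, rule in candidate_rules(summarize(SAMPLE_LOG)):
        print(f"{n:6d}  {rule}")
```

Run it against a real /var/log/messages extract by passing the file contents to `summarize()`; the output is the short list of tuples to take to the policy maintainers, with the execmem line marked as something to fix in beecrypt's build rather than to allow.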