On Tue, 2012-12-18 at 16:37 +0000, Moray Henderson wrote:
Hi SELinux
Trying to start apcupsd (version 3.14.10) configured for snmp on CentOS 6.3 (targeted policy 3.7.19) results in:
sls.test.office:~# ausearch -a 18629 -a 18630
time->Tue Dec 18 16:07:47 2012
type=SYSCALL msg=audit(1355846867.862:18629): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7fffabaa61f0 a2=10 a3=7fffabaa5f30 items=0 ppid=1 pid=2162 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="apcupsd" exe="/sbin/apcupsd" subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1355846867.862:18629): avc: denied { node_bind } for pid=2162 comm="apcupsd" scontext=unconfined_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
time->Tue Dec 18 16:07:47 2012
type=SYSCALL msg=audit(1355846867.864:18630): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7fffabaa61f0 a2=10 a3=7fffabaa5f30 items=0 ppid=1 pid=2162 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="apcupsd" exe="/sbin/apcupsd" subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1355846867.864:18630): avc: denied { net_bind_service } for pid=2162 comm="apcupsd" capability=10 scontext=unconfined_u:system_r:apcupsd_t:s0 tcontext=unconfined_u:system_r:apcupsd_t:s0 tclass=capability
type=AVC msg=audit(1355846867.864:18630): avc: denied { name_bind } for pid=2162 comm="apcupsd" src=162 scontext=unconfined_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:snmp_port_t:s0 tclass=udp_socket
If SELinux is enforcing, apcupsd crashes. If SELinux is permissive, it works.
apcupsd.conf contains:
UPSCABLE ether
UPSTYPE snmp
DEVICE 192.168.1.1:161:APC:private
Is there a configuration, Boolean or a policy-writing macro to fix this easily?
mkdir myapcupsd; cd myapcupsd
# Write the module source with a quoted heredoc, so the shell does not
# treat the m4 backtick quote in gen_require(` ... ') as command substitution.
cat > myapcupsd.te <<'EOF'
policy_module(myapcupsd, 1.0.0)

gen_require(`
	type apcupsd_t;
')

corenet_udp_bind_generic_node(apcupsd_t)
corenet_udp_bind_snmp_port(apcupsd_t)
allow apcupsd_t self:capability net_bind_service;
EOF
# The devel Makefile builds the .pp target from the .te in the current directory.
make -f /usr/share/selinux/devel/Makefile myapcupsd.pp
sudo semodule -i myapcupsd.pp
Consider filing a bugzilla please.
Moray. "To err is human; to purr, feline."
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
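For reading denials like the ones above before reaching for audit2allow, here is an added example (not from this thread, apcupsd or refpolicy): a small Python script that parses ausearch output, groups the AVC records by event serial, renders the raw allow rule each denial would need and, for the network denials, the corenetwork interface a module should call instead of a raw rule. The sample records are re-typed copies of the three denials in this thread; the interface names it derives follow the refpolicy corenet_<proto>_bind_<port>_port / corenet_<proto>_bind_generic_node naming convention, which is an assumption to check against corenetwork.if for the policy version in use. It also flags name_bind denials on ports below 1024, since those are the ones that drag in the net_bind_service capability.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the ausearch output in this thread,
# one record per line (the SYSCALL fields are shortened; they are not parsed).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1355846867.862:18629): arch=c000003e syscall=49 success=yes exit=0 comm="apcupsd" exe="/sbin/apcupsd" subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1355846867.862:18629): avc: denied { node_bind } for pid=2162 comm="apcupsd" scontext=unconfined_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1355846867.864:18630): arch=c000003e syscall=49 success=yes exit=0 comm="apcupsd" exe="/sbin/apcupsd" subj=unconfined_u:system_r:apcupsd_t:s0 key=(null)
type=AVC msg=audit(1355846867.864:18630): avc: denied { net_bind_service } for pid=2162 comm="apcupsd" capability=10 scontext=unconfined_u:system_r:apcupsd_t:s0 tcontext=unconfined_u:system_r:apcupsd_t:s0 tclass=capability
type=AVC msg=audit(1355846867.864:18630): avc: denied { name_bind } for pid=2162 comm="apcupsd" src=162 scontext=unconfined_u:system_r:apcupsd_t:s0 tcontext=system_u:object_r:snmp_port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied '
    r'\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC denial with the fields a policy writer needs:
    event serial, denied permissions, source/target types, class, and the
    src port or capability number when the record carries one."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # SYSCALL and other record types are ignored here
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        denials.append({
            'serial': int(m.group('serial')),
            'perms': m.group('perms').split(),
            'comm': fields.get('comm'),
            'stype': fields['scontext'].split(':')[2],   # user:role:TYPE:level
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'src_port': int(fields['src']) if 'src' in fields else None,
            'capability': int(fields['capability']) if 'capability' in fields else None,
        })
    return denials


def by_event(denials):
    """Group denials by audit event serial; one syscall can raise several."""
    groups = defaultdict(list)
    for d in denials:
        groups[d['serial']].append(d)
    return dict(groups)


def to_allow_rule(d):
    """Render the minimal .te allow rule for one denial ('self' when the
    source and target types match, as for capabilities)."""
    target = 'self' if d['ttype'] == d['stype'] else d['ttype']
    perms = ' '.join(d['perms'])
    if len(d['perms']) > 1:
        perms = '{ %s }' % perms
    return 'allow %s %s:%s %s;' % (d['stype'], target, d['tclass'], perms)


def suggest_interface(d):
    """Map a socket bind denial to the refpolicy corenetwork interface that
    grants it. The corenet_<proto>_bind_<port>_port and
    corenet_<proto>_bind_generic_node names are an assumed convention;
    confirm the interface exists in corenetwork.if before using it."""
    if d['tclass'] not in ('udp_socket', 'tcp_socket'):
        return None
    proto = d['tclass'].split('_')[0]
    if 'name_bind' in d['perms'] and d['ttype'].endswith('_port_t'):
        port = d['ttype'][:-len('_port_t')]
        return 'corenet_%s_bind_%s_port(%s)' % (proto, port, d['stype'])
    if 'node_bind' in d['perms'] and d['ttype'] == 'node_t':
        return 'corenet_%s_bind_generic_node(%s)' % (proto, d['stype'])
    return None


def reserved_port_binds(denials):
    """name_bind on a port below 1024 also needs CAP_NET_BIND_SERVICE, which
    explains a capability denial in the same event (udp/162 here)."""
    return [d for d in denials
            if 'name_bind' in d['perms']
            and d['src_port'] is not None and d['src_port'] < 1024]


if __name__ == '__main__':
    for serial, ds in sorted(by_event(parse_avc(SAMPLE_AUDIT)).items()):
        print('event', serial)
        for d in ds:
            print('  %-55s -> %s' % (to_allow_rule(d),
                                     suggest_interface(d) or '(no corenet interface)'))
```

Feed it the real ausearch output instead of SAMPLE_AUDIT and the output for the two events above is the same three rules grift's module uses; the point of the interface column is that a module built from interfaces stays valid when the port type's definition changes, where a raw allow on snmp_port_t does not.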
On Tue, 2012-12-18 at 17:49 +0100, grift wrote:
I am adding this upstream (should eventually trickle down):
From 87e5d6d571cb82c3a96159041962c2a9378bc023 Tue, 18 Dec 2012 17:59:34 +0100
From: Dominick Grift dominick.grift@gmail.com
Date: Tue, 18 Dec 2012 17:59:18 +0100
Subject: [PATCH] Changes to the apcupsd policy module
Support apcupsd configured for snmp
Signed-off-by: Dominick Grift dominick.grift@gmail.com diff --git a/apcupsd.te b/apcupsd.te index ceb368d..9cd93c5 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -1,4 +1,4 @@ -policy_module(apcupsd, 1.8.3) +policy_module(apcupsd, 1.8.4)
######################################## # @@ -29,7 +29,7 @@ # Local policy #
-allow apcupsd_t self:capability { dac_override setgid sys_tty_config }; +allow apcupsd_t self:capability { dac_override setgid sys_tty_config net_bind_service }; allow apcupsd_t self:process signal; allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; @@ -58,13 +58,20 @@ corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -corenet_tcp_sendrecv_all_ports(apcupsd_t) corenet_tcp_bind_generic_node(apcupsd_t) +corenet_udp_sendrecv_generic_if(apcupsd_t) +corenet_udp_sendrecv_generic_node(apcupsd_t) +corenet_udp_bind_generic_node(apcupsd_t)
corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) +corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t)
+corenet_udp_bind_snmp_port(apcupsd_t) +corenet_sendrecv_snmp_server_packets(apcupsd_t) +corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
files_read_etc_files(apcupsd_t)
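Review bot: the net_bind_service added to the self:capability rule in the @@ -29,7 +29,7 @@ hunk may duplicate what corenet_udp_bind_snmp_port(apcupsd_t) in the following hunk already grants: the corenetwork bind interfaces for reserved ports (below 1024; the denial in this thread shows src=162) normally carry allow $1 self:capability net_bind_service; themselves, which is the point Moray raises in his reply. If that holds for the policy version this targets, drop the explicit capability, or leave a comment on the line saying why it is kept, so the rule does not read as an unrelated widening of the domain.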
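Review bot: the @@ -58,13 +58,20 @@ hunk replaces corenet_tcp_sendrecv_all_ports(apcupsd_t) with corenet_tcp_sendrecv_apcupsd_port(apcupsd_t), which narrows TCP traffic for the domain to the apcupsd port; that tightening is unrelated to the subject "Support apcupsd configured for snmp" and is not mentioned in the message, so either split it into its own commit or state it in the commit message and confirm that no other supported UPSTYPE needs TCP to other port types. The UDP additions themselves line up with the denials in the thread: corenet_udp_bind_generic_node covers node_bind on node_t, corenet_udp_bind_snmp_port covers name_bind with src=162 on snmp_port_t, and the generic_if/generic_node sendrecv lines together with corenet_udp_sendrecv_snmp_port are what let the SNMP datagrams flow once the bind succeeds.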
-----Original Message-----
From: grift [mailto:dominick.grift@gmail.com]
Sent: 18 December 2012 17:01
Excellent - thanks. It looks as if corenet_udp_bind_snmp_port already allows the capability net_bind_service. Do you still want an RHEL 6 bug logged?
Moray. “To err is human; to purr, feline.”