LinuxQuestions.org
Linux - Security
08-11-2010, 05:58 AM   #1
gimpy530 (Member)
SELinux module to allow snmpd to write to /tmp


I am using the "extend" function of snmpd to run a script in order to extend a monitoring platform. This script, which is run by snmpd, needs to write to a file in /tmp for later parsing, but SELinux is stopping it from writing to the file under /tmp.

The following two lines from my audit.log file show what is happening:

Code:
type=AVC msg=audit(1281516573.123:18422): avc:  denied  { write } for  pid=6933 comm="test2.sh" name="tmp" dev=dm-0 ino=1474561 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

type=SYSCALL msg=audit(1281516573.123:18422): arch=40000003 syscall=5 success=no exit=-13 a0=918aa98 a1=8241 a2=1b6 a3=8241 items=0 ppid=6777 pid=6933 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3064 comm="test2.sh" exe="/bin/bash" subj=root:system_r:snmpd_t:s0 key=(null)
Using information from http://wiki.centos.org/HowTos/SELinux I was able to create a .te file, compile, and load it. With semodule -l I can see it is loaded just fine, however it still blocks snmpd from writing to /tmp. I have gone as far as to reboot after loading the module into SELinux but it still blocks it.

I created the te file using audit2allow. The steps used are at the end of this post, but I tried grepping audit.log for both test2.sh and snmpd and then created separate modules; neither works.

Here are the te files I have tried:

grep test2.sh /var/log/audit/audit.log | audit2allow -M allowsnmpdwritetmp
Code:
module allowsnmpdwritetmp 1.0;

require {
        type snmpd_t;
        type tmp_t;
        class dir write;
}

#============= snmpd_t ==============
allow snmpd_t tmp_t:dir write;
grep snmpd /var/log/audit/audit.log | audit2allow -M allowsnmpdwritetmp2
Code:
module allowsnmpdwritetmp2 1.0;

require {
        type initrc_tmp_t;
        type snmpd_t;
        type var_t;
        type tmp_t;
        class dir { write add_name };
        class file { read write getattr append };
}

#============= snmpd_t ==============
allow snmpd_t initrc_tmp_t:file write;
allow snmpd_t tmp_t:dir { write add_name };
allow snmpd_t var_t:file { read getattr append };
egrep 'snmpd|test.sh' /var/log/audit/audit.log | audit2allow -M allowsnmpdwritetmp3
Code:
module allowsnmpdwritetmp3 1.0;

require {
        type initrc_tmp_t;
        type snmpd_t;
        type var_t;
        type tmp_t;
        class dir { write add_name };
        class file { rename write getattr read create unlink append };
}

#============= snmpd_t ==============
allow snmpd_t initrc_tmp_t:file write;
allow snmpd_t tmp_t:dir { write add_name };
allow snmpd_t tmp_t:file create;
allow snmpd_t var_t:file { read rename getattr unlink append };
Lastly, here is how I did everything:

Code:
grep test2.sh /var/log/audit/audit.log | audit2allow -M allowsnmpdwritetmp
checkmodule -M -m -o allowsnmpdwritetmp.mod allowsnmpdwritetmp.te
semodule_package -o allowsnmpdwritetmp.pp -m allowsnmpdwritetmp.mod
semodule -v -i allowsnmpdwritetmp.pp
semodule -l | grep allowsnmpdwritetmp
service snmpd restart
snmpwalk...
Still gives a permission denied when the test2.sh script is run via an snmpwalk using net-snmp's extend function.

I'm new to SELinux and I don't know where else to look to get this to work. The only other thing I know of is to use setsebool to tell SELinux to let snmpd do whatever it wants, which I cannot do for obvious security concerns.

Any help is appreciated.

CentOS 5.5 x86
Code:
[root@nable-centos-devx64 selinux]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
 
08-11-2010, 11:28 AM   #2
unSpawn (Moderator)
Quote (originally posted by gimpy530):
with semodule -l I can see it is loaded just fine, however it still blocks snmpd from writing to /tmp. (..) after loading the module into SELinux but it still blocks it. (..) I tried grepping audit.log for both test2.sh and snmpd then created separate modules, neither works. (..) Still gives a permission denied when the test2.sh script is run via an snmpwalk using net-snmp's extend function.
You've done quite a lot to determine which rules you need to get this temp file writing covered but the AVC messages you post do not correspond at all with the Type Enforcement rules you have created, neither does saying "doesn't work" help us determine what AVC messages still pop up or if there's anything else on another level (which user and group is the test2.sh owned by? Should the source context be root:snmpd_t ? Should the file have certain access rights? Are there any mount flags in play?) that could be keeping your process from running: more info please!
 
08-12-2010, 03:59 AM   #3
gimpy530 (Member, original poster)
I actually just got this to work....once. Then I removed it with semodule to test another SNMP issue. When I added the .pp back in and restarted snmpd just like last time, I still get the permission denied error from the script when run via snmpd. This confuses me. It was working and now the exact same .pp does not work. I even rebooted after reloading it but it is still causing snmpd to give me a permission denied.

How I got it to work was to clear out audit.log, run an snmpwalk to cause the entries to be written to audit.log, then copy this new "snmpd errors only" audit.log to my working dir. With this file I did the same steps as in my first post to create a te, mod, and pp, but instead of doing a grep and pipe to audit2allow, I simply did 'cat audit.log | audit2allow' (using the audit.log that only had all the snmpd errors). This was to ensure that everything that was in audit.log after it blocked snmpd would be given to audit2allow.

The te looks like such now:
Code:
module allowsnmpdwritetmp 1.0;

require {
        type snmpd_t;
        type tmp_t;
        class file write;
        class dir write;
}

#============= snmpd_t ==============
allow snmpd_t tmp_t:dir write;
allow snmpd_t tmp_t:file write;
Remember, this *exact* te worked....once. Now if I go ahead and load the pp that was made from this te I get the permission denied message and the following entries are in the main audit.log:

Code:
type=AVC msg=audit(1281602719.337:473): avc:  denied  { add_name } for  pid=6569 comm="test2.sh" name="foo" scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1281602719.337:473): arch=40000003 syscall=5 success=no exit=-13 a0=9aafa98 a1=8241 a2=1b6 a3=8241 items=0 ppid=2491 pid=6569 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="test2.sh" exe="/bin/bash" subj=root:system_r:snmpd_t:s0 key=(null)
So, why would this work once but no longer? Is there anything you see in the new audit.log that is not in the te?

After loading the pp which worked once, I again cleared audit.log, ran an snmpwalk, took the entries that were in this new audit.log, appended them to my earlier audit.log, created a new te, mod, and pp, loaded it, and restarted snmpd, but it still gives a permission denied and the same errors as shown above are in audit.log.

The script is owned by root (user and group), snmpd runs as root, no mount flags (fstab has 'defaults'), there shouldn't be any special access rights to the script which snmpd runs, although in the future perms will be 750. Again, this is my first time working with SELinux so I'm sure I am doing something wrong, I just don't know what.
 
08-12-2010, 04:59 PM   #4
unSpawn (Moderator)
Quote (originally posted by gimpy530):
Is there anything you see in the new audit.log that is not in the te?
Running your AVC messages through audit2allow gives me "allow snmpd_t tmp_t:dir add_name;".

I could try and see if I can replicate this if you provide the script's contents and your SNMPd config, but please grep only uncommented lines.
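The step unSpawn describes here, feeding the AVC records through audit2allow and getting back "allow snmpd_t tmp_t:dir add_name;", can be reproduced with a short parser, which also makes it clear why each audit2allow round turns up a new permission: SELinux checks permissions one at a time, so the add_name denial on the directory only appears once the earlier write denial has been allowed. The following Python script is an added example, not code from the thread or from the audit2allow tool. It reads the AVC lines quoted in posts #1 and #3 (embedded as sample input, with the SYSCALL record shortened), collects the denied permissions per (source type, target type, object class), and renders a module whose require block declares every type and permission its allow rules use. Function and module names are my own.

```python
import re
from collections import defaultdict

# Audit lines copied from posts #1 and #3 above; the SYSCALL record is
# shortened here because only the AVC records carry the denial itself.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1281516573.123:18422): avc:  denied  { write } for  pid=6933 comm="test2.sh" name="tmp" dev=dm-0 ino=1474561 scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1281516573.123:18422): arch=40000003 syscall=5 success=no exit=-13 comm="test2.sh" exe="/bin/bash" subj=root:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1281602719.337:473): avc:  denied  { add_name } for  pid=6569 comm="test2.sh" name="foo" scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Only AVC records are of interest; the fields are pulled out by name.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)"
    r".*?\btcontext=(?P<tcon>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type of a user:role:type[:level] SELinux context string."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Map (source type, target type, object class) to the set of denied perms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:          # SYSCALL and other record types are skipped
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """Render a permission set as policy source expects: a bare name or a
    brace-enclosed list."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules):
    """Render a .te module. The require block lists every type and every
    (class, permission) the allow rules use, which checkmodule needs in
    order to accept the file."""
    types = set()
    class_perms = defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        class_perms[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(class_perms[c])};" for c in sorted(class_perms)]
    out += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(rules[key])};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("allowsnmpdwritetmp", parse_denials(SAMPLE_AUDIT_LOG)))
```

Running it on the two denials from the thread produces a single rule, allow snmpd_t tmp_t:dir { add_name write };, which is the union of what posts #1 and #3 saw. Whether snmpd_t should be allowed to create entries in tmp_t at all is a separate policy decision; the generator only says what would silence the denials it was given.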
 
08-13-2010, 05:39 AM   #5
gimpy530 (Member, original poster)
Here is the information you requested:

snmpd.conf
Code:
rocommunity foo
extend .1.4 test2 /usr/local/bin/test2.sh
/usr/local/bin/test2.sh
Code:
#!/bin/bash

echo "foo" > /tmp/foo
snmpwalk -v 1 -c foo 127.0.0.1 .1.4
 
08-14-2010, 03:09 PM   #6
unSpawn (Moderator)
I'm not able to reproduce this on a clean CentOS 5.5 with SELinux enabled and net-snmp and net-snmp-utils. Neither running snmpd nor using "exec" or "extend" returns any audit failures.
 
08-16-2010, 11:47 AM   #7
gimpy530 (Member, original poster)
Did the script create the file under /tmp correctly? You can also view the exit status of this script as it is ran by snmpd with: snmpget -v 1 -c foo 127.0.0.1 .1.4.3.1.4.5.116.101.115.116.50
 
08-16-2010, 05:25 PM   #8
unSpawn (Moderator)
Thanks, I got it to work now using stock net-snmp. Using "exec" in snmp.conf and a /tmp/foo.sh BaSH script with octal mode 0755 and context tmp_t. The local policy addition for snmpd contains only two lines:
Code:
allow snmpd_t tmp_t:dir { write add_name };
allow snmpd_t tmp_t:file { read write ioctl create getattr };
Using "extend" in snmp.conf and a /usr/local/bin/foo.sh BaSH script with octal mode 0755 for .1.4 snmpwalk returns a "/usr/local/bin/foo.sh: Exec format error", however there is no change in policy.
 
08-22-2010, 07:08 PM   #9
gimpy530 (Member, original poster)
So you are saying it should be:


Code:
module allowsnmpwritetmp 1.0;

require {
        type snmpd_t;
        type tmp_t;
        class file write;
        class dir { write add_name };
}

#============= snmpd_t ==============
allow snmpd_t tmp_t:dir { write add_name };
allow snmpd_t tmp_t:file { read write ioctl create getattr };
...but that gives me the following errors when I use checkmodule -M -m -o allowsnmpwritetmp.mod allowsnmpwritetmp.te:

Code:
checkmodule:  loading policy configuration from allowsnmpwritetmp.te
(unknown source)::ERROR 'permission read is not defined for class file' at token ';' on line 13:
allow snmpd_t tmp_t:file { read write ioctl create getattr };
allow snmpd_t tmp_t:dir { write add_name };
(unknown source)::ERROR 'permission ioctl is not defined for class file' at token ';' on line 13:
allow snmpd_t tmp_t:file { read write ioctl create getattr };
allow snmpd_t tmp_t:dir { write add_name };
(unknown source)::ERROR 'permission create is not defined for class file' at token ';' on line 13:
allow snmpd_t tmp_t:file { read write ioctl create getattr };
allow snmpd_t tmp_t:dir { write add_name };
(unknown source)::ERROR 'permission getattr is not defined for class file' at token ';' on line 13:
allow snmpd_t tmp_t:file { read write ioctl create getattr };
allow snmpd_t tmp_t:dir { write add_name };
checkmodule:  error(s) encountered while parsing configuration
So it only allows "write". What does this mean?
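The checkmodule errors above come from the require block rather than from the allow rules: a module's require block has to declare, per class, every permission name the rules use, and "class file write;" declares only write, so read, ioctl, create and getattr are undefined for class file when the last rule is parsed (the dir rule is fine because its require line lists both write and add_name). The following Python script is an added example, not code from the thread or from the SELinux toolchain; it parses the module from post #9 (embedded as sample input), reports exactly the gap checkmodule complains about, and rewrites the require block so it covers the allow rules. Function names and the regexes are my own and only handle the simple type/class/allow syntax seen on this page.

```python
import re

# The module from post #9 above, copied from the thread. Its require block
# declares only "write" for class file, yet the last allow rule uses five
# file permissions; that is exactly what checkmodule rejects.
BROKEN_TE = """\
module allowsnmpwritetmp 1.0;

require {
        type snmpd_t;
        type tmp_t;
        class file write;
        class dir { write add_name };
}

#============= snmpd_t ==============
allow snmpd_t tmp_t:dir { write add_name };
allow snmpd_t tmp_t:file { read write ioctl create getattr };
"""

# A permission list is either a single name or a brace-enclosed set.
PERMS = r"(?:\{\s*([^}]*?)\s*\}|(\w+))"
REQUIRE_RE = re.compile(r"require\s*\{(.*?)^\}", re.S | re.M)
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;")
CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+" + PERMS + r"\s*;")
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+" + PERMS + r"\s*;", re.M)


def _perm_set(braced, single):
    return set(braced.split()) if braced else {single}


def parse_te(text):
    """Return (declared types, {class: declared perms}, [(src, tgt, class, perms)])."""
    m = REQUIRE_RE.search(text)
    body = m.group(1) if m else ""
    types = set(TYPE_RE.findall(body))
    class_perms = {}
    for cls, braced, single in CLASS_RE.findall(body):
        class_perms.setdefault(cls, set()).update(_perm_set(braced, single))
    allows = [(s, t, cls, _perm_set(braced, single))
              for s, t, cls, braced, single in ALLOW_RE.findall(text)]
    return types, class_perms, allows


def lint_require(text):
    """Report what checkmodule would complain about: permissions used by an
    allow rule but not declared for that class, and types never declared."""
    types, class_perms, allows = parse_te(text)
    missing_perms, missing_types = {}, set()
    for src, tgt, cls, used in allows:
        missing_types.update(t for t in (src, tgt) if t not in types)
        gap = used - class_perms.get(cls, set())
        if gap:
            missing_perms.setdefault(cls, set()).update(gap)
    return missing_perms, missing_types


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def fix_require(text):
    """Rewrite the require block so it declares every type and every class
    permission that the allow rules use."""
    types, class_perms, allows = parse_te(text)
    for src, tgt, cls, used in allows:
        types.update((src, tgt))
        class_perms.setdefault(cls, set()).update(used)
    block = ["require {"]
    block += [f"\ttype {t};" for t in sorted(types)]
    block += [f"\tclass {c} {fmt_perms(class_perms[c])};" for c in sorted(class_perms)]
    block.append("}")
    return REQUIRE_RE.sub(lambda _: "\n".join(block), text, count=1)


if __name__ == "__main__":
    print("missing:", lint_require(BROKEN_TE))
    print(fix_require(BROKEN_TE))
```

On the module from post #9 the lint reports file: read, ioctl, create, getattr, matching the four checkmodule errors one for one, and the rewritten require block reads class file { create getattr ioctl read write };. This is also why audit2allow-generated modules compile cleanly: it writes the require block from the same denials it turns into rules, so the two never disagree.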
 
02-27-2012, 02:36 PM   #10
5mi11er (LQ Newbie)
I had the same type of problem, but I'm not convinced the OP's problem was that the script was unable to write to the /tmp file. I believe the problem was the script was not granted permissions to execute by the snmp daemon.

What I did to fix my problem on CentOS 6 was this:
chcon -t snmpd_exec_t <script's filename>

I would hope this would also work on CentOS 5...

-Scott