SELinux denial when running a script from snmpd.conf that needs to create files in the /var/log/ directory
Environment
- Red Hat Enterprise Linux (All Versions)
Issue
- We have a script that is called from snmpd.conf that does several things, among which is updating some files in /var/log/ using sed.
- When this script is called, we get an AVC denial:
type=AVC msg=audit(1398778095.604:153): avc: denied { create } for pid=5009 comm="sed" name="sednUvBDj" scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
Resolution
- The snmpd process only has access to files in /var/log labeled snmpd_log_t. The fix is to label the file it needs to access correctly.
- If it is a single file, change the label on that file. If there are multiple files, put them in the /var/log/snmpd directory.
# chcon -t snmpd_log_t /path/to/file
or
# semanage fcontext -a -t snmpd_log_t /path/to/file
# restorecon -R -v /path/to/file
Root Cause
- The snmpd process can write to the following log file type:
allow snmpd_t snmpd_log_t: file { ioctl read write create getattr setattr lock append unlink link rename open };
- This type is assigned based on the following file context definition:
# semanage fcontext -l | grep snmpd_log_t
/var/log/snmpd\.log.* regular file system_u:object_r:snmpd_log_t:s0
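As an added illustration (not part of the original solution): a small Python checker that parses an AVC record in the format quoted above together with the allow rule from Root Cause, and reports which target type the policy already grants for the denied access. The sample record and rule are constructed copies of the ones on this page.

```python
import re

# Constructed sample input, copied in shape from the denial and the allow rule on this page.
AVC_LINE = ('type=AVC msg=audit(1398778095.604:153): avc: denied { create } for pid=5009 '
            'comm="sed" name="sednUvBDj" scontext=system_u:system_r:snmpd_t:s0 '
            'tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file')
ALLOW_RULE = ('allow snmpd_t snmpd_log_t: file { ioctl read write create getattr setattr '
              'lock append unlink link rename open };')


def parse_allow(rule):
    """Parse 'allow SRC TGT: CLASS { perms };' into ((src, tgt, cls), {perms})."""
    m = re.match(r'allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;', rule.strip())
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    src, tgt, cls, perms = m.groups()
    return (src, tgt, cls), set(perms.split())


def parse_avc(line):
    """Extract denied permissions, source/target types and object class from an AVC record."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$', line)
    if not m:
        return None
    # key=value pairs after "for"; quoted values (comm, name) lose their quotes
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    return {
        "perms": set(m.group(1).split()),
        "stype": fields["scontext"].split(":")[2],  # type part of user:role:type:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def suggest_target_type(rec, rules):
    """Return a target type the policy already allows for this source type, class and
    permission set (i.e. the label the object should carry), or None if no rule fits."""
    for (src, tgt, cls), perms in rules:
        if src == rec["stype"] and cls == rec["tclass"] and rec["perms"] <= perms:
            return tgt
    return None


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    want = suggest_target_type(rec, [parse_allow(ALLOW_RULE)])
    print(f'{rec["comm"]} denied {sorted(rec["perms"])} on {rec["tclass"]} labeled '
          f'{rec["ttype"]}; policy allows this for {want}')
```

Note that for a `create` denial the tcontext is the label the new object would receive, which by default is inherited from the directory it is created in, so the temporary file sed writes next to the edited file in /var/log gets var_log_t even after the final file itself has been relabeled; this is why the /var/log/snmpd directory option in the Resolution matters.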
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.