-
Bug
-
Resolution: Unresolved
-
Major
-
dirsrv-11.5
Description of problem:
The RHDS SNMP agent fails to start with selinux SELinux errors
There are several SELinux definitions that are missing
Version-Release number of selected component (if applicable):
RHDS-11.5 on RHEL-8.6
How reproducible:
on demand
Steps to Reproduce:
1. Have RHDS-11.5 installed and an instance running with some data
2. for the admin guide to start the SNMP configuration
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/monitoring_ds_using_snmp#doc-wrapper
21.10. Monitoring Directory Server Using SNMP
21.10.4. Setting up an SNMP Agent for Directory Server
An RHDS instance is running:
dsctl m1 status
Instance "m1" is running
SNMP is configured:
systemctl start snmpd
ps ax | egrep "snmp|agent"
35799 ? Ss 0:00 /usr/sbin/snmpd -LS0-6d -f
3. 21.10.4. Setting up an SNMP Agent for Directory Server
Start the dirsrv-snmp service:
Actual results:
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#
Expected results:
yes
see "solution" at the end of "Additional Information"
Additional info:
RHDS-11.5 RHEL-8.6
cat /etc/redhat-release ; uname -a ; rpm -q nss nspr 389-ds-base redhat-ds sssd
Red Hat Enterprise Linux release 8.6 (Ootpa)
Linux m1.example.test 4.18.0-372.9.1.el8.x86_64 #1 SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
nss-3.67.0-7.el8_5.x86_64
nspr-4.32.0-1.el8_4.x86_64
389-ds-base-1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
package redhat-ds is not installed
sssd-2.6.2-3.el8.x86_64
[root@m1 ~]#
yum module info redhat-ds:11 | less
...
Name : redhat-ds
Stream : 11 [d][e][a]
Version : 8060020220328133644
Context : fd2afb17
Architecture : x86_64
Profiles : default [d] [i], legacy, minimal
Default profiles : default
Repo : dirsrv-11-for-rhel-8-x86_64-rpms
Summary : Red Hat Directory Server 11.5
Description : The Red Hat Directory Server is an LDAPv3 compliant server.
Requires : platform:[el8]
Artifacts : 389-ds-base-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.src
: 389-ds-base-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-debugsource-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-devel-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-legacy-tools-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-legacy-tools-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-libs-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-libs-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-snmp-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: 389-ds-base-snmp-debuginfo-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.x86_64
: cockpit-389-ds-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.noarch
: python3-lib389-0:1.4.3.29-3.module+el8dsrv+14615+a86efbbf.noarch
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled, [a]ctive
(END)
...
systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#
ps ax | egrep "snmp|agent"
35799 ? Ss 0:00 /usr/sbin/snmpd -LS0-6d -f
[root@m1 ~]#
snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
->
nothing
less /var/log/messages
...
Oct 3 19:04:36 m1 setroubleshoot[57601]: SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t. For complete SELinux messages run: sealert -l d5ce697b-7ad1-41e8-8c69-0320ed90c703
Oct 3 19:04:36 m1 setroubleshoot[57601]: SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that snmpd should be allowed sys_ptrace access on cap_userns labeled snmpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd#012# semodule -X 300 -i my-snmpd.pp#012
(END)
sealert -l d5ce697b-7ad1-41e8-8c69-0320ed90c703
SELinux is preventing /usr/sbin/snmpd from sys_ptrace access on the cap_userns labeled snmpd_t.
-
-
-
-
- Plugin catchall (100. confidence) suggests **************************
-
-
-
If you believe that snmpd should be allowed sys_ptrace access on cap_userns labeled snmpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
- ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd
MPORTANT ***********************
To make this policy package active, execute:
semodule -i my-snmpd.pp
[root@m1 ~]#
semodule -X 300 -i my-snmpd.pp
Source Context system_u:system_r:snmpd_t:s0
Target Context system_u:system_r:snmpd_t:s0
Target Objects Unknown [ cap_userns ]
Source snmpd
Source Path /usr/sbin/snmpd
Port <Unknown>
Host m1.example.test
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-95.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-95.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name m1.example.test
Platform Linux m1.example.test 4.18.0-372.9.1.el8.x86_64 #1
SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64
Alert Count 745
First Seen 2022-10-03 18:58:32 GMT
Last Seen 2022-10-03 19:03:40 GMT
Local ID d5ce697b-7ad1-41e8-8c69-0320ed90c703
Raw Audit Messages
type=AVC msg=audit(1664823820.832:970): avc: denied
for pid=35799 comm="snmpd" capability=19 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=cap_userns permissive=0
Hash: snmpd,snmpd_t,snmpd_t,cap_userns,sys_ptrace
[root@m1 ~]#
->
ausearch -c 'snmpd' --raw | audit2allow -M my-snmpd
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-snmpd.pp
[root@m1 ~]#
- IMPORTANT ***********************
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
semodule -X 300 -i my-snmpd.pp
systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#
journalctl -xe
Oct 03 19:14:11 m1.example.test systemd[1]: Starting 389 Directory Server SNMP Subagent....
– Subject: Unit dirsrv-snmp.service has begun start-up
– Defined-By: systemd
– Support: https://access.redhat.com/support
–
-- Unit dirsrv-snmp.service has begun starting up.
Oct 03 19:14:11 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.211' (uid=0 pid=851 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using service>
Oct 03 19:14:11 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 03 19:14:13 m1.example.test setroubleshoot[60443]: Deleting alert d5ce697b-7ad1-41e8-8c69-0320ed90c703, it is allowed in current policy
Oct 03 19:14:13 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Cancel pending alarm
Oct 03 19:14:13 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.543' (uid=991 pid=60443 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="syst>
Oct 03 19:14:13 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability. For complete SELinux messages run: sealert -l de96bd1a-58ba-47a9-b2a6-8afe1dd995fb
Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability.
-
-
-
-
- Plugin dac_override (91.4 confidence) suggests **********************
-
-
-
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
- auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute - ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
-
-
-
-
- Plugin catchall (9.59 confidence) suggests **************************
-
-
-
If you believe that ldap-agent should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
- ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
- semodule -X 300 -i my-ldapagent.pp
Oct 03 19:14:14 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Set alarm timeout to 10
Oct 03 19:14:16 m1.example.test setroubleshoot[60443]: AnalyzeThread.run(): Cancel pending alarm
...
– Unit dirsrv-snmp.service has failed.
–
-- The result is failed.
lines 3659-3684/3684 (END)
ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IMPORTANT ***********************
To make this policy package active, execute:
- IMPORTANT ***********************
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
semodule -i my-ldapagent.pp
[root@m1 ~]#
semodule -X 300 -i my-ldapagent.pp
systemctl start dirsrv-snmp
Job for dirsrv-snmp.service failed because the control process exited with error code.
See "systemctl status dirsrv-snmp.service" and "journalctl -xe" for details.
[root@m1 ~]#
Oct 03 19:20:11 m1.example.test systemd[1]: Starting 389 Directory Server SNMP Subagent....
– Subject: Unit dirsrv-snmp.service has begun start-up
– Defined-By: systemd
– Support: https://access.redhat.com/support
–
-- Unit dirsrv-snmp.service has begun starting up.
Oct 03 19:20:14 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.211' (uid=0 pid=851 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using service>
Oct 03 19:20:14 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Oct 03 19:20:15 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Cancel pending alarm
Oct 03 19:20:16 m1.example.test dbus-daemon[893]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.551' (uid=991 pid=62262 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="syst>
Oct 03 19:20:16 m1.example.test dbus-daemon[893]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability. For complete SELinux messages run: sealert -l de96bd1a-58ba-47a9-b2a6-8afe1dd995fb
Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: SELinux is preventing /usr/sbin/ldap-agent from using the dac_override capability.
-
-
-
-
- Plugin dac_override (91.4 confidence) suggests **********************
-
-
-
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
- auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute - ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.
-
-
-
-
- Plugin catchall (9.59 confidence) suggests **************************
-
-
-
If you believe that ldap-agent should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
- ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
- semodule -X 300 -i my-ldapagent.pp
Oct 03 19:20:16 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Set alarm timeout to 10
Oct 03 19:20:25 m1.example.test setroubleshoot[62262]: AnalyzeThread.run(): Cancel pending alarm
ausearch -c 'ldap-agent' --raw | audit2allow -M my-ldapagent
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IMPORTANT ***********************
To make this policy package active, execute:
- IMPORTANT ***********************
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
semodule -i my-ldapagent.pp
[root@m1 ~]#
semodule -X 300 -i my-ldapagent.pp
systemctl start dirsrv-snmp
FAILs
snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
nothing
solution:
add some missing SELinux configuration:
cat << EOF > ~/rhds_snmp_selinux.te
module rhds_snmp_selinux 1.0;
require {
type dirsrv_t;
type kernel_t;
type dirsrv_tmpfs_t;
type dirsrv_var_run_t;
type dirsrv_snmp_t;
class file map;
class dir write;
class file
;
class dir add_name;
class capability dac_override;
class system module_request;
}
#============= dirsrv_snmp_t ==============
allow dirsrv_snmp_t dirsrv_var_run_t:dir write;
allow dirsrv_snmp_t dirsrv_var_run_t:dir add_name;
allow dirsrv_snmp_t dirsrv_var_run_t:file map;
allow dirsrv_snmp_t dirsrv_var_run_t:file create;
allow dirsrv_snmp_t dirsrv_var_run_t:file
;
allow dirsrv_snmp_t dirsrv_var_run_t:file write;
allow dirsrv_snmp_t self:capability dac_override;
allow dirsrv_t kernel_t:system module_request;
EOF
checkmodule -M -m -o ~/rhds_snmp_selinux.mod ~/rhds_snmp_selinux.te
semodule_package -o ~/rhds_snmp_selinux.pp -m ~/rhds_snmp_selinux.mod
semodule -i ~/rhds_snmp_selinux.pp
systemctl start dirsrv-snmp
[root@m1 ~]#
ps ax | egrep "snmp|agent|dirsrv"
1351 ? Ssl 0:19 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-m1 -i /run/dirsrv/slapd-m1.pid
35799 ? Ss 0:04 /usr/sbin/snmpd -LS0-6d -f
65752 ? S 0:00 /usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf
[root@m1 ~]#
snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB | grep -i rhds
HOST-RESOURCES-MIB::hrSWRunParameters.66350 = STRING: "--color=auto -i rhds"
snmpwalk -v3 localhost -l AuthPriv -u snmpuser -A password -a SHA -X password -x AES -M /usr/share/snmp/mibs:/usr/share/dirsrv/mibs/ -m +RHDS-MIB .1.3.6.1.4.1.2312.6 | less
RHDS-MIB::dsAnonymousBinds.389 = Counter64: 0
RHDS-MIB::dsUnAuthBinds.389 = Counter64: 0
...snip...
