Have run into a problem on a couple of servers that I have updated in the last week or so.
snmpd does not start after a reboot; the following log extract is from /var/log/messages on server f4:
Jan 31 17:26:54 f4 acpid: acpid startup succeeded
Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied { execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
Jan 31 17:26:54 f4 snmpd: /usr/sbin/snmpd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
Jan 31 17:26:54 f4 snmpd: snmpd startup failed
Running execstack -q /usr/lib/libbeecrypt.so.6 gives:
X /usr/lib/libbeecrypt.so.6
So the library is explicitly marked as requiring an executable stack.
Looking at the obvious rpms yields the following:
kernel-2.6.12-1.1381_FC3 (was kernel-2.6.11-1.14_FC3)
net-snmp-5.2.1.2-FC3.1 (unchanged)
net-snmp-libs-5.2.1.2-FC3.1 (unchanged)
selinux-policy-targeted-1.17.30-3.19 (was selinux-policy-targeted-1.17.30-2.96)
libselinux-1.19.1-8 (unchanged)
beecrypt-3.1.0-6 (unchanged)
Any suggestions appreciated.
David Rye wrote:
> Have run into a problem on a couple of servers that I have updated in the last week or so.
> snmpd does not start after a reboot; the following log extract is from /var/log/messages on server f4:
> Jan 31 17:26:54 f4 acpid: acpid startup succeeded
> Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied { execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
> Jan 31 17:26:54 f4 snmpd: /usr/sbin/snmpd: error while loading shared libraries: libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied
> Jan 31 17:26:54 f4 snmpd: snmpd startup failed
Does it work if you execstack -c /usr/lib/libbeecrypt.so.6?
Daniel J Walsh wrote:
> Does it work if you execstack -c /usr/lib/libbeecrypt.so.6?
Yes and no.
snmpd starts, but the following entry is added to /var/log/messages:
Feb 1 18:31:48 workstation1 kernel: audit(1138818708.669:5): avc: denied { search } for pid=3176 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=system_u:object_r:sysctl_dev_t tclass=dir
snmpwalk will then display the MIB tree, or at any rate most of it.
However, while running snmpwalk, 9000 additional avc: entries were added to /var/log/messages:
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:7): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:8): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:9): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:10): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:11): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:12): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:13): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:14): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.956:15): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.962:16): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.000:17): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.002:18): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.018:19): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.020:20): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.035:21): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.055:22): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.071:23): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.073:24): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.092:25): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.095:26): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.111:27): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:34 workstation1 kernel: audit(1138819054.111:28): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=hda1 ino=2 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:boot_t tclass=dir
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.112:29): avc: denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=9895940 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.135:30): avc: denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=3915910 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.135:31): avc: denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=4374529 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 1 18:37:42 workstation1 kernel: audit(1138819062.738:32): avc: denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=9895940 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 1 18:37:42 workstation1 kernel: audit(1138819062.738:33): avc: denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=3915910 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Feb 1 18:37:42 workstation1 kernel: audit(1138819062.738:34): avc: denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=4374529 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 1 18:37:44 workstation1 kernel: audit(1138819063.999:35): avc: denied { getattr } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=9895940 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 1 18:37:44 workstation1 kernel: audit(1138819063.999:36): avc: denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=3915910 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
------snip another 6000 odd lines all getattr or read on file tmp----
inode 3915910: symlink /usr/tmp -> /var/tmp
inode 4374529: /tmp
inode 9895940: /var/tmp
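The thousands of denial lines in this thread collapse to a handful of distinct (source type, target type, class, permission) keys once grouped, which is the same reduction audit2allow performs before proposing rules. The following is an added example, not code from the thread or from the SELinux tools; the sample log is constructed from AVC lines copied from the posts here plus one non-AVC line, and the rendered rules are review input, not something to paste into policy.

```python
import re
from collections import Counter

# Constructed sample: AVC lines copied from the posts in this thread (FC3 logs them
# to /var/log/messages via the kernel audit facility), plus one unrelated line.
SAMPLE_LOG = """\
Jan 31 17:26:54 f4 kernel: audit(1138728414.530:2): avc: denied { execmem } for pid=5278 comm="snmpd" scontext=user_u:system_r:snmpd_t tcontext=user_u:system_r:snmpd_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:7): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.932:8): avc: denied { signull } for pid=3285 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:unconfined_t tclass=process
Feb 1 18:37:33 workstation1 kernel: audit(1138819053.956:15): avc: denied { getattr } for pid=3285 comm="snmpd" name="/" dev=usbfs ino=1392 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usbfs_t tclass=dir
Feb 1 18:37:36 workstation1 kernel: audit(1138819056.135:30): avc: denied { read } for pid=3285 comm="snmpd" name="tmp" dev=hda2 ino=3915910 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
Feb 1 13:54:47 f4 kernel: audit(1138802087.099:7): avc: denied { read } for pid=8464 comm="snmpd" name="config" dev=dm-0 ino=13320608 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Feb 1 18:31:48 workstation1 acpid: unrelated line that must be ignored
"""

# One denial record: permissions in braces, then key=value fields; name/dev/ino are optional.
AVC_RE = re.compile(
    r'avc: +denied +\{ (?P<perms>[^}]+)\} +for +pid=\d+ +comm="(?P<comm>[^"]*)"'
    r'.*? scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, tclass, permissions) for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type -> keep only the type
    ttype = m.group("tcontext").split(":")[2]
    perms = tuple(sorted(m.group("perms").split()))
    return (stype, ttype, m.group("tclass"), perms)

def summarise(log_text):
    """Collapse repeated denials into a count per distinct (stype, ttype, class, perms) key."""
    counts = Counter()
    for line in log_text.splitlines():
        key = parse_avc(line)
        if key is not None:
            counts[key] += 1
    return counts

def as_te_rules(counts):
    """Render each key as the allow rule audit2allow would propose, with its hit count, so
    each can be judged on its own: fix the binary (execmem), dontaudit noise, or allow."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};  # seen {n}x"
            for (s, t, c, p), n in sorted(counts.items())]
```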
David Rye wrote:
> Have run into a problem on a couple of servers that I have updated in the last week or so.
> snmpd does not start after a reboot; the following log extract is from /var/log/messages on server f4.
setenforce 0
service snmpd start
setenforce 1

Starts snmpd but logs 3 policy violations:
Feb 1 13:54:47 f4 kernel: audit(1138802087.074:6): avc: denied { execmem } for pid=8464 comm="snmpd" scontext=root:system_r:snmpd_t tcontext=root:system_r:snmpd_t tclass=process
Feb 1 13:54:47 f4 kernel: audit(1138802087.099:7): avc: denied { read } for pid=8464 comm="snmpd" name="config" dev=dm-0 ino=13320608 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Feb 1 13:54:47 f4 kernel: audit(1138802087.099:8): avc: denied { getattr } for pid=8464 comm="snmpd" name="config" dev=dm-0 ino=13320608 scontext=root:system_r:snmpd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Note inode 13320608 is /etc/selinux/config.
ls -Z /usr/sbin/snmpd
-rwxr-xr-x  root root system_u:object_r:snmpd_exec_t /usr/sbin/snmpd
Which on my limited understanding looks correct and I think means that snmpd executes with a custom policy indicated by the snmpd_exec_t bit.
Does this mean that there is a bug in the policy for snmpd defined by the rpm selinux-policy-targeted-1.17.30-3.19 ?
On Wed, 2006-02-01 at 18:54 +0000, David Rye wrote:
> Which on my limited understanding looks correct and I think means that snmpd executes with a custom policy indicated by the snmpd_exec_t bit.
> Does this mean that there is a bug in the policy for snmpd defined by the rpm selinux-policy-targeted-1.17.30-3.19 ?
No, it means that libbeecrypt.so.6 is incorrectly marked by the toolchain as requiring an executable stack. This was corrected in FC4. Use execstack -c to clear the marking to avoid triggering an executable stack there so that you don't have to allow it in policy (which would expose you to risk). The /etc/selinux/config denials are just noise; libselinux always tries to open it from constructor, so any program that happens to link with it triggers attempts there, which are normally silenced in enforcing mode by dontaudit rules.
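What execstack -q reports and execstack -c clears is one flag bit in the object's PT_GNU_STACK program header, which ld.so honours by requesting an executable stack (hence the execmem denial) when PF_X is set. The following is an added example, not the execstack tool's code or anything from the thread: it reimplements both operations over a constructed ELF64 fixture standing in for libbeecrypt.so.6, so the before and after of the fix can be compared byte for byte.

```python
import struct

PT_GNU_STACK = 0x6474E551          # program header whose p_flags describe the stack
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment permission bits

def _gnu_stack_flags_offset(elf):
    """Offset of p_flags in the PT_GNU_STACK header, or None if absent (ELF64 LE only)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected an ELF64 little-endian object")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", elf, off)
        if p_type == PT_GNU_STACK:
            return off + 4                 # p_flags immediately follows p_type
    return None

def execstack_query(elf):
    """Mirror of `execstack -q`: 'X' = executable stack requested, '-' = not, '?' = unmarked."""
    off = _gnu_stack_flags_offset(elf)
    if off is None:
        return "?"
    p_flags, = struct.unpack_from("<I", elf, off)
    return "X" if p_flags & PF_X else "-"

def execstack_clear(elf):
    """Mirror of `execstack -c`: return a copy with PF_X cleared on PT_GNU_STACK."""
    off = _gnu_stack_flags_offset(elf)
    if off is None:
        raise ValueError("no PT_GNU_STACK header to clear")
    out = bytearray(elf)
    p_flags, = struct.unpack_from("<I", out, off)
    struct.pack_into("<I", out, off, p_flags & ~PF_X)
    return bytes(out)

def make_elf(phdrs):
    """Constructed ELF64 LE fixture with the given (p_type, p_flags) headers; not loadable."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1                       # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 3, 62, 1)              # ET_DYN, EM_X86_64, e_version
    struct.pack_into("<Q", ehdr, 0x20, 64)                    # e_phoff: headers follow the ehdr
    struct.pack_into("<HHH", ehdr, 0x34, 64, 56, len(phdrs))  # e_ehsize, e_phentsize, e_phnum
    body = b"".join(struct.pack("<II6Q", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    return bytes(ehdr) + body

# Stand-ins for libbeecrypt.so.6 as shipped (GNU_STACK RWE) and after clearing (constructed).
LIB_AS_SHIPPED = make_elf([(1, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
LIB_CLEARED = execstack_clear(LIB_AS_SHIPPED)
```

On a real library, readelf -l shows the same header as a GNU_STACK line whose flags column reads RWE while the mark is set.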
selinux@lists.fedoraproject.org