In snmpd.conf I have
exec drbd_cstate /sbin/drbdadm cstate all
exec drbd_role /sbin/drbdadm role all
exec drbd_state /sbin/drbdadm dstate all
With SELinux set to permissive, if I run the SNMP walk command (/usr/bin/snmpwalk -v 2c -c PUBLIC 192.168.1.10 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate"'.1) I get this in the log:
type=AVC msg=audit(1619795855.717:214829): avc: denied { read } for pid=30859 comm="drbdadm" name="node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc: denied { open } for pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1619795855.717:214829): arch=c000003e syscall=2 success=yes exit=4 a0=42eee0 a1=0 a2=1 a3=7fff53710560 items=0 ppid=27329 pid=30859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm" exe="/usr/sbin/drbdadm" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.717:214829): proctitle=2F7362696E2F6472626461646D0063737461746500616C6C
type=AVC msg=audit(1619795855.719:214830): avc: denied { create } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.719:214830): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=2 a2=10 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.719:214830): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214831): avc: denied { setopt } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214831): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=7 a3=7ffe12bd3a3c items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214831): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214832): avc: denied { bind } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214832): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=21dd030 a2=c a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214832): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214833): avc: denied { getattr } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214833): arch=c000003e syscall=51 success=yes exit=0 a0=4 a1=21dd030 a2=7ffe12bd3a38 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214833): proctitle=2F7362696E2F647262647365747570006373746174650072300031
When doing the snmpwalk the error I got back was
NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: Creation of /var/lib/drbd/node_id failed: Permission denied
I used audit2allow to help create a policy for SELinux so that it would allow me to run this command. The policy that it gave me was
module drbd_cstate 1.0;
require {
type drbd_var_lib_t;
type snmpd_t;
class netlink_socket { bind create getattr setopt };
class file { open read };
}
#============= snmpd_t ==============
allow snmpd_t drbd_var_lib_t:file { open read };
allow snmpd_t self:netlink_socket { bind create getattr setopt };
Once I added my newly created module and ran snmpwalk, I got back
NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: <1>failed to send netlink message
Doing a tail -f /var/log/audit/audit.log does not come back with anything. If, at the time that I am doing the snmpwalk, I do a tcpdump, I see this going over the network: Could not connect to 'drbd' generic netlink family in one packet and then <1>failed to send netlink message. If I then do setenforce=permissive everything magically works again. What am I doing wrong?
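To make the relationship between the AVC records and the generated policy module explicit, here is an added example (not code from the question or from audit2allow) that parses the `avc: denied` lines quoted above and derives the same `allow` rules audit2allow produced. The field layout of the sample log is taken from the records in the question; the function names and the module renderer are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the six AVC records from the question above (constructed subset of audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1619795855.717:214829): avc: denied { read } for pid=30859 comm="drbdadm" name="node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc: denied { open } for pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.719:214830): avc: denied { create } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.720:214831): avc: denied { setopt } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.720:214832): avc: denied { bind } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.720:214833): avc: denied { getattr } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
"""

# Only AVC records carry an access vector; SYSCALL/PROCTITLE records will not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(log_text):
    # Return (source_type, target_type, tclass, permission) for every denied permission.
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]   # user:role:TYPE:level -> TYPE
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            denials.append((stype, ttype, m.group("tclass"), perm))
    return denials

def build_rules(denials):
    # Group permissions per (source, target, class); a target equal to the source becomes 'self'.
    rules = defaultdict(set)
    for stype, ttype, tclass, perm in denials:
        target = "self" if stype == ttype else ttype
        rules[(stype, target, tclass)].add(perm)
    return rules

def render_module(name, rules, version="1.0"):
    # Emit a .te module in the same shape as the one audit2allow produced in the question.
    types, classes = set(), defaultdict(set)
    for (stype, target, tclass), perms in rules.items():
        types.update([stype] + ([] if target == "self" else [target]))
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, target, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"
```

A denial that produces no AVC record at all cannot be derived this way: accesses covered by dontaudit rules in the loaded policy are denied silently, and `semodule -DB` temporarily disables those rules so the missing records appear in audit.log.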