Bug ID 1195061: Custom MIB fails due to SSL certs access permission denied with SELinux issue

Last Modified: Apr 17, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4

Opened: Nov 24, 2022

Severity: 4-Minor

Symptoms

Querying the custom MIB fails because snmpd is denied access to the SSL certificate files when SELinux is in enforcing mode. The audit log records an AVC denial for the snmpd_t domain reading a symbolic link labelled f5filestore_t. Example output from the BIG-IP shell prompt:

config # cat /var/log/auditd/audit.log | grep AVC | tail -1
type=AVC msg=audit(1669275512.299:162416): avc: denied { read } for pid=22102 comm="python" name=":Common:ca-bundle.crt_31207_1" dev="dm-7" ino=239 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:f5filestore_t:s0 tclass=lnk_file
[root@c3895546-bigip:Active:Standalone] config #

Impact

Certificate details, including certificate expiry dates, cannot be retrieved through the custom MIB.

Conditions

When an SSL certificate query is made against the custom OID, for example:

snmpwalk -Os -c public -v 1 localhost .1.3.6.1.4.1.3375.2.100.3

Workaround

Use the following steps:

1) List the denials recorded in the audit log, with an explanation of each.
   Example command:
   # audit2allow -w -a
   Example output:
   type=AVC msg=audit(1669134295.031:463374): avc: denied { read } for pid=4274 comm="python" name=":Common:f5-ca-bundle.crt_32988_1" dev="dm-7" ino=285 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:f5filestore_t:s0 tclass=lnk_file
   Was caused by:
   Missing type enforcement (TE) allow rule.
   You can use audit2allow to generate a loadable module to allow this access.

2) List the type enforcement rules that would need to be added to the policy.
   Example command:
   # audit2allow -a
   Example output:
   #============= snmpd_t ==============
   allow snmpd_t f5config_t:file execute;
   allow snmpd_t f5filestore_t:lnk_file read;

3) Generate a loadable policy module granting the snmpd_t domain that access.
   Example command:
   # audit2allow -a -M snmpd_t
   Example output:
   ******************** IMPORTANT ***********************
   To make this policy package active, execute:
   semodule -i snmpd_t.pp

4) Install the policy module.
   Example command:
   # semodule -i snmpd_t.pp

5) Verify that the denials are now allowed by the loaded policy.
   Example command:
   # audit2allow -a
   Example output:
   #============= snmpd_t ==============
   #!!!! This avc is allowed in the current policy
   allow snmpd_t f5config_t:file execute;
   #!!!! This avc is allowed in the current policy
   allow snmpd_t f5filestore_t:lnk_file read;

Note that audit2allow -a generates rules for every denial present in the audit log, not only the lnk_file read needed by the custom MIB; the example output above also includes allow snmpd_t f5config_t:file execute;. Review the generated snmpd_t.te file before installing the module so that only the access the custom MIB actually needs is granted.
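The following is an added example, not part of this bug entry and not F5's or audit2allow's code. It shows what step 2 of the workaround does under the hood: parsing AVC denial records into the source type, target type, object class and permission set, merging them into type enforcement allow rules, and flagging rules that grant permissions worth a second look before the module is installed. The sample audit lines are constructed for this example from the two denials quoted above, plus one hypothetical execute denial against f5config_t to exercise the review check.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this bug entry plus a
# non-AVC SYSCALL record that a parser must skip. Not live audit output.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1669275512.299:162416): avc: denied { read } for pid=22102 comm="python" name=":Common:ca-bundle.crt_31207_1" dev="dm-7" ino=239 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:f5filestore_t:s0 tclass=lnk_file
type=AVC msg=audit(1669134295.031:463374): avc: denied { read } for pid=4274 comm="python" name=":Common:f5-ca-bundle.crt_32988_1" dev="dm-7" ino=285 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:f5filestore_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1669275512.299:162416): arch=c000003e syscall=2 success=no exit=-13
"""

# Hypothetical denial, constructed to match the "allow snmpd_t f5config_t:file
# execute;" rule that audit2allow emitted in the workaround output.
HYPOTHETICAL_EXECUTE_DENIAL = (
    'type=AVC msg=audit(1669134300.000:463400): avc: denied { execute } for pid=4274 '
    'comm="python" name="example.sh" dev="dm-7" ino=999 '
    'scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    # An SELinux context is user:role:type:level; the type is what TE rules use.
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Return (source_type, target_type, tclass, frozenset(perms)) per AVC denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        denials.append((
            _type_of(m.group("scontext")),
            _type_of(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def merge_denials(denials):
    """Collapse repeated denials into one permission set per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    return merged


def format_rule(src, tgt, cls, perms):
    """Render a TE allow rule in the same form audit2allow prints."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"


def allow_rules(log_text):
    """All allow rules needed to silence the denials in log_text, sorted."""
    merged = merge_denials(parse_avc_denials(log_text))
    return [format_rule(*key, perms) for key, perms in sorted(merged.items())]


def needs_review(log_text, watch=("execute", "execmod", "execmem", "write",
                                  "append", "relabelto", "setattr")):
    """Rules granting permissions that go beyond read access and deserve a
    manual check before the module is loaded with semodule -i."""
    merged = merge_denials(parse_avc_denials(log_text))
    return [format_rule(*key, perms)
            for key, perms in sorted(merged.items()) if perms & set(watch)]


if __name__ == "__main__":
    combined = SAMPLE_AUDIT_LOG + HYPOTHETICAL_EXECUTE_DENIAL
    for rule in allow_rules(combined):
        flag = "  # REVIEW" if rule in needs_review(combined) else ""
        print(rule + flag)
```

Run against the page's two denials alone, the output is the single rule allow snmpd_t f5filestore_t:lnk_file read;, which is the only access the custom MIB needs; with the hypothetical execute denial appended, the f5config_t:file execute rule is reported by needs_review and should be cut from the .te file before building and installing the module.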

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips