]> git.ipfire.org Git - people/stevee/selinux-policy.git/commitdiff
Allow snmp to read all proc_type
authorDan Walsh <dwalsh@redhat.com>
Tue, 20 Dec 2011 16:27:43 +0000 (16:27 +0000)
committerDan Walsh <dwalsh@redhat.com>
Tue, 20 Dec 2011 16:27:43 +0000 (16:27 +0000)
policy/modules/kernel/kernel.if
policy/modules/services/snmp.te

index 34c68970094f89f2392eb326cbc312aa3caa8245..3bfb1f87016647b63840630cae2d19fcd2930f7b 100644 (file)
@@ -1457,6 +1457,24 @@ interface(`kernel_dontaudit_list_all_proc',`
        dontaudit $1 proc_type:file getattr;
 ')
 
+########################################
+## <summary>
+##     Allow attempts to read all proc types.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_read_all_proc',`
+       gen_require(`
+               attribute proc_type;
+       ')
+
+       read_files_pattern($1, proc_type, proc_type)
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts by caller to search
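Review bot: `read_files_pattern($1, proc_type, proc_type)` in the new `kernel_read_all_proc` grants read on every file type carrying the `proc_type` attribute, with no exclusions. In the reference policy that attribute also covers the types for the kernel memory image and the kernel log (`proc_kcore_t`, `proc_kmsg_t`), which are normally guarded by neverallow rules, so this may either fail the neverallow check or give callers far more than process and network state; confirm this against kernel.te, which is not visible here. Consider requiring those two types in the `gen_require` block and narrowing the call to `read_files_pattern($1, proc_type, { proc_type -proc_kcore_t -proc_kmsg_t })`. The summary comment should also say that the interface covers every present and future `proc_type` type, so reviewers of callers know how broad it is.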
index 9c747d4abadf9f8474564bacca999d4c6b9f2a0a..1d22eed987ad9c11ea1b62fd9bf9a3c1379f0496 100644 (file)
@@ -55,8 +55,7 @@ kernel_read_kernel_sysctls(snmpd_t)
 kernel_read_fs_sysctls(snmpd_t)
 kernel_read_net_sysctls(snmpd_t)
 kernel_read_proc_symlinks(snmpd_t)
-kernel_read_system_state(snmpd_t)
-kernel_read_network_state(snmpd_t)
+kernel_read_all_proc(snmpd_t)
 
 corecmd_exec_bin(snmpd_t)
 corecmd_exec_shell(snmpd_t)
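Review bot: Replacing `kernel_read_system_state(snmpd_t)` and `kernel_read_network_state(snmpd_t)` with `kernel_read_all_proc(snmpd_t)` is not a strict superset, because the new interface only calls `read_files_pattern`. The two removed interfaces presumably also allowed listing the proc directories and reading symlinks under the network state tree; their definitions are outside this diff, so this needs checking, but snmpd could lose directory enumeration while gaining read on unrelated proc types. snmpd is a network-facing daemon, and the commit message does not name the denial that motivated the change. It would be safer to keep the two original lines and add only the interface for the specific proc type that was denied, with the AVC quoted in the commit description.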