Hello,
I am trying to use SNMP on a CentOS 6.2 server, and am using the 'pass_persist' configuration command:
pass_persist .1.3.6.1.4.1.141.1 /usr/local/sbin/snmp-iostat
I have set the file context of 'snmpd_exec_t' on the snmp-iostat program.
If I disable SELinux, then it all works fine (that is, I can then snmpget/snmpwalk for OIDs in the configured pass_persist OID, and values are returned). If I enable SELinux and start the snmpd daemon, as root, from the command line, then again it all works fine. However, if I enable SELinux and start up the SNMP daemon using the 'service' command, as occurs at system boot, then I get no values returned. I get, for example:
snmpwalk -v 2c -c public localhost enterprises.141.1.1.10
SNMPv2-SMI::enterprises.141.1.1.10 = No Such Instance currently exists at this OID
(Yes I am using the enterprise number 141 which doesn't belong to us. I have applied for a site enterprise number, but heard nothing yet.)
I really don't want to disable SELinux completely, but 'getsebool' shows no variables relating to SNMP so I am a bit stuck as to how I can get this to work. I also don't understand why it works with SELinux enabled when started from the command line, but not when started by the 'service' command. That seems very odd.
Anyone any ideas about this?
Thanks,
John.
On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
I am trying to use SNMP on a CentOS 6.2 server, and am using the 'pass_persist' configuration command:
Sorry, I should have added that nothing appears to be logged in /var/log/audit/audit.log when snmpd fails to return any values. Nor is anything about this logged in /var/log/messages by the snmpd daemon.
John.
On 05/30/2012 11:58 AM, John Horne wrote:
On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
I am trying to use SNMP on a CentOS 6.2 server, and am using the 'pass_persist' configuration command:
Sorry, I should have added that nothing appears to be logged in /var/log/audit/audit.log when snmpd fails to return any values. Nor is anything about this logged in /var/log/messages by the snmpd daemon.
John.
Turn off dontaudit rules:
# semodule -DB
Then run the command
# semodule -B
Will turn them back on.
On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
On 05/30/2012 11:58 AM, John Horne wrote:
On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
I am trying to use SNMP on a CentOS 6.2 server, and am using the 'pass_persist' configuration command:
Sorry, I should have added that nothing appears to be logged in /var/log/audit/audit.log when snmpd fails to return any values. Nor is anything about this logged in /var/log/messages by the snmpd daemon.
Turn off dontaudit rules:
# semodule -DB
Then run the command
# semodule -B
Will turn them back on.
Hello,
Many thanks for this. I understood that snmpd was under the control of SELinux, but didn't know about the 'dontaudit' rules.
The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data from a temporary file. The relevant data is then output back to snmpd. The temporary file is created via a root cronjob. (I'm not happy with this, but at the moment haven't thought of another way to do it.) The file is written into '/var/run/net-snmp'.
When running snmpd again (via 'service') I got the following logged in audit.log:
=================================================
type=AVC msg=audit(1338397396.982:718378): avc: denied { read } for pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0 ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3870 comm="snmp-iostat" exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
=================================================
So it seems that the problem is that 'snmp-iostat' (with the snmpd_t context) does not have read access to the temporary file in '/var/run/net-snmp'. If I change everything to use /tmp instead of '/var/run/net-snmp', I get the same error logged. If I change it again to use '/etc/snmp' as the location for the temporary file, then it works. Since this holds the SNMP config files, snmpd would, of course, require read access to the directory.
So, using '/etc/snmp' to hold a temporary data file works, but again I'm not happy with that as a solution! :-)
Is there any (reasonably) secure location where snmpd will have read access, and that I could use for holding a temporary file?
John.
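Added example, not code from the thread or from net-snmp: a POSIX sh/awk helper that summarises AVC denials of the kind shown above (visible once 'semodule -DB' has switched the dontaudit rules off) and flags those where snmpd_t was refused a file whose type is not one of snmpd's own types. The audit sample is constructed: the denial John posted, plus a made-up second denial for the same helper reading a file in /tmp (type tmp_t), which the thread says also fails.

```shell
#!/bin/sh
# Constructed sample input: the posted denial and a made-up tmp_t denial.
AUDIT_SAMPLE='type=AVC msg=audit(1338397396.982:718378): avc:  denied  { read } for  pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no exit=-13 comm="snmp-iostat" exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1338397500.101:718401): avc:  denied  { read } for  pid=3901 comm="snmp-iostat" name="iostat.dat" dev=dm-0 ino=524190 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file'

# Print one line per AVC denial: "<perm> <source type> -> <target type>:<class>".
# Only the type field (third colon-separated part) of each context is kept.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /^type=AVC / && /avc: +denied/ {
            perm = ""; s = ""; t = ""; c = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
                if ($i ~ /^tclass=/) c = substr($i, 8)
            }
            print perm, s, "->", t ":" c
        }'
}

# Report targets that snmpd_t was denied and that do not carry an snmpd_* type
# (snmpd_var_run_t is named in the thread; a data file in such a location is the
# mislabelled-directory situation John hit).
snmpd_denied_elsewhere() {
    avc_summary "$1" | awk '$2 == "snmpd_t" && $4 !~ /^snmpd_/ { print $4 }'
}

# Stand-alone run: summarise the constructed sample.
avc_summary "$AUDIT_SAMPLE"
snmpd_denied_elsewhere "$AUDIT_SAMPLE"
```

On a live system, feed it `grep AVC /var/log/audit/audit.log` instead of the constructed sample.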
On 05/30/2012 01:30 PM, John Horne wrote:
On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
On 05/30/2012 11:58 AM, John Horne wrote:
On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
I am trying to use SNMP on a CentOS 6.2 server, and am using the 'pass_persist' configuration command:
Sorry, I should have added that nothing appears to be logged in /var/log/audit/audit.log when snmpd fails to return any values. Nor is anything about this logged in /var/log/messages by the snmpd daemon.
Turn off dontaudit rules:
# semodule -DB
Then run the command
# semodule -B
Will turn them back on.
Hello,
Many thanks for this. I understood that snmpd was under the control of SELinux, but didn't know about the 'dontaudit' rules.
The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data from a temporary file. The relevant data is then output back to snmpd. The temporary file is created via a root cronjob. (I'm not happy with this, but at the moment haven't thought of another way to do it.) The file is written into '/var/run/net-snmp'.
When running snmpd again (via 'service') I got the following logged in audit.log:
=================================================
type=AVC msg=audit(1338397396.982:718378): avc: denied { read } for pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0 ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3870 comm="snmp-iostat" exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
=================================================
So it seems that the problem is that 'snmp-iostat' (with the snmpd_t context) does not have read access to the temporary file in '/var/run/net-snmp'. If I change everything to use /tmp instead of '/var/run/net-snmp', I get the same error logged. If I change it again to use '/etc/snmp' as the location for the temporary file, then it works. Since this holds the SNMP config files, snmpd would, of course, require read access to the directory.
So, using '/etc/snmp' to hold a temporary data file works, but again I'm not happy with that as a solution! :-)
Is there any (reasonably) secure location where snmpd will have read access, and that I could use for holding a temporary file?
John.
restorecon -R -v /var/run
I think the directory is mislabeled.
On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:
restorecon -R -v /var/run
I think the directory is mislabeled.
Hello,
Made no difference I'm afraid. Both /var/run and /var/run/net-snmp were labelled as 'system_u:object_r:var_run_t:s0' before and after the restorecon.
John.
On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:
restorecon -R -v /var/run
I think the directory is mislabeled.
Hello,
It looks like it is mislabelled by default. If I set the context of '/var/run/net-snmp' to 'snmpd_var_run_t' then the use of pass_persist works fine.
I'll submit this as a bug for your consideration.
John.
On 05/31/2012 07:59 AM, John Horne wrote:
On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:
restorecon -R -v /var/run
I think the directory is mislabeled.
Hello,
It looks like it is mislabelled by default. If I set the context of '/var/run/net-snmp' to 'snmpd_var_run_t' then the use of pass_persist works fine.
I'll submit this as a bug for your consideration.
John.
Ok in Fedora we have /var/run/net-snmpd, is /var/run/net-snmp a standard directory for this?
On Thu, 2012-05-31 at 08:43 -0400, Daniel J Walsh wrote:
Ok in Fedora we have /var/run/net-snmpd, is /var/run/net-snmp a standard directory for this?
Hello,
What I have is:
Fedora 15:
=================================
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 /var/run/net-snmp
rpm -qf /var/run/net-snmp
net-snmp-5.6.1-7.fc15.x86_64
=================================
RHEL 6.2/CentOS 6.2:
=================================
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 /var/run/net-snmp
rpm -qf /var/run/net-snmp
net-snmp-5.5-37.el6_2.1.x86_64
=================================
So '/var/run/net-snmpd' must have come in at a later date than F15.
John.
On 05/31/2012 08:51 AM, John Horne wrote:
On Thu, 2012-05-31 at 08:43 -0400, Daniel J Walsh wrote:
Ok in Fedora we have /var/run/net-snmpd, is /var/run/net-snmp a standard directory for this?
Hello,
What I have is:
Fedora 15:
=================================
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 /var/run/net-snmp
rpm -qf /var/run/net-snmp
net-snmp-5.6.1-7.fc15.x86_64
=================================
RHEL 6.2/CentOS 6.2:
=================================
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 /var/run/net-snmp
rpm -qf /var/run/net-snmp
net-snmp-5.5-37.el6_2.1.x86_64
=================================
So '/var/run/net-snmpd' must have come in at a later date than F15.
John.
It looks like /var/run/net-snmp is correct, I will fix our policy and get it into RHEL6.4
For now you can set the label using semanage.
On Thu, 2012-05-31 at 09:29 -0400, Daniel J Walsh wrote:
It looks like /var/run/net-snmp is correct, I will fix our policy and get it into RHEL6.4
Hello,
I received a reply via Miroslav Grepl that this is already fixed. The bug report is https://bugzilla.redhat.com/show_bug.cgi?id=822480
It seems that '/var/lib/net-snmp' should be used. I have tested my use of pass_persist and it does work when using '/var/lib/net-snmp'.
John.
On 05/31/2012 07:59 AM, John Horne wrote:
Ok in Fedora we have /var/run/net-snmpd, is /var/run/net-snmp a standard directory for this?