[CentOS] snmpd not working well with selinux?

Daniel J Walsh dwalsh at redhat.com
Wed May 30 17:49:56 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/30/2012 01:30 PM, John Horne wrote:
> On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
>> On 05/30/2012 11:58 AM, John Horne wrote:
>>> On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
>>>> 
>>>> I am trying to use SNMP on a CentOS 6.2 server, and am using the 
>>>> 'pass_persist' configuration command:
>>>> 
>>> Sorry, I should have added that nothing appears to be logged in 
>>> /var/log/audit/audit.log when snmpd fails to return any values. Nor is 
>>> anything about this logged in /var/log/messages by the snmpd daemon.
> 
>> Turn off dontaudit rules
>> 
>> 
>> #semodule -DB
>> 
>> Then run the command
>> 
>> #semodule -B
>> 
>> Will turn them back on.
>> 
> Hello,
> 
> Many thanks for this. I understood that snmpd was under the control of 
> SELinux, but didn't know about the 'dontaudit' rules.
> 
> The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data from
> a temporary file. The relevant data is then output back to snmpd. The
> temporary file is created via a root cronjob. (I'm not happy with this, but
> at the moment haven't thought of another way to do it.) The file is written
> into '/var/run/net-snmp'.
> 
> When running snmpd again (via 'service') I got the following logged in 
> audit.log:
> 
> =================================================
> type=AVC msg=audit(1338397396.982:718378): avc:  denied  { read } for pid=3854
> comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175
> scontext=unconfined_u:system_r:snmpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
> type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no
> exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0 ppid=27824 pid=3854
> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=3870 comm="snmp-iostat" exe="/usr/bin/perl"
> subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
> =================================================
> 
> So it seems that the problem is that 'snmp-iostat' (with the snmpd_t 
> context) does not have read access to the temporary file in 
> '/var/run/net-snmp'. If I change everything to use /tmp instead of
> '/var/run/net-snmp', I get the same error logged. If I change it again to
> use '/etc/snmp' as the location for the temporary file, then it works.
> Since this holds the SNMP config files, snmpd would, of course, require
> read access to the directory.
> 
> So, using '/etc/snmp' to hold a temporary data file works, but again I'm 
> not happy with that as a solution! :-)
> 
> Is there any (reasonably) secure location where snmpd will have read 
> access, and that I could use for holding a temporary file?
> 
> John.
> 

restorecon -R -v /var/run

I think the directory is mislabeled.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/GXcQACgkQrlYvE4MpobNPbACePhjRGc+r7kuP0vyE2rDf77eC
UNEAn0Yve5OuHUjxtN95bswzPJDz+CDT
=AlHw
-----END PGP SIGNATURE-----
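The thread's diagnostic loop (disable dontaudit, reproduce, read the AVC record, decide whether the object is mislabeled, relabel) is easy to get wrong by eye. As an added example, not code from the thread or from the net-snmp/SELinux projects, here is a small Python parser that joins the AVC and SYSCALL records by audit serial, pulls out the source and target types, decodes the exit code, and proposes the next commands. The sample input is the two records John posted (rejoined onto one line each, as auditd writes them) plus one constructed "search" denial on a directory; the GENERIC_TYPES set, the suggested commands and the optional path argument are my choices, not anything the thread states.

```python
"""Parse SELinux AVC denials out of audit.log text and suggest the next checks."""
import errno
import os
import re

# Constructed sample input: the two records from the thread (one line each, as
# auditd writes them) plus a made-up 'search' denial on the parent directory.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1338397396.982:718378): avc:  denied  { read } for  pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0 ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3870 comm="snmp-iostat" exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1338397400.100:718379): avc:  denied  { search } for  pid=3854 comm="snmp-iostat" name="net-snmp" dev=dm-0 ino=524100 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
"""

# Generic file types (my list): a confined daemon is rarely meant to touch these, so a
# denial against one usually means "the path is mislabeled", not "policy needs a rule".
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t", "usr_t",
                 "default_t", "file_t", "unlabeled_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # msg=audit(timestamp:serial)
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_fields(line):
    """Turn one audit record into a dict of key/value pairs (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    perms = PERMS_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields


def split_context(ctx):
    """user:role:type:level -> dict; the MLS level may itself contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_denials(text):
    """Join AVC and SYSCALL records by serial; return one event dict per denial."""
    avc, syscall = {}, {}
    for line in text.splitlines():
        f = parse_fields(line)
        if "serial" not in f:
            continue
        if f.get("type") == "AVC" and "perms" in f:
            avc[f["serial"]] = f
        elif f.get("type") == "SYSCALL":
            syscall[f["serial"]] = f
    events = []
    for serial in sorted(avc, key=int):
        a = avc[serial]
        ev = {
            "serial": serial, "timestamp": a["timestamp"], "perms": a["perms"],
            "comm": a.get("comm"), "tclass": a.get("tclass"), "name": a.get("name"),
            "dev": a.get("dev"), "ino": a.get("ino"),
            "source_type": split_context(a["scontext"])["type"],
            "target_type": split_context(a["tcontext"])["type"],
        }
        s = syscall.get(serial)
        if s:
            ev["exe"] = s.get("exe")
            code = int(s.get("exit", "0"))
            if code < 0:                      # e.g. exit=-13 -> EACCES
                ev["errno"] = errno.errorcode.get(-code, str(code))
        events.append(ev)
    return events


def suggest_checks(ev, path=None):
    """Commands to run next for one denial. 'path' is the object, once known."""
    cmds = []
    if ev["target_type"] in GENERIC_TYPES and ev["tclass"] in ("file", "dir", "lnk_file"):
        if path is None:
            # The AVC gives only the last path component plus dev=/ino=; locate the
            # object by inode on the filesystem that dev= refers to.
            cmds.append(f"find / -xdev -inum {ev['ino']} 2>/dev/null")
        else:
            cmds.append(f"matchpathcon -V {path}")   # label vs. policy file_contexts
            parent = path if ev["tclass"] == "dir" else os.path.dirname(path)
            cmds.append(f"restorecon -R -v {parent}")
    else:
        # Label looks right: the policy itself lacks a rule. Review the generated
        # module before installing anything.
        cmds.append("ausearch -m avc -ts recent | audit2allow")
    return cmds


if __name__ == "__main__":
    for ev in parse_denials(SAMPLE_AUDIT_LOG):
        print(f"{ev['serial']}: {ev['source_type']} denied {ev['perms']} on "
              f"{ev['tclass']} {ev['name']} ({ev['target_type']}) "
              f"errno={ev.get('errno', '?')}")
        for c in suggest_checks(ev):
            print("   ", c)
```

Fed John's record, the parser reports snmpd_t denied read on a var_run_t file and, because var_run_t is a generic type, points at the inode lookup rather than at audit2allow; once the path is known, the second call yields matchpathcon -V followed by restorecon -R -v on the parent directory, which is Dan's answer. Remember that this only sees what auditd recorded, so run it after semodule -DB, and re-enable the dontaudit rules with semodule -B when done.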


