[CentOS] snmpd not working well with selinux?
Daniel J Walsh
dwalsh at redhat.com
Wed May 30 17:49:56 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/30/2012 01:30 PM, John Horne wrote:
> On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
>> On 05/30/2012 11:58 AM, John Horne wrote:
>>> On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
>>>>
>>>> I am trying to use SNMP on a CentOS 6.2 server, and am using the
>>>> 'pass_persist' configuration command:
>>>>
>>> Sorry, I should have added that nothing appears to be logged in
>>> /var/log/audit/audit.log when snmpd fails to return any values. Nor is
>>> anything about this logged in /var/log/messages by the snmpd daemon.
>>>
>
>>>
>> Turn off dontaudit rules
>>
>>
>> #semodule -DB
>>
>> Then run the command
>>
>> #semdule -B
>>
>> Will turn them back on.
>>
> Hello,
>
> Many thanks for this. I understood that snmpd was under the control of
> SELinux, but didn't know about the 'dontaudit' rules.
>
> The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data from
> a temporary file. The relevant data is then output back to snmpd. The
> temporary file is created via a root cronjob. (I'm not happy with this, but
> at the moment haven't thought of another way to do it.) The file is written
> into '/var/run/net-snmp'.
>
> When running snmpd again (via 'service') I got the following logged in
> audit.log:
>
> ================================================= type=AVC
> msg=audit(1338397396.982:718378): avc: denied { read } for pid=3854
> comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175
> scontext=unconfined_u:system_r:snmpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file type=SYSCALL
> msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no
> exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0 ppid=27824 pid=3854
> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=3870 comm="snmp-iostat" exe="/usr/bin/perl"
> subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
> =================================================
>
> So it seems that the problem is that 'snmp-iostat' (with the snmpd_t
> context) does not have read access to the temporary file in
> '/var/run/net-snmp'. If I change everything to use /tmp instead of
> '/var/run/net-snmp', I get the same error logged. If I change it again to
> use '/etc/snmp' as the location for the temporary file, then it works.
> Since this holds the SNMP config files, snmpd would, of course, require
> read access to the directory.
>
> So, using '/etc/snmp' to hold a temporary data file works, but again I'm
> not happy with that as a solution! :-)
>
> Is there any (reasonably) secure location where snmpd will have read
> access, and that I could use for holding a temporary file?
>
>
>
>
>
> John.
>
restorecon -R -v /var/run
I think the directory is mislabeled.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk/GXcQACgkQrlYvE4MpobNPbACePhjRGc+r7kuP0vyE2rDf77eC
UNEAn0Yve5OuHUjxtN95bswzPJDz+CDT
=AlHw
-----END PGP SIGNATURE-----
More information about the CentOS
mailing list