[CentOS] snmpd not working well with selinux?

Wed May 30 17:30:48 UTC 2012
John Horne <john.horne at plymouth.ac.uk>

On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
> On 05/30/2012 11:58 AM, John Horne wrote:
> > On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
> >> 
> >> I am trying to use SNMP on a CentOS 6.2 server, and am using the 
> >> 'pass_persist' configuration command:
> >> 
> > Sorry, I should have added that nothing appears to be logged in
> > /var/log/audit/audit.log when snmpd fails to return any values. Nor is
> > anything about this logged in /var/log/messages by the snmpd daemon.
> > 
>
> Turn off dontaudit rules
> 
> 
> #semodule -DB
> 
> Then run the command
> 
> #semodule -B
> 
> Will turn them back on.
>
Hello,

Many thanks for this. I understood that snmpd was under the control of
SELinux, but didn't know about the 'dontaudit' rules.

The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data
from a temporary file. The relevant data is then output back to snmpd.
The temporary file is created via a root cronjob. (I'm not happy with
this, but at the moment haven't thought of another way to do it.) The
file is written into '/var/run/net-snmp'.

When running snmpd again (via 'service') I got the following logged in
audit.log:

=================================================
type=AVC msg=audit(1338397396.982:718378): avc:  denied  { read } for
pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175
scontext=unconfined_u:system_r:snmpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2
success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0
ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3870 comm="snmp-iostat"
exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
=================================================

So it seems that the problem is that 'snmp-iostat' (with the snmpd_t
context) does not have read access to the temporary file in
'/var/run/net-snmp'.
If I change everything to use /tmp instead of '/var/run/net-snmp', I get
the same error logged.
If I change it again to use '/etc/snmp' as the location for the
temporary file, then it works. Since this holds the SNMP config files,
snmpd would, of course, require read access to the directory.

So, using '/etc/snmp' to hold a temporary data file works, but again I'm
not happy with that as a solution! :-)

Is there any (reasonably) secure location where snmpd will have read
access, and that I could use for holding a temporary file?
John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
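An added example, not part of this thread and not code from Net-SNMP or the SELinux tools: a small Python parser for the `type=AVC` and `type=SYSCALL` records that `semodule -DB` makes visible in `/var/log/audit/audit.log`. It joins the two records of one event by their serial number, pulls out the source type, target type, object class and denied permissions, and rolls them up the way a triage would before deciding whether the fix is to relabel the file, move it, or write a policy module. The sample input is constructed from the two records quoted above, rejoined onto one line each as audit.log writes them; field names and functions are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two audit records quoted in the message,
# rejoined onto one line each (audit.log writes one record per line).
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1338397396.982:718378): avc:  denied  { read } for '
    ' pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175'
    ' scontext=unconfined_u:system_r:snmpd_t:s0'
    ' tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2'
    ' success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0'
    ' ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0'
    ' sgid=0 fsgid=0 tty=(none) ses=3870 comm="snmp-iostat"'
    ' exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)\n'
)

# Every audit record starts with type=... msg=audit(timestamp:serial):
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# AVC body: avc: denied { perm perm ... } for key=value ...
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values may be double-quoted (comm, exe, name)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Turn 'pid=3854 comm="snmp-iostat" ...' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """The third field of user:role:type[:range] is the SELinux type."""
    return ctx.split(':')[2]


def parse_records(log_text):
    """Group audit lines by event serial; an event may hold an AVC and a SYSCALL record."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not an audit record: skip it
        rtype, serial, body = m.group('type'), m.group('serial'), m.group('body')
        if rtype == 'AVC':
            a = AVC_RE.search(body)
            if not a:
                continue
            rec = parse_kv(a.group('rest'))
            rec['verdict'] = a.group('verdict')
            rec['perms'] = sorted(a.group('perms').split())
            events[serial]['avc'] = rec
        elif rtype == 'SYSCALL':
            events[serial]['syscall'] = parse_kv(body)
    return dict(events)


def denials(log_text):
    """Flatten each AVC denial into the fields a triage needs."""
    out = []
    for serial, ev in parse_records(log_text).items():
        avc = ev.get('avc')
        if not avc or avc['verdict'] != 'denied':
            continue
        sc = ev.get('syscall', {})
        out.append({
            'serial': serial,
            'comm': avc.get('comm'),
            'exe': sc.get('exe'),                       # real binary, e.g. the perl interpreter
            'source_type': context_type(avc['scontext']),
            'target_type': context_type(avc['tcontext']),
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'target_name': avc.get('name') or avc.get('path'),
            # success=no on the SYSCALL record means the kernel actually refused
            # the call (enforcing mode); in permissive mode it is logged but allowed
            'enforced': sc.get('success') == 'no',
        })
    return out


def summarize(log_text):
    """audit2allow-style rollup: which (source, target, class) pairs lack which perms."""
    rollup = defaultdict(set)
    for d in denials(log_text):
        rollup[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in rollup.items()}


def explain(d):
    """One-line reading of a denial in the terms used in the thread above."""
    mode = 'syscall failed (enforcing)' if d['enforced'] else 'syscall allowed (permissive)'
    return (f"{d['comm']} ({d['exe']}) running as {d['source_type']} was denied "
            f"{','.join(d['perms'])} on {d['tclass']} '{d['target_name']}' "
            f"labelled {d['target_type']}: {mode}")


if __name__ == '__main__':
    for d in denials(SAMPLE_AUDIT_LOG):
        print(explain(d))
    print(summarize(SAMPLE_AUDIT_LOG))
```

The rollup key is the part that matters for the question in the thread: the denial is between the domain `snmpd_t` and the file type `var_run_t`, not between users or paths, so moving the file to another directory only helps if the new directory carries a type `snmpd_t` is allowed to read (which is why `/etc/snmp` works and `/tmp` does not). Checking the label a directory actually carries (`ls -Z`) against that key tells you whether a relabel of the temporary file's location is enough or whether a policy change is really needed.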