Old 05-30-2012, 03:52 PM
John Horne
 
snmpd not working well with selinux?

Hello,

I am trying to use SNMP on a CentOS 6.2 server, and am using the
'pass_persist' configuration command:

pass_persist .1.3.6.1.4.1.141.1 /usr/local/sbin/snmp-iostat

I have set the file context of 'snmpd_exec_t' on the snmp-iostat
program.

If I disable SELinux, then it all works fine (that is, I can then
snmpget/snmpwalk for OIDs in the configured pass_persist OID, and values
are returned). If I enable SELinux and start the snmpd daemon, as root,
from the command line, then again it all works fine. However, if I
enable SELinux, and startup the SNMP daemon using the 'service' command,
as occurs at system boot, then I get no values returned. I get, for
example:

snmpwalk -v 2c -c public localhost enterprises.141.1.1.10
SNMPv2-SMI::enterprises.141.1.1.10 = No Such Instance currently
exists at this OID

(Yes I am using the enterprise number 141 which doesn't belong to us. I
have applied for a site enterprise number, but heard nothing yet.)

I really don't want to disable SELinux completely, but 'getsebool' shows
no variables relating to SNMP so I am a bit stuck as to how I can get
this to work. I also don't understand why it works with SELinux enabled
when started from the command line, but not when started by the
'service' command. That seems very odd.

Anyone any ideas about this?




Thanks,

John.

--
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK Fax: +44 (0)1752 587001
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 05-30-2012, 03:58 PM
John Horne
 
snmpd not working well with selinux?

On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
>
> I am trying to use SNMP on a CentOS 6.2 server, and am using the
> 'pass_persist' configuration command:
>
Sorry, I should have added that nothing appears to be logged
in /var/log/audit/audit.log when snmpd fails to return any values. Nor
is anything about this logged in /var/log/messages by the snmpd daemon.




John.

--
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK Fax: +44 (0)1752 587001
 
Old 05-30-2012, 04:55 PM
Daniel J Walsh
 
snmpd not working well with selinux?


On 05/30/2012 11:58 AM, John Horne wrote:
> On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
>>
>> I am trying to use SNMP on a CentOS 6.2 server, and am using the
>> 'pass_persist' configuration command:
>>
> Sorry, I should have added that nothing appears to be logged in
> /var/log/audit/audit.log when snmpd fails to return any values. Nor is
> anything about this logged in /var/log/messages by the snmpd daemon.
>
>
>
>
> John.
>
Turn off dontaudit rules


#semodule -DB

Then run the command

#semodule -B

Will turn them back on.
 
Old 05-30-2012, 05:30 PM
John Horne
 
snmpd not working well with selinux?

On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
> On 05/30/2012 11:58 AM, John Horne wrote:
> > On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
> >>
> >> I am trying to use SNMP on a CentOS 6.2 server, and am using the
> >> 'pass_persist' configuration command:
> >>
> > Sorry, I should have added that nothing appears to be logged in
> > /var/log/audit/audit.log when snmpd fails to return any values. Nor is
> > anything about this logged in /var/log/messages by the snmpd daemon.
> >
> Turn off dontaudit rules
>
>
> #semodule -DB
>
> Then run the command
>
> #semodule -B
>
> Will turn them back on.
>
Hello,

Many thanks for this. I understood that snmpd was under the control of
SELinux, but didn't know about the 'dontaudit' rules.

The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data
from a temporary file. The relevant data is then output back to snmpd.
The temporary file is created via a root cronjob. (I'm not happy with
this, but at the moment haven't thought of another way to do it.) The
file is written into '/var/run/net-snmp'.

When running snmpd again (via 'service') I got the following logged in
audit.log:

=================================================
type=AVC msg=audit(1338397396.982:718378): avc: denied { read } for
pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175
scontext=unconfined_u:system_r:snmpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2
success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0
ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=3870 comm="snmp-iostat"
exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
=================================================

So it seems that the problem is that 'snmp-iostat' (with the snmpd_t
context) does not have read access to the temporary file in
'/var/run/net-snmp'.
If I change everything to use /tmp instead of '/var/run/net-snmp', I get
the same error logged.
If I change it again to use '/etc/snmp' as the location for the
temporary file, then it works. Since this holds the SNMP config files,
snmpd would, of course, require read access to the directory.

So, using '/etc/snmp' to hold a temporary data file works, but again I'm
not happy with that as a solution! :-)

Is there any (reasonably) secure location where snmpd will have read
access, and that I could use for holding a temporary file?





John.

--
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK Fax: +44 (0)1752 587001
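The record above, once the dontaudit rules are switched off, is the whole diagnosis in one line: source domain snmpd_t, target type var_run_t, object class file, permission read. (It also explains the earlier puzzle: a daemon launched by hand from an unconfined root shell normally stays in unconfined_t and is never checked against the snmpd policy, whereas 'service' transitions it into snmpd_t.) The parser below is an added example written for this thread, not net-snmp code and not part of the SELinux tool set. It reads audit.log-style records, groups denials by source domain, target type and class, and flags targets that carry a generic type such as var_run_t or tmp_t, which is what a mislabelled directory looks like in the log. SAMPLE_AUDIT_LOG is constructed: the first two records are the AVC and SYSCALL lines quoted above, re-joined onto one line each; the third is a made-up second denial against a file in /tmp. GENERIC_TYPES is my own short list, not something from the page.

```python
"""Summarize SELinux AVC denials from audit.log records.

Added example for this thread; not net-snmp code and not part of the
SELinux tool set. SAMPLE_AUDIT_LOG is constructed: the first two records
are the ones quoted in the thread (re-joined onto one line each), the
third is a made-up second denial against a file in /tmp.
"""
import re
from collections import defaultdict

# key=value pairs: quoted values, braced permission sets, or bare tokens
_KV = re.compile(r'(\w+)=("[^"]*"|\{[^}]*\}|\S+)')
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
_STAMP = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

# Generic file types from the reference policy; a denial whose target
# carries one of these usually means the object is not labelled with the
# domain-specific type the daemon's policy expects (my own short list).
GENERIC_TYPES = {"var_run_t", "tmp_t", "var_t", "etc_t", "usr_t",
                 "default_t", "file_t", "unlabeled_t"}

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1338397396.982:718378): avc: denied { read } for pid=3854 comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0 ppid=27824 pid=3854 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3870 comm="snmp-iostat" exe="/usr/bin/perl" subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1338397400.100:718390): avc: denied { write } for pid=3861 comm="snmp-iostat" name="iostat.tmp" dev=dm-0 ino=524199 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
"""


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    if not line.startswith("type=AVC "):
        return None
    decision = _AVC.search(line)
    if decision is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    stamp = _STAMP.search(line)
    return {
        "serial": int(stamp.group(2)) if stamp else None,
        "decision": decision.group(1),
        "perms": decision.group(2).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        # contexts are user:role:type[:range]; policy rules key on the type
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }


def summarize(log_text):
    """Group denials by (source domain, target type, class).

    Returns a sorted list of (sdomain, ttype, tclass, perms, comms) tuples,
    with perms and comms as sorted lists.
    """
    groups = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            perms, comms = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
            perms.update(rec["perms"])
            comms.add(rec["comm"])
    return [(s, t, c, sorted(p), sorted(m))
            for (s, t, c), (p, m) in sorted(groups.items())]


def is_generic_target(ttype):
    """True when the denied object carries a generic (probably wrong) type."""
    return ttype in GENERIC_TYPES


if __name__ == "__main__":
    for sdomain, ttype, tclass, perms, comms in summarize(SAMPLE_AUDIT_LOG):
        flag = "  <- generic target type, check the label" if is_generic_target(ttype) else ""
        print("%s -> %s (%s) denied %s by %s%s"
              % (sdomain, ttype, tclass, ",".join(perms), ",".join(comms), flag))
```

Run it against a real file with `summarize(open("/var/log/audit/audit.log").read())`; remember that records suppressed by dontaudit rules only appear while `semodule -DB` is in effect.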
 
Old 05-30-2012, 05:49 PM
Daniel J Walsh
 
snmpd not working well with selinux?


On 05/30/2012 01:30 PM, John Horne wrote:
> On Wed, 2012-05-30 at 12:55 -0400, Daniel J Walsh wrote:
>> On 05/30/2012 11:58 AM, John Horne wrote:
>>> On Wed, 2012-05-30 at 16:52 +0100, John Horne wrote:
>>>>
>>>> I am trying to use SNMP on a CentOS 6.2 server, and am using the
>>>> 'pass_persist' configuration command:
>>>>
>>> Sorry, I should have added that nothing appears to be logged in
>>> /var/log/audit/audit.log when snmpd fails to return any values. Nor is
>>> anything about this logged in /var/log/messages by the snmpd daemon.
>>>
>> Turn off dontaudit rules
>>
>>
>> #semodule -DB
>>
>> Then run the command
>>
>> #semodule -B
>>
>> Will turn them back on.
>>
> Hello,
>
> Many thanks for this. I understood that snmpd was under the control of
> SELinux, but didn't know about the 'dontaudit' rules.
>
> The 'snmp-iostat' program, which snmpd/pass_persist calls, reads data from
> a temporary file. The relevant data is then output back to snmpd. The
> temporary file is created via a root cronjob. (I'm not happy with this, but
> at the moment haven't thought of another way to do it.) The file is written
> into '/var/run/net-snmp'.
>
> When running snmpd again (via 'service') I got the following logged in
> audit.log:
>
> ================================================= type=AVC
> msg=audit(1338397396.982:718378): avc: denied { read } for pid=3854
> comm="snmp-iostat" name="snmp-iostat" dev=dm-0 ino=524175
> scontext=unconfined_u:system_r:snmpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file type=SYSCALL
> msg=audit(1338397396.982:718378): arch=c000003e syscall=2 success=no
> exit=-13 a0=938ce0 a1=0 a2=1b6 a3=31bf71dba0 items=0 ppid=27824 pid=3854
> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=3870 comm="snmp-iostat" exe="/usr/bin/perl"
> subj=unconfined_u:system_r:snmpd_t:s0 key=(null)
> =================================================
>
> So it seems that the problem is that 'snmp-iostat' (with the snmpd_t
> context) does not have read access to the temporary file in
> '/var/run/net-snmp'. If I change everything to use /tmp instead of
> '/var/run/net-snmp', I get the same error logged. If I change it again to
> use '/etc/snmp' as the location for the temporary file, then it works.
> Since this holds the SNMP config files, snmpd would, of course, require
> read access to the directory.
>
> So, using '/etc/snmp' to hold a temporary data file works, but again I'm
> not happy with that as a solution! :-)
>
> Is there any (reasonably) secure location where snmpd will have read
> access, and that I could use for holding a temporary file?
>
>
>
>
>
> John.
>

restorecon -R -v /var/run

I think the directory is mislabeled.
 
Old 05-30-2012, 07:29 PM
John Horne
 
snmpd not working well with selinux?

On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:
>
> restorecon -R -v /var/run
>
> I think the directory is mislabeled.
>
Hello,

Made no difference I'm afraid. Both /var/run and /var/run/net-snmp were
labelled as 'system_u:object_r:var_run_t:s0' before and after the
restorecon.




John.

--
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001

 
Old 05-31-2012, 11:59 AM
John Horne
 
snmpd not working well with selinux?

On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:
>
> restorecon -R -v /var/run
>
> I think the directory is mislabeled.
>
Hello,

It looks like it is mislabelled by default. If I set the context of
'/var/run/net-snmp' to 'snmpd_var_run_t' then the use of pass_persist
works fine.

I'll submit this as a bug for your consideration.




John.

--
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK Fax: +44 (0)1752 587001
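The fix John lands on, giving /var/run/net-snmp the snmpd_var_run_t type, is undone again the next time the filesystem is relabelled unless the file-context rule is recorded with `semanage fcontext` and then applied with `restorecon`; `chcon` on its own is only ever temporary. The script below is an added example for this thread, not net-snmp or SELinux project code. It compares the labels on the helper and its data directory against the types the thread establishes (snmpd_exec_t on the helper, snmpd_var_run_t on the directory) and emits the persistent relabel commands for any mismatch. The `get_label` hook lets it run against a constructed label map on a host without SELinux; on a real host it reads the security.selinux extended attribute, which is what `ls -Z` displays. The two-entry expectation table and the sample label map are mine.

```python
"""Check the SELinux labels a pass_persist helper depends on and emit the
persistent fix for any mismatch.

Added example for this thread; not net-snmp or SELinux project code.
The expected types come from the thread (snmpd_exec_t on the helper,
snmpd_var_run_t on /var/run/net-snmp); the table itself is mine.
"""
import os

# path -> (expected SELinux type, "file" or "dir")
EXPECTED = {
    "/usr/local/sbin/snmp-iostat": ("snmpd_exec_t", "file"),
    "/var/run/net-snmp": ("snmpd_var_run_t", "dir"),
}


def read_selinux_label(path):
    """Read the security.selinux xattr (what ls -Z shows); None if unavailable."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # no such file, no xattr, or not Linux
        return None
    return raw.decode("ascii", "replace").rstrip("\0")


def context_type(label):
    """Type field of a user:role:type[:range] context, or None if malformed."""
    parts = label.split(":") if label else []
    return parts[2] if len(parts) >= 3 else None


def check_labels(expected=EXPECTED, get_label=read_selinux_label):
    """Return [(path, actual_type, expected_type, kind)] for mislabelled paths.

    get_label is injectable so the check can run against a constructed map.
    """
    problems = []
    for path, (want, kind) in expected.items():
        got = context_type(get_label(path))
        if got != want:
            problems.append((path, got, want, kind))
    return problems


def remediation(problems):
    """Commands that make the fix survive a relabel.

    chcon alone is reverted by the next restorecon or full relabel; a
    semanage fcontext rule is what restorecon consults. For a directory the
    (/.*)? suffix covers its contents, and files created inside it (here by
    the cron job) inherit the directory's type by default, so the helper's
    data file ends up with a type snmpd_t is allowed to read.
    """
    cmds = []
    for path, _got, want, kind in problems:
        # the paths in EXPECTED contain no regex metacharacters
        pattern = path + "(/.*)?" if kind == "dir" else path
        cmds.append('semanage fcontext -a -t %s "%s"' % (want, pattern))
        cmds.append("restorecon -%sv %s" % ("R" if kind == "dir" else "", path))
    return cmds


if __name__ == "__main__":
    # Constructed label map standing in for a host before the fix.
    before_fix = {
        "/usr/local/sbin/snmp-iostat": "system_u:object_r:snmpd_exec_t:s0",
        "/var/run/net-snmp": "system_u:object_r:var_run_t:s0",
    }
    problems = check_labels(get_label=before_fix.get)
    for path, got, want, _kind in problems:
        print("%s is %s, expected %s" % (path, got, want))
    print("\n".join(remediation(problems)))
```

On the affected host, drop the `get_label=` argument so the real extended attributes are read, and run the printed commands as root; `ls -ldZ /var/run/net-snmp` afterwards should show snmpd_var_run_t.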
 
Old 05-31-2012, 12:43 PM
Daniel J Walsh
 
snmpd not working well with selinux?


On 05/31/2012 07:59 AM, John Horne wrote:
> On Wed, 2012-05-30 at 13:49 -0400, Daniel J Walsh wrote:
>>
>> restorecon -R -v /var/run
>>
>> I think the directory is mislabeled.
>>
> Hello,
>
> It looks like it is mislabelled by default. If I set the context of
> '/var/run/net-snmp' to 'snmpd_var_run_t' then the use of pass_persist
> works fine.
>
> I'll submit this as a bug for your consideration.
>
>
>
>
> John.
>
Ok in Fedora we have /var/run/net-snmpd, is /var/run/net-snmp a standard
directory for this?

 
 
Old 05-31-2012, 12:51 PM
John Horne
 
snmpd not working well with selinux?

On Thu, 2012-05-31 at 08:43 -0400, Daniel J Walsh wrote:
> >
> Ok in Fedora we have /var/run/net-snmpd, is /var/run/net-snmp a standard
> directory for this?
>
Hello,

What I have is:

Fedora 15:
=================================
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 /var/run/net-snmp

rpm -qf /var/run/net-snmp
net-snmp-5.6.1-7.fc15.x86_64
=================================

RHEL 6.2/CentOS 6.2:
=================================
ls -ldZ /var/run/net-snmp
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 /var/run/net-snmp

rpm -qf /var/run/net-snmp
net-snmp-5.5-37.el6_2.1.x86_64
=================================


So '/var/run/net-snmpd' must have come in at a later date than F15.



John.

--
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK Fax: +44 (0)1752 587001
 
