For When You Can't Have The Real Thing
[ start | index | login ]
start > seLinux > Fix Problems

Fix Problems

Created by dave. Last edited by dave, 302 days ago. Viewed 262 times. #1
[edit] [rdf]
labels
attachments
(2017-09-20)

Example Problem

I'm on a CentOS 7.4.1708 system. I copied /etc/snmp/snmpd.conf from another system. When I query snmpd, I get nothing back. If I issue a

# setenforce 0
… then it works.

Troubleshooting

# yum -y install setroubeshoot
< ten million RPMs install >

# sealert -a /var/log/audit/audit.log | less

Scroll down to the bottom; the last entry starts with:

SELinux is preventing /usr/sbin/snmpd from getattr access on the file /etc/snmp/snmpd.conf.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label. /etc/snmp/snmpd.conf default label should be etc_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/snmp/snmpd.conf

Solution

# /sbin/restorecon -v /etc/snmp/snmpd.conf
/sbin/restorecon reset /etc/snmp/snmpd.conf context unconfined_u:object_r:admin_home_t:s0->unconfined_u:object_r:etc_t:s0

Now when I enable enforcement and restart snmpd again, everything works.

Commentary

That was much less painful than previous expeditions into selinux. It still isn't clear what's going on, but figuring out what's wrong and how to fix it quickly is much easier. It would be nice if the setroubleshoot tool didn't decide you needed a bunch of X dependencies though.

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt