
snmpd child scripts

Created by dave (2018-10-12).

Problem

I can run a script interactively, but snmpd can't run it as an extension.

Solution

If SELinux is blocking, you'll need to look at the audit log. I ran into this myself, and what I ended up having to do was grep audit.log for denials and build an SELinux module that allows the actions snmpd's child process was denied. Because the script dies at the first denial in enforcing mode, each snmpwalk only surfaces the next denial, so I had to repeat the process over and over until all permissions were granted:

# sudo grep snmp /var/log/audit/audit.log | grep denied | audit2allow -M modulename

This creates two files: modulename.te and modulename.pp. The .pp file is the compiled policy package that semodule loads. The .te file is the human-readable type enforcement source it was built from; it lists the allow rules being added and can be edited and recompiled to produce a narrower policy.

View modulename.te to see what it is adding, then import the module. My basic process was to grep the audit log and pipe it to audit2allow, then cat the .te file and count its lines to confirm the number of rules was growing. Import the module, run the snmpwalk again, and keep repeating until the .te file gains no new rules and the audit log shows no new denials for snmpd:

# sudo grep snmp /var/log/audit/audit.log | grep denied | audit2allow -M modulename
# cat modulename.te; wc -l modulename.te
# sudo semodule -i modulename.pp
# snmpwalk -v 2c -c public sentry NET-SNMP-EXTEND-MIB::nsExtendObjects

Lather, rinse, repeat. Two things worth knowing before you do: audit2allow grants exactly what was denied and nothing narrower, so read the .te before installing it, and if a denial is only there because the script or the files it reads are mislabeled, fix the label (chcon, or semanage fcontext plus restorecon) rather than allowing snmpd_t to touch that type. If the rounds get tedious, `semanage permissive -a snmpd_t` puts only that domain into permissive mode so a single snmpwalk logs every denial at once; remove it again with `semanage permissive -d snmpd_t` once the module is built. Once you've got that nailed down, if necessary you can take the modulename.pp file to other systems running the same distribution policy and import it there as well; the module refers to types that have to exist on the target.
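The loop above, written out as a script. This is an added example, not the page's own commands or anything shipped with net-snmp or policycoreutils. It does three things the bare one-liners do not: it selects denials by the snmpd_t source context rather than by the word "snmp" (a child script logs comm="sh" or its own name, not "snmpd"), it prints a per-(source, target, class) summary of what audit2allow is about to grant before installing anything, and it refuses to build a module that would give snmpd_t access to a short list of sensitive types. The module name snmpd_extend, the host/community sentry/public, the audit log path and the sample AVC lines are all assumptions; the sample lines are constructed, not taken from a real system.

```bash
#!/bin/bash
# Added example, not from the original page: the grep / audit2allow /
# semodule / snmpwalk loop as a script that shows what each round would
# grant before it installs anything.  Assumptions: module name snmpd_extend,
# target sentry with community public, audit log at the default path.

MODULE=${MODULE:-snmpd_extend}
HOST=${HOST:-sentry}
COMMUNITY=${COMMUNITY:-public}
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# Keep only AVC denials whose *source* domain is snmpd_t.  A child script
# logs comm="sh" or its own name rather than "snmpd", so matching on the
# scontext field catches denials that a grep for the command name would miss.
snmpd_denials() {
    grep -E 'avc: +denied .*scontext=[^ ]*:snmpd_t:'
}

# Collapse raw denials into one line per (scontext, tcontext, tclass) with
# the union of the permissions requested: roughly the allow rules audit2allow
# is about to write, but readable before the .te exists.
avc_summary() {
    sed -nE 's/.*denied +[{] ([^}]*) [}].*scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+).*/\2 \3 \4 \1/p' |
    awk '{
            key = $1 " " $2 " " $3
            for (i = 4; i <= NF; i++)
                if (!seen[key, $i]++) perms[key] = perms[key] " " $i
         }
         END { for (k in perms) print k " {" perms[k] " }" }' |
    sort
}

# Target types an extension script should never drag into snmpd_t's policy.
# This list is a starting point (an assumption here), not an exhaustive one.
flag_sensitive() {
    grep -E '^[^ ]+ [^ ]+:(shadow_t|sshd_key_t|user_home_t|admin_home_t|security_t):[^ ]* '
}

# Constructed sample log lines (not from a real system) so the functions above
# can be tried offline: a script living in a home directory, two accesses to
# /proc/mdstat from the child shell, and an unrelated httpd denial.
SAMPLE_AVC='type=AVC msg=audit(1539345600.101:201): avc:  denied  { execute } for  pid=1201 comm="snmpd" name="check_raid.sh" dev="dm-0" ino=1001 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539345600.102:202): avc:  denied  { read open } for  pid=1202 comm="sh" name="mdstat" dev="proc" ino=4026 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539345600.103:203): avc:  denied  { getattr } for  pid=1202 comm="sh" path="/proc/mdstat" dev="proc" ino=4026 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:proc_mdstat_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539345600.104:204): avc:  denied  { name_connect } for  pid=1300 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# The page's loop: build and install a module from the denials seen so far,
# walk the MIB again, and stop once a walk adds no new denials.  Refuse to
# build a module that would touch a flagged type.
main_loop() {
    local round=0 prev=-1 count summary
    while :; do
        round=$((round + 1))
        summary=$(snmpd_denials <"$AUDIT_LOG" | avc_summary)
        count=$(printf '%s\n' "$summary" | grep -c .)
        echo "round $round: $count distinct snmpd_t denial(s)"
        [ "$count" -eq 0 ] && return 0
        if [ "$count" -eq "$prev" ]; then
            echo "snmpwalk produced no new denials; done"
            return 0
        fi
        prev=$count
        printf '%s\n' "$summary"
        if printf '%s\n' "$summary" | flag_sensitive; then
            echo "refusing to allow the flagged rule(s) above; fix the script or its labels instead" >&2
            return 1
        fi
        snmpd_denials <"$AUDIT_LOG" | audit2allow -M "$MODULE" || return 1
        semodule -i "$MODULE.pp" || return 1
        snmpwalk -v 2c -c "$COMMUNITY" "$HOST" NET-SNMP-EXTEND-MIB::nsExtendObjects >/dev/null
    done
}

# Run the loop only when asked, so the file can also be sourced for its functions:
#   RUN_LOOP=1 ./snmpd_extend_policy.sh
if [ "${RUN_LOOP:-0}" = 1 ]; then main_loop; fi
```

Run it as root with RUN_LOOP=1 on the snmpd host; without that variable it only defines the functions, so `. ./snmpd_extend_policy.sh; snmpd_denials </var/log/audit/audit.log | avc_summary` is a quick way to see what a module would grant without building one.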

