(2018-10-12)
Problem
I can run a script interactively, but snmpd can't run it as an extension.
Solution
If SELinux is blocking, you’ll need to look at the audit log. I ran into this myself and what I ended up having to do was grep through audit.log for deny statements and create a SELinux module to allow the action to be performed. I had to repeat the process over and over until all permissions were granted:
# sudo grep snmp /var/log/audit/audit.log | grep denied | audit2allow -M modulename
This will create two files: modulename.te and modulename.pp. The .pp file is the actual policy that can be imported, and the .te file is a template file that is human readable and can be modified to create a new policy.
View modulename.te to see what it’s adding, then import the module. My basic process was to grep the audit log and pipe out to audit2allow, then cat the .te file and count the lines to see that it was increasing. Import the module, then do your snmpwalk again. Keep repeating the process until you see no more denies in the .te file:
# sudo grep snmp /var/log/audit/audit.log | grep denied | audit2allow -M modulename
# cat modulename.te ; cat modulename.te | wc -l
# sudo semodule -i modulename.pp
# snmpwalk -v 2c -c public sentry NET-SNMP-EXTEND-MIB::nsExtendObjects
Lather, rinse, repeat. Once you’ve got that nailed down, if necessary you can take the modulename.pp file to other systems and import it there as well.
(Source)
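To review what each pass of the loop above would allow before importing the module, the denials can be collapsed into one line per rule with a hit count. This is an added example, not part of the original post; the function names summarise_denials and sample_log are hypothetical, and the audit lines are constructed samples.

```shell
#!/bin/sh
# Collapse snmpd AVC denials into "count source_type target_type class { perms }"
# so the rules audit2allow would generate can be reviewed before semodule -i.

# Constructed sample audit.log lines (not taken from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1539345600.101:401): avc:  denied  { execute } for  pid=2101 comm="snmpd" name="check.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539345660.207:409): avc:  denied  { execute } for  pid=2150 comm="snmpd" name="check.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539345661.310:410): avc:  denied  { read open } for  pid=2151 comm="check.sh" name="app.log" dev="dm-0" ino=5678 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539345700.001:415): avc:  denied  { name_bind } for  pid=900 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Reads audit log lines on stdin; same "grep snmp | grep denied" filter as the post.
summarise_denials() {
  grep snmp | grep denied | awk '
  {
    perms = ""; src = ""; tgt = ""; cls = ""
    # Permissions are the words between "{ " and " }".
    if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      # Contexts are user:role:type:level; the type is the third part.
      if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
      if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    if (src != "" && tgt != "") count[src " " tgt " " cls " { " perms " }"]++
  }
  END { for (k in count) print count[k], k }' | sort -k2
}

# Stand-alone run on the constructed sample. On a real host, feed the log instead:
#   sudo cat /var/log/audit/audit.log | summarise_denials
sample_log | summarise_denials
```

A target type such as user_home_t in the summary usually means the script is mislabeled or in the wrong location, which is better fixed by moving or relabeling the file than by importing a rule that lets snmpd_t execute it.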