SELinux problem for SNMP

Satish Patel satish at linuxbug.org
Thu Mar 5 18:25:12 CET 2009
Previous message: SELinux problem for SNMP
Next message: SELinux problem for SNMP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Thansk your reply

I have checked IPtables and other related stuff with security port  
security i found one thing when i perform snmp CPU Load plugin its  
working fine measn i have access of snmp quary for CPU oid. Then why i  
am not able to Disk monitoring via SNMP?

Notes:- I have few NFS mount point whicg is mounted at /mnt directory  
is this the problem ? might be selinux not allow to snmp query to /mnt  
filesystem. when i check my /var/log/messages file i got Access denied  
on /mnt mounted file system with snmpd error

here my logs

Mar  5 11:34:54 server02 snmpd[17536]: /mnt/to-rap-cm-bak01/h:  
Permission denied
Mar  5 11:34:54 server02 snmpd[17536]: /mnt/to-rap-cm-bak01/i:  
Permission denied
Mar  5 11:34:54 server02 snmpd[17536]: /mnt/ustnsto-lin03/opt/comtel:  
Permission denied
Mar  5 11:34:54 server02 snmpd[17536]:  
/mnt/ustnsto-lin03/media/usbdisk: Permission denied
Mar  5 11:34:54 server02 kernel: smb_add_request: request [d31eee80,  
mid=22042] timed out!
Mar  5 11:34:54 server02 kernel: audit(1236270894.187:224715): avc:   
denied  { read append } for  pid=17536 comm="snmpd" name="snmpd.log"  
dev=dm-3 ino=393320 scontext=root:system_r:snmpd_t  
tcontext=user_u:object_r:var_log_t tclass=file
Mar  5 11:34:54 server02 kernel: audit(1236270894.187:224716): avc:   
denied  { search } for  pid=17536 comm="snmpd" name="mnt" dev=dm-0  
ino=65537 scontext=root:system_r:snmpd_t  
tcontext=system_u:object_r:mnt_t tclass=dir



Regards,

Satish Patel


Quoting Giovanni Torres <torresgi at ninds.nih.gov>:

> I have a CentOS machine that has selinux in enforcing/targeted mode and
> is monitored with snmp checks by nagios successfully. The SE boolean
> value for snmpd_disable_trans is off on my machine and I can still
> query snmp.  I would recommend the following:
> . check the firewall/iptables rules for udp port 161
> . enable logging in iptables to see if the firewall is dropping packets
> (requires more work)
> . check the source and string under the com2sec definition in snmpd.conf
> . check the view definition in snmpd.conf, defaults are a bit restrictive
> . try using the setroubleshoot browser to see if any snmpd related
> warnings pop up.  These warnings can include a section called Allowing
> Access.
>
> -Giovanni
>
>
> Satish Patel wrote:
>> I already used this option its not working.
>>
>> ----- Original Message ----- From: "Giovanni Torres"   
>> <torresgi at ninds.nih.gov>
>> To: <nagios-users at lists.sourceforge.net>
>> Sent: Wednesday, March 04, 2009 10:50 AM
>> Subject: Re: [Nagios-users] SELinux problem for SNMP
>>
>>
>>> $ getsebool -a | grep snmpd
>>> snmpd_disable_trans --> off
>>>
>>> $ setsebool -P snmpd_disable_trans 1
>>>
>>> $ getsebool snmpd_disable_trans
>>> snmpd_disable_trans --> on
>>>
>>> Let me know if that helps you out.
>>>
>>> Thanks,
>>> Giovanni
>>>
>>> Satish Patel wrote:
>>>> I have a selinx its running under default policy. i want SELinux
>>> disable for SNMP daemon thats it.. if any one know about how to disable
>>> for snmpd please let me know.
>>>>
>>>> I have tried to found on SELinux mailing list as well but not gave
>>> any appropriate answer.
>>>>
>>>> ----- Original Message ----- From: "Lee Azzarello" <lee at dropio.com>
>>>> To: <nagios-users at lists.sourceforge.net>
>>>> Sent: Thursday, February 26, 2009 12:09 PM
>>>> Subject: Re: [Nagios-users] SELinux problem for SNMP
>>>>
>>>>
>>>>> I believe your question would be better served on a list related to
>>> SELinux.
>>>>>
>>>>> In my experience SELinux is overkill for anything but the most
>>>>> paranoid security situations. Without a complete understanding of your
>>>>> entire security landscape, you'll just end up fighting with your own
>>>>> systems because SELinux is protecting them from you.
>>>>>
>>>>> -lee
>>>>>
>>>>> On Thu, Feb 26, 2009 at 9:45 AM, Satish Patel <satish at linuxbug.org>
>>> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have RHEL 5 Box with SELinux enforceing mode now what happend when
>>>>>> my nagios box trying to use snmp to get CPU load its working fine. but
>>>>>> when it trying to use DISK and MEM infor its failed not response. even
>>>>>> this same plugin working with all my linux client ubuntu, debian,
>>>>>> Redhat not problem with plugin but i found problem related to SELinux
>>>>>> and i dont want to Disable it so what is the other option and how i
>>>>>> can disable snmp policy in SELinux to make happy my nagios?
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Satish Patel
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>> ------------------------------------------------------------------------------ >>> Open Source Business Conference (OSBC), March 24-25, 2009,   
>>> San
>>> Francisco, CA
>>>>>> -OSBC tackles the biggest issue in open source: Open Sourcing the
>>> Enterprise
>>>>>> -Strategies to boost innovation and cut costs with open source
>>> participation
>>>>>> -Receive a $600 discount off the registration fee with the source
>>> code: SFAD
>>>>>> http://p.sf.net/sfu/XcvMzF8H
>>>>>> _______________________________________________
>>>>>> Nagios-users mailing list
>>>>>> Nagios-users at lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>>>>>> ::: Please include Nagios version, plugin version (-v) and OS when
>>> reporting any issue.
>>>>>> ::: Messages without supporting info will risk being sent to /dev/null
>>>>>>
>>>>>
>>> ------------------------------------------------------------------------------ >> Open Source Business Conference (OSBC), March 24-25, 2009,   
>>> San
>>> Francisco, CA
>>>>> -OSBC tackles the biggest issue in open source: Open Sourcing the
>>> Enterprise
>>>>> -Strategies to boost innovation and cut costs with open source
>>> participation
>>>>> -Receive a $600 discount off the registration fee with the source
>>> code: SFAD
>>>>> http://p.sf.net/sfu/XcvMzF8H
>>>>> _______________________________________________
>>>>> Nagios-users mailing list
>>>>> Nagios-users at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>>>>> ::: Please include Nagios version, plugin version (-v) and OS when
>>> reporting any issue.
>>>>> ::: Messages without supporting info will risk being sent to /dev/null
>>>>>
>>>>
>>>>
>>>>
>>> ------------------------------------------------------------------------------ > Open Source Business Conference (OSBC), March 24-25, 2009,   
>>> San
>>> Francisco, CA
>>>> -OSBC tackles the biggest issue in open source: Open Sourcing the
>>> Enterprise
>>>> -Strategies to boost innovation and cut costs with open source
>>> participation
>>>> -Receive a $600 discount off the registration fee with the source
>>> code: SFAD
>>>> http://p.sf.net/sfu/XcvMzF8H
>>>> _______________________________________________
>>>> Nagios-users mailing list
>>>> Nagios-users at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>>>> ::: Please include Nagios version, plugin version (-v) and OS when
>>> reporting any issue. ::: Messages without supporting info will risk
>>> being sent to /dev/null
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------ Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco,   
>>> CA
>>> -OSBC tackles the biggest issue in open source: Open Sourcing the   
>>> Enterprise
>>> -Strategies to boost innovation and cut costs with open source   
>>> participation
>>> -Receive a $600 discount off the registration fee with the source   
>>> code: SFAD
>>> http://p.sf.net/sfu/XcvMzF8H
>>> _______________________________________________
>>> Nagios-users mailing list
>>> Nagios-users at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/nagios-users
>>> ::: Please include Nagios version, plugin version (-v) and OS when  
>>>  reporting any issue.
>>> ::: Messages without supporting info will risk being sent to /dev/null
>>>
>>
>
> -- 
> Giovanni Torres
> Network Administrator
> Contractor - Kelly Services
> NINDS, NMR Center
> National Institutes of Health
> 301-402-3110




------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
Previous message: SELinux problem for SNMP
Next message: SELinux problem for SNMP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list