snmpd proc monitoring problem

Daniel J Walsh dwalsh at redhat.com
Mon May 2 15:11:59 UTC 2005


Carlos Pastorino wrote:

>On 4/29/05, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  
>
>>Carlos Pastorino wrote:
>>
>>    
>>
>>>Hello,
>>>
>>>I've inserted the following line on my /etc/snmpd.conf file:
>>>
>>>   proc sshd
>>>
>>>Then I executed the following command:
>>>
>>>snmpwalk -On -v2c -c public localhost .1.3.6.1.4.1.2021.2.1
>>>
>>>and got the answer:
>>>
>>>.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
>>>.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
>>>.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 1
>>>.1.3.6.1.4.1.2021.2.1.101.1 = STRING: No sshd process running.
>>>.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
>>>
>>>But, if I execute the command below:
>>>
>>>setenforce 0
>>>
>>>I get the correct answer:
>>>
>>>.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
>>>.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
>>>.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
>>>.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.101.1 = STRING:
>>>.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
>>>.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
>>>
>>>The problem is, nothing shows up on /var/log/messages to allow me to
>>>figure out how to tweak the
>>>/etc/selinux/targeted/src/policy/domains/program/snmpd.te file.
>>>
>>>Any hints?
>>>
>>>Regards,
>>>
>>>Carlos
>>>
>>>--
>>>fedora-selinux-list mailing list
>>>fedora-selinux-list at redhat.com
>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>>
>>>      
>>>
>>You are being bitten by a dontaudit rule.  To disable dont audits
>>cd /etc/selinux/targeted/src/policy
>>
>>make enableaudit
>>make load
>>
>>The culprit line is the following.
>>
>>dontaudit snmpd_t domain:dir { getattr search };
>>
>>If you change this to allow you will get further.
>>
>>--
>>    
>>
>
>Hi Daniel,
>
>On the snmpd.te file, I've changed the line above to:
>
>allow snmpd_t domain:dir { getattr search };
>
>Then I executed "make load", and got the error:
>
>assertion on line 21719 violated by allow snmpd_t unconfined_t:dir {
>getattr search };
>make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>
>Now I'm stuck again :) mainly because I don't know if it's a good idea
>to change the rule on line 21719, namely:
>
># Confined domains must never see unconfined domain's /proc/pid entries.
>neverallow { domain -unrestricted } unconfined_t:dir { getattr search };
>
>Any advices?
>
>Many thanks,
>
>Carlos
>
>  
>
typeattribute snmpd_t unrestricted;

Will get you beyond this.

Dan
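
As an added example (not code from this thread or from net-snmp), the following Python decodes the prTable rows in the two snmpwalk outputs quoted above and diffs them, so the SELinux denial shows up as exactly the columns a poller acts on: prCount drops to 0 and prErrorFlag flips to 1 with the "No sshd process running." text, even though sshd is up. The column numbers (1 prIndex, 2 prNames, 3 prMin, 4 prMax, 5 prCount, 100 prErrorFlag, 101 prErrMessage, 102 prErrFix, 103 prErrFixCmd) are the standard ones from UCD-SNMP-MIB; the two sample walks embedded below are copied from the post, and the function names are this example's own.

```python
"""Decode UCD-SNMP prTable rows from `snmpwalk -On` output and diff two walks.

Added example for this thread, not code from the original post or from
net-snmp. It assumes only the standard column numbers of prEntry in
UCD-SNMP-MIB (.1.3.6.1.4.1.2021.2.1.<column>.<index>).
"""
import re
from typing import Dict, List, Tuple

PRTABLE = ".1.3.6.1.4.1.2021.2.1"

# prEntry columns as defined in UCD-SNMP-MIB.
COLUMNS = {
    1: "prIndex",
    2: "prNames",
    3: "prMin",
    4: "prMax",
    5: "prCount",
    100: "prErrorFlag",
    101: "prErrMessage",
    102: "prErrFix",
    103: "prErrFixCmd",
}

# One `snmpwalk -On` line: "<oid> = <TYPE>: <value>" (the value may be empty).
LINE_RE = re.compile(r"^(?P<oid>\.[\d.]+)\s*=\s*(?P<type>[A-Za-z]+):\s?(?P<value>.*)$")

Row = Dict[str, object]


def parse_walk(text: str) -> Dict[int, Row]:
    """Return {prIndex: {column_name: value}} for every prTable row in the walk."""
    rows: Dict[int, Row] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised snmpwalk line: {line!r}")
        oid = m.group("oid")
        if not oid.startswith(PRTABLE + "."):
            continue  # not part of prTable
        col, idx = (int(p) for p in oid[len(PRTABLE) + 1:].split("."))
        name = COLUMNS.get(col)
        if name is None:
            continue  # column this example does not model
        value: object = m.group("value")
        if m.group("type") == "INTEGER":
            value = int(value)
        rows.setdefault(idx, {})[name] = value
    return rows


def process_alerts(rows: Dict[int, Row]) -> List[str]:
    """Rows whose prErrorFlag is set, i.e. what a poller would page on."""
    return [
        f"{row.get('prNames', '?')}: {row.get('prErrMessage', '')}"
        for _, row in sorted(rows.items())
        if row.get("prErrorFlag", 0) != 0
    ]


def diff_rows(before: Row, after: Row) -> Dict[str, Tuple[object, object]]:
    """Columns whose value differs between two walks of the same row."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in sorted(keys) if before.get(k) != after.get(k)}


# Sample input: the two walks quoted in the thread (enforcing, then after `setenforce 0`).
ENFORCING_WALK = """
.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.101.1 = STRING: No sshd process running.
.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
"""

PERMISSIVE_WALK = """
.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.101.1 = STRING:
.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
"""

if __name__ == "__main__":
    enforcing = parse_walk(ENFORCING_WALK)
    permissive = parse_walk(PERMISSIVE_WALK)
    print("enforcing :", process_alerts(enforcing))
    print("permissive:", process_alerts(permissive))
    print("changed   :", diff_rows(enforcing[1], permissive[1]))
```

Run it directly to print the alerts and the changed columns. The monitoring point is that snmpd, denied search on other domains' /proc/<pid> directories, does not report an error of its own; it reports the process as absent, so an SELinux policy change can produce "daemon down" alerts with nothing in /var/log/messages until the dontaudit rules are disabled. Note also what the fix trades away: the neverallow quoted above exists so that confined domains cannot see unconfined_t's /proc/pid entries, and giving snmpd_t the unrestricted attribute exempts it from that assertion.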
 
