snmp Permission denied on mounted filesystems

Sandro Janke gui1ty_fedora at penguinpee.nl
Fri Apr 16 00:11:50 UTC 2010 

On 04/16/2010 01:51 AM, Paul Ward wrote:
> I have run the command as follows but I am still getting the permission issues.
> 
> Apr 16 11:48:13 sargas snmpd[23987]: /home/work/exports: Permission denied
> 
> # restorecon -v /home/work/exports
> restorecon reset context /home/work/exports:->system_u:object_r:user_home_t

Without the -R switch only the directory itself will be labeled. I'm
pretty sure you want to run restorecon as suggested by dwalsh.

What does 'ausearch -m -ts recent' tell? You can pipe the output to
audit2why or audit2allow like:

ausearch -m avc -ts recent | audit2why
ausearch -m avc -ts recent | audit2allow -M mysnmp

The latter will generate a loadable module. There is some documentation
at [1] about creating and loading your own modules.

[1]
http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

> ls -lZd /home/work/exports
> 
> drwxrwxr-x  oracle   dba      system_u:object_r:user_home_t
> /home/work/exports
> 
> Whats next?
> Do I need to restart something?
> 
> 
> 
> 
> On 16 April 2010 11:11, Sandro Janke <gui1ty_fedora at penguinpee.nl> wrote:
>> On 04/16/2010 12:33 AM, Paul Ward wrote:
>>>> What does 'rpm -qv selinux-policy-targeted' say?
>>>> What are the settings in /etc/selinux/config?
>>>
>>> My server shows the following selinux packages.
>>>
>>> selinux-policy-targeted-1.17.30-2.152.el4
>>> selinux-policy-targeted-sources-1.17.30-2.152.el4
>>>
>>> I have run:
>>> snmpwalk -v 2c -c public .iso
>>> cd /etc/selinux/targeted/src/policy
>>> audit2allow -d -l -o domains/misc/local.te
>>> make load
>>>
>>> Until no more errors were found, this fixed theoriginal errors from
>>> selinux, but not the permissions.
>>>
>>>> Try running restorecon -R -v /home
>>>
>>> If I run
>>>
>>> restorecon -R -v /home
>>>
>>> Would this affect a production servers running or should I do this in
>>> a mainaintance window?
>>
>> Well, you can try to run it with the -n switch first to show you what
>> would happen. According to the man page: "It can be run at any time to
>> correct errors..."
>>
>>> On 15 April 2010 19:05, Sandro Janke <gui1ty_fedora at penguinpee.nl> wrote:
>>>> On 04/15/2010 06:49 AM, Paul Ward wrote:
>>>>> Hi all,
>>>>>
>>>>> I am sure this comes up a lot but have spent hours trying to find th
>>>>> eanswers with no success apart from disabling selinux which I don't
>>>>> want to do.
>>>>>
>>>>> Apr 15 16:48:26 sargas snmpd[23987]: /home/appl: Permission denied
>>>>>
>>>>> The following filesystems are mounted with same issue.
>>>>>
>>>>> /dev/sda7             3.9G  427M  3.3G  12% /home/appl
>>>>> /dev/sda6             4.0G  2.7G  1.2G  71% /home/users
>>>>> /dev/sda8             3.9G  2.5G  1.2G  68% /home/work
>>>>>
>>>>> ls -ldZ /home/appl/
>>>>> drwxr-xr-x  root     root                                      /home/appl/
>>>>
>>>> This shows that the directory has not been labeled, yet.
>>>>
>>>>> /usr/sbin/sestatus
>>>>> SELinux status:         enabled
>>>>> SELinuxfs mount:        /selinux
>>>>> Current mode:           enforcing
>>>>>
>>>>
>>>> Could it be that you don't have any policy package installed?
>>>>
>>>> What does 'rpm -qv selinux-policy-targeted' say?
>>>> What are the settings in /etc/selinux/config?
>>>>
>>>>> What do I need to do to fix this chcon? If so what is the full comman
>>>>> / context to enter?
>>>>>
>>>>> Thanks
>>>>> --
>>>>> selinux mailing list
>>>>> selinux at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>

More information about the selinux mailing list