On 4/29/05, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
Carlos Pastorino wrote:
>Hello,
>
>I've inserted the following line on my /etc/snmpd.conf file:
>
> proc sshd
>
>Then I executed the following command:
>
>snmpwalk -On -v2c -c public localhost .1.3.6.1.4.1.2021.2.1
>
>and got the answer:
>
>.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
>.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
>.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 1
>.1.3.6.1.4.1.2021.2.1.101.1 = STRING: No sshd process running.
>.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
>
>But, if I execute the command below:
>
>setenforce 0
>
>I get the correct answer:
>
>.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
>.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
>.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
>.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.101.1 = STRING:
>.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
>.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
>
>The problem is, nothing shows up on /var/log/messages to allow me to
>figure out how to tweak the
>/etc/selinux/targeted/src/policy/domains/program/snmpd.te file.
>
>Any hints?
>
>Regards,
>
>Carlos
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list(a)redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
You are being bitten by a dontaudit rule. To disable dontaudits:
cd /etc/selinux/targeted/src/policy
make enableaudit
make load
The culprit line is the following.
dontaudit snmpd_t domain:dir { getattr search };
If you change this to allow you will get further.
--
Hi Daniel,
On the snmpd.te file, I've changed the line above to:
allow snmpd_t domain:dir { getattr search };
Then I executed "make load", and got the error:
assertion on line 21719 violated by allow snmpd_t unconfined_t:dir {
getattr search };
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
Now I'm stuck again :) mainly because I don't know if it's a good idea
to change the rule on line 21719, namely:
# Confined domains must never see unconfined domain's /proc/pid entries.
neverallow { domain -unrestricted } unconfined_t:dir { getattr search };
Any advice?
Many thanks,
Carlos
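Added example, not part of the thread: once the dontaudit rules are switched off with "make enableaudit" and "make load", the denials appear as AVC lines in /var/log/messages, and the remaining work is turning them into allow rules while noticing which ones the policy's neverallow assertions forbid (the "assertion on line 21719 violated" failure above). The script below is a small stand-in for that step (the real tool for it is audit2allow from policycoreutils): it parses the 2.6-kernel-era AVC format, merges denials per source domain / target type / class, and flags any suggested rule that would collide with the quoted neverallow on unconfined_t:dir { getattr search }. The log lines are constructed for this example, and the NEVERALLOW_RULES table is a hand-written stand-in for the assertion the thread quotes, not something read from the policy.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/messages lines (not taken from the thread). They
# mimic the AVC format that shows up after dontaudit rules are disabled.
SAMPLE_LOG = """\
Apr 29 10:15:01 host kernel: audit(1114784101.123:41): avc:  denied  { search } for  pid=1840 comm="snmpd" name="1" dev=proc ino=65538 scontext=system_u:system_r:snmpd_t tcontext=system_u:system_r:unconfined_t tclass=dir
Apr 29 10:15:01 host kernel: audit(1114784101.123:42): avc:  denied  { getattr } for  pid=1840 comm="snmpd" name="1" dev=proc ino=65538 scontext=system_u:system_r:snmpd_t tcontext=system_u:system_r:unconfined_t tclass=dir
Apr 29 10:15:01 host kernel: audit(1114784101.124:43): avc:  denied  { getattr search } for  pid=1840 comm="snmpd" name="1922" dev=proc ino=125960 scontext=system_u:system_r:snmpd_t tcontext=system_u:system_r:sshd_t tclass=dir
Apr 29 10:15:01 host kernel: audit(1114784101.124:44): avc:  denied  { read } for  pid=1840 comm="snmpd" name="status" dev=proc ino=125961 scontext=system_u:system_r:snmpd_t tcontext=system_u:system_r:sshd_t tclass=file
Apr 29 10:15:02 host kernel: audit(1114784102.001:45): avc:  granted  { setenforce } for  pid=1901 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

# Pulls verdict, permission set and the three context fields out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Hand-written stand-in (assumption) for the assertion the thread quotes:
#   neverallow { domain -unrestricted } unconfined_t:dir { getattr search };
# Each entry is (target type, object class, permissions the assertion forbids).
NEVERALLOW_RULES = [
    ("unconfined_t", "dir", {"getattr", "search"}),
]


def parse_avc(line):
    """Return a dict for an AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        # user:role:type -> keep only the type component
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text):
    """Merge denied AVCs into {(source domain, target type, class): set(perms)}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["verdict"] == "denied":
            merged[(avc["sdomain"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(merged)


def violates_neverallow(ttype, tclass, perms):
    """True if granting perms on ttype:tclass would trip one of the assertions."""
    for na_ttype, na_tclass, na_perms in NEVERALLOW_RULES:
        if ttype == na_ttype and tclass == na_tclass and perms & na_perms:
            return True
    return False


def suggest_rules(log_text):
    """Return (allow_rules, blocked_rules).

    allow_rules can be pasted into a .te file; blocked_rules are the ones a
    neverallow assertion would reject at "make load", so they need a policy
    change at the assertion level (or a different design) rather than a plain allow.
    """
    allow, blocked = [], []
    for (sdomain, ttype, tclass), perms in sorted(collect_denials(log_text).items()):
        rule = "allow %s %s:%s { %s };" % (sdomain, ttype, tclass, " ".join(sorted(perms)))
        if violates_neverallow(ttype, tclass, perms):
            blocked.append(rule)
        else:
            allow.append(rule)
    return allow, blocked


if __name__ == "__main__":
    ok, bad = suggest_rules(SAMPLE_LOG)
    print("# rules that should load cleanly")
    for r in ok:
        print(r)
    print("# rules a neverallow assertion will reject")
    for r in bad:
        print(r)
```

Run against the constructed log it produces two loadable rules for sshd_t (the /proc/<pid> directory and status file of the sshd process being checked) and reports the snmpd_t -> unconfined_t:dir rule as blocked, which is exactly the rule that fails the assertion in the thread. Feeding it a real /var/log/messages only requires that the AVC lines use the same field layout as the samples.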