On 4/29/05, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> Carlos Pastorino wrote:
>
> >Hello,
> >
> >I've inserted the following line on my /etc/snmpd.conf file:
> >
> >  proc sshd
> >
> >Then I executed the following command:
> >
> >snmpwalk -On -v2c -c public localhost .1.3.6.1.4.1.2021.2.1
> >
> >and got the answer:
> >
> >.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
> >.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
> >.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 1
> >.1.3.6.1.4.1.2021.2.1.101.1 = STRING: No sshd process running.
> >.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
> >
> >But, if I execute the command below:
> >
> >setenforce 0
> >
> >I get the correct answer:
> >
> >.1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
> >.1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
> >.1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
> >.1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.101.1 = STRING:
> >.1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
> >.1.3.6.1.4.1.2021.2.1.103.1 = STRING:
> >
> >The problem is, nothing shows up on /var/log/messages to allow me to
> >figure out how to tweak the
> >/etc/selinux/targeted/src/policy/domains/program/snmpd.te file.
> >
> >Any hints?
> >
> >Regards,
> >
> >Carlos
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list@xxxxxxxxxx
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
> You are being bitten by a dontaudit rule.  To disable dont audits
> cd /etc/selinux/targeted/src/policy
>
> make enableaudit
> make load
>
> The culprit line is the following.
>
> dontaudit snmpd_t domain:dir { getattr search };
>
> If you change this to allow you will get further.
>
> --

Hi Daniel,

On the snmpd.te file, I've changed the line above to:

allow snmpd_t domain:dir { getattr search };

Then I executed "make load", and got the error:

assertion on line 21719 violated by allow snmpd_t unconfined_t:dir { getattr search };
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1

Now I'm stuck again :) mainly because I don't know if it's a good idea to
change the rule on line 21719, namely:

# Confined domains must never see unconfined domain's /proc/pid entries.
neverallow { domain -unrestricted } unconfined_t:dir { getattr search };

Any advice?

Many thanks,

Carlos
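
The assertion failure in the message above, as an added example that is not part of the original thread or of the Fedora policy sources: a simplified Python model of the neverallow check run when the policy is compiled. The attribute memberships in `ATTRS` and the `NARROWED` rule are assumptions constructed for illustration; the other three rules are quoted from the thread.

```python
import re

# Constructed attribute membership; the real policy defines many more types.
ATTRS = {
    "domain": {"snmpd_t", "named_t", "httpd_t", "unconfined_t"},
    "unrestricted": {"unconfined_t"},
}

RULE = re.compile(
    r"(\w+)\s+(\{[^}]*\}|[^\s{}]+)\s+(\{[^}]*\}|[^\s{}:]+):(\w+)\s+(\{[^}]*\}|\w+)\s*;"
)

def expand(spec):
    """Expand a type set such as 'domain -unrestricted' into concrete types."""
    include, exclude = set(), set()
    for tok in spec.strip("{} ").split():
        name = tok.lstrip("-")
        (exclude if tok.startswith("-") else include).update(ATTRS.get(name, {name}))
    return include - exclude

def parse(rule):
    """Split '<kind> <source> <target>:<class> <perms>;' into expanded parts."""
    kind, src, tgt, cls, perms = RULE.fullmatch(rule.strip()).groups()
    return kind, expand(src), expand(tgt), cls, set(perms.strip("{} ").split())

def violations(rule, neverallow):
    """Return the (source, target, class, perms) tuples of rule that the assertion forbids."""
    kind, src, tgt, cls, perms = parse(rule)
    _, n_src, n_tgt, n_cls, n_perms = parse(neverallow)
    # Only allow rules grant access, so dontaudit rules are never checked.
    if kind != "allow" or cls != n_cls or not perms & n_perms:
        return []
    return [(s, t, cls, sorted(perms & n_perms))
            for s in sorted(src & n_src) for t in sorted(tgt & n_tgt)]

NEVERALLOW = "neverallow { domain -unrestricted } unconfined_t:dir { getattr search };"
ORIGINAL = "dontaudit snmpd_t domain:dir { getattr search };"
EDITED = "allow snmpd_t domain:dir { getattr search };"
# Hypothetical narrowed rule: satisfies the assertion, grants nothing on unconfined_t.
NARROWED = "allow snmpd_t { domain -unconfined_t }:dir { getattr search };"

if __name__ == "__main__":
    for r in (ORIGINAL, EDITED, NARROWED):
        print(r, "->", violations(r, NEVERALLOW) or "passes")
```

The edited rule fails because `domain` as a target expands to every domain type, including `unconfined_t`, which is exactly the pair named in the compiler's error message.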