Re: snmpd proc monitoring problem

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Carlos Pastorino wrote:

> On 4/29/05, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>  
>
> > Carlos Pastorino wrote:
> >
> >    
> >
> > > Hello,
> > >
> > > I've inserted the following line on my /etc/snmpd.conf file:
> > >
> > >   proc sshd
> > >
> > > Then I executed the following command:
> > >
> > > snmpwalk -On -v2c -c public localhost .1.3.6.1.4.1.2021.2.1
> > >
> > > and got the answer:
> > >
> > > .1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
> > > .1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
> > > .1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 1
> > > .1.3.6.1.4.1.2021.2.1.101.1 = STRING: No sshd process running.
> > > .1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.103.1 = STRING:
> > >
> > > But, if I execute the command below:
> > >
> > > setenforce 0
> > >
> > > I get the correct answer:
> > >
> > > .1.3.6.1.4.1.2021.2.1.1.1 = INTEGER: 1
> > > .1.3.6.1.4.1.2021.2.1.2.1 = STRING: sshd
> > > .1.3.6.1.4.1.2021.2.1.3.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.4.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.5.1 = INTEGER: 2
> > > .1.3.6.1.4.1.2021.2.1.100.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.101.1 = STRING:
> > > .1.3.6.1.4.1.2021.2.1.102.1 = INTEGER: 0
> > > .1.3.6.1.4.1.2021.2.1.103.1 = STRING:
> > >
> > > The problem is, nothing shows up on /var/log/messages to allow me to
> > > figure out how to tweak the
> > > /etc/selinux/targeted/src/policy/domains/program/snmpd.te file.
> > >
> > > Any hints?
> > >
> > > Regards,
> > >
> > > Carlos
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list@xxxxxxxxxx
> > > http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > >
> > >
> > >      
> > You are being bitten by a dontaudit rule.  To disable dont audits
> > cd /etc/selinux/targeted/src/policy
> >
> > make enableaudit
> > make load
> >
> > The culprit line is the following.
> >
> > dontaudit snmpd_t domain:dir { getattr search };
> >
> > If you change this to allow you will get further.
> >
> > --
> >    
>
> Hi Daniel,
>
> On the snmpd.te file, I've changed the line above to:
>
> allow snmpd_t domain:dir { getattr search };
>
> Then I executed "make load", and got the error:
>
> assertion on line 21719 violated by allow snmpd_t unconfined_t:dir {
> getattr search };
> make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
>
> Now I'm stuck again :) mainly because I don't know if it's a good idea
> to change the rule on line 21719, namely:
>
> # Confined domains must never see unconfined domain's /proc/pid entries.
> neverallow { domain -unrestricted } unconfined_t:dir { getattr search };
>
> Any advices?
>
> Many thanks,
>
> Carlos
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
typeattribute snmbt_t unristricted;

Will get you beyond this.

Dan


--


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list