We use snmp extends to invoke commands on various hosts; obviously with SELinux enabled we need to accommodate each command. We have one that invokes systemctl, so depending on the unit files installed the policy varies. That's not a scalable approach, so what is the best practice here for writing a policy that allows snmpd to invoke systemctl, where we allow something like:

    allow snmpd_t *_unit_file_t:service status;
    allow snmpd_t init_t:system status;
    allow snmpd_t init_t:unix_stream_socket connectto;
    allow snmpd_t self:netlink_route_socket nlmsg_write;
    allow snmpd_t systemd_systemctl_exec_t:file { read execute open execute_no_trans };
    allow snmpd_t usr_t:file unlink;

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
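The wildcard `*_unit_file_t` in the post is not valid policy syntax; the scalable way to say "any unit file" is to grant the permission on the attribute that all unit-file types share, so the module never has to change when new unit files appear. Below is an added example of such a module (it is not the poster's code and not part of the Fedora policy). The type names and the rule list are the ones given in the post; the attribute name `unit_file_type` is an assumption about the local policy and should be confirmed before building, for example with `seinfo -a unit_file_type -x`.

```te
policy_module(snmpd_systemctl, 1.0)

gen_require(`
	type snmpd_t;
	type init_t;
	type systemd_systemctl_exec_t;
	# Assumption: the attribute carried by every *_unit_file_t type on this
	# system. Check with: seinfo -a unit_file_type -x
	attribute unit_file_type;
')

# Let snmpd run /usr/bin/systemctl in its own domain (no transition), so the
# resulting accesses are charged to snmpd_t and stay within this module.
allow snmpd_t systemd_systemctl_exec_t:file { read execute open execute_no_trans };

# systemctl connects to PID 1 over its private stream socket and asks for
# system status before querying individual units.
allow snmpd_t init_t:unix_stream_socket connectto;
allow snmpd_t init_t:system status;

# One rule covers every unit type, present or future, instead of one
# rule per foo_unit_file_t.  Only 'status' is granted: start/stop/reload
# are deliberately left out for a monitoring agent.
allow snmpd_t unit_file_type:service status;

# systemctl enumerates interfaces through a routing netlink socket.
allow snmpd_t self:netlink_route_socket nlmsg_write;

# The post's last rule (allow snmpd_t usr_t:file unlink;) grants deletion of
# files under /usr, which a status query does not need.  It is left out here
# until the audit log shows which file is actually being unlinked and why.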