Application on CentOS 7 with SELinux enforcing mode


I’m trying to add Apache and OS updates on my Plesk server on CentOS 7.
On that host I have SELinux in enforcing mode.

I’m using SNMP instead of an agent on that host, and I’ve downloaded and enabled the snmpd scripts for Apache stats and OS updates respectively.

For Apache, everything works on localhost and if I do curl

But on the host, if I look at the denials in audit.log, I have this output:

m_r:snmpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1529679006.356:37050): avc:  denied  { open } for  pid=10149 comm="yum" path="/var/log/yum.log" dev="dm-0" ino=67455085 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:rpm_log_t:s0 tclass=file
type=AVC msg=audit(1529679006.540:37051): avc:  denied  { write } for  pid=10149 comm="yum" name="7" dev="dm-0" ino=134310996 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir
type=AVC msg=audit(1529679006.541:37052): avc:  denied  { write } for  pid=10149 comm="yum" name="PLESK_17_8_11-extras" dev="dm-0" ino=9821 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir

So I think that SELinux blocked the call from my LibreNMS server.

How can I allow that?


My output of validate.php

Component Version
LibreNMS 1.40-29-g5af520a
DB Schema 252
PHP 7.2.6
MySQL 5.5.56-MariaDB
RRDTool 1.4.8


[OK] Composer Version: 1.6.5
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct

Ok, I’ve solved it using this command:

sealert -a /var/log/audit/audit.log > file_manage_alert

and following what is written inside file_manage_alert.

Now I have another problem opening the apache-snmp cache file; I get this error:

NET-SNMP-EXTEND-MIB::nsExtendOutLine."apache".1 = STRING: Traceback (most recent call last):
NET-SNMP-EXTEND-MIB::nsExtendOutLine."apache".2 = STRING:   File \"/etc/snmp/\", line 40, in <module>
NET-SNMP-EXTEND-MIB::nsExtendOutLine."apache".3 = STRING:     f = open ( CACHEFILE+'.TMP.'+`os.getpid()`, 'w' )
NET-SNMP-EXTEND-MIB::nsExtendOutLine."apache".4 = STRING: IOError: [Errno 13] Permission denied: '/tmp/apache-snmp.TMP.15351'

I don’t have any apache-snmp file inside the /tmp folder on the host.

How can I create this?


Are you seeing an AVC violation in your logs for this? If not, I would lean more towards permissions than SELinux.

But - You may have to add the appropriate context to /tmp to allow snmp to write files to /tmp as this would be created and removed dynamically, or you have limited permissions on the /tmp directory which could also cause the issue. (or maybe something like the snmp_log context on /tmp/apache-snmp.*) -Disclaimer- I don’t actually use the apache-stats but it looks like a general permissions error to me. Normally on RHEL systems /tmp is 777 owned by root with a default selinux context of system_u:object_r:tmp_t:s0

Thanks for your answer, now it works!
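
Added example, not part of the original thread: a small Python parser for AVC denial records like the ones quoted in the first post. It groups them by source type, target type and class in allow-rule form, so the access being requested can be reviewed before a policy module is loaded, and it reports whether any denial targets `tmp_t`. The function names are hypothetical, and the sample input is the three complete records from the thread with the line wraps rejoined.

```python
import re
from collections import defaultdict

# Sample input: the three complete AVC records quoted in the thread,
# with the mid-word line wraps rejoined.
SAMPLE = '''\
type=AVC msg=audit(1529679006.356:37050): avc:  denied  { open } for  pid=10149 comm="yum" path="/var/log/yum.log" dev="dm-0" ino=67455085 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:rpm_log_t:s0 tclass=file
type=AVC msg=audit(1529679006.540:37051): avc:  denied  { write } for  pid=10149 comm="yum" name="7" dev="dm-0" ino=134310996 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir
type=AVC msg=audit(1529679006.541:37052): avc:  denied  { write } for  pid=10149 comm="yum" name="PLESK_17_8_11-extras" dev="dm-0" ino=9821 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per complete 'avc: denied' record found in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: skip it rather than guess
        fields["perms"] = m.group(1).split()
        # A context is user:role:type:level; the type is what policy matches.
        fields["stype"] = fields["scontext"].split(":")[2]
        fields["ttype"] = fields["tcontext"].split(":")[2]
        denials.append(fields)
    return denials


def summarize(denials):
    """Merge denials into allow-rule-shaped strings for human review."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in grouped.items())


def denials_on(denials, ttype):
    """Denials whose target type is ttype, e.g. 'tmp_t' for files in /tmp."""
    return [d for d in denials if d["ttype"] == ttype]


if __name__ == "__main__":
    found = parse_avc(SAMPLE)
    print("\n".join(summarize(found)))
    print("tmp_t denials:", len(denials_on(found, "tmp_t")))
```

On the records posted in the thread this reports no `tmp_t` denial, which is the case where file permissions on /tmp are the next thing to check.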