SELinux interfering with SNMP extensions on CentOS 7

snmp

#1

Installing a new instance of LibreNMS today on CentOS 7 with the SNMP extensions. I have turned on the dhcp and ntp-client extensions.

First I had to doctor the dhcp script to look in the CentOS location for the leases file.

By default, I was getting this output:

[[email protected] snmp]# snmpwalk -v 2c -c public sentry NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendCommand."dhcpstats" = STRING: /etc/snmp/dhcp-status.sh
NET-SNMP-EXTEND-MIB::nsExtendCommand."ntp-client" = STRING: /etc/snmp/ntp-client.sh
NET-SNMP-EXTEND-MIB::nsExtendArgs."dhcpstats" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendArgs."ntp-client" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."dhcpstats" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."ntp-client" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."dhcpstats" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."ntp-client" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."dhcpstats" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendExecType."ntp-client" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."dhcpstats" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."ntp-client" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."dhcpstats" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStorage."ntp-client" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."dhcpstats" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendStatus."ntp-client" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."dhcpstats" = STRING: /usr/bin/cat: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."ntp-client" = STRING: /etc/snmp/ntp-client.sh: line 20: cannot create temp file for here-document: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."dhcpstats" = STRING: /usr/bin/cat: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
/usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
0
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."ntp-client" = STRING: /etc/snmp/ntp-client.sh: line 20: cannot create temp file for here-document: Permission denied





NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."dhcpstats" = INTEGER: 18
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."ntp-client" = INTEGER: 6
NET-SNMP-EXTEND-MIB::nsExtendResult."dhcpstats" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendResult."ntp-client" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".1 = STRING: /usr/bin/cat: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".2 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".3 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".4 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".5 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".6 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".7 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".8 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".9 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".10 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".11 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".12 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".13 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".14 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".15 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".16 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".17 = STRING: /usr/bin/grep: /var/lib/dhcpd/dhcpd.leases: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."dhcpstats".18 = STRING: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."ntp-client".1 = STRING: /etc/snmp/ntp-client.sh: line 20: cannot create temp file for here-document: Permission denied
NET-SNMP-EXTEND-MIB::nsExtendOutLine."ntp-client".2 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."ntp-client".3 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."ntp-client".4 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."ntp-client".5 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."ntp-client".6 = STRING:

After messing with permissions and trying to move things around, I twigged on SELinux, and after I issued

setenforce 0

…everything works properly.

So the question is – what is the correct course of action here? Is there a bug I should open somewhere? While I usually run computers without SELinux, I figure I should probably know how to live with it.


#2

If SELinux is blocking, you’ll need to look at the audit log. I ran into this myself and what I ended up having to do was grep through audit.log for deny statements and create a SELinux module to allow the action to be performed. I had to repeat the process over and over until all permissions were granted:

sudo grep snmp /var/log/audit/audit.log | grep denied | audit2allow -M modulename

This will create two files: modulename.te and modulename.pp. The .pp file is the actual policy that can be imported, and the .te file is a template file that is human readable and can be modified to create a new policy.

View modulename.te to see what it’s adding, then import the module. My basic process was to grep the audit log and pipe out to audit2allow, then cat the .te file and count the lines to see that it was increasing. Import the module, then do your snmpwalk again. Keep repeating the process until you see no more denies in the .te file:

sudo grep snmp /var/log/audit/audit.log | grep denied | audit2allow -M modulename
cat modulename.te ; cat modulename.te | wc -l
sudo semodule -i modulename.pp
snmpwalk -v 2c -c public sentry NET-SNMP-EXTEND-MIB::nsExtendObjects

Lather, rinse, repeat. Once you’ve got that nailed down, if necessary you can take the modulename.pp file to other systems and import it there as well.
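Before loading a module built this way it pays to know exactly which denials it will turn into allow rules, since audit2allow grants precisely what was logged. As an added example (not from either poster, and not part of LibreNMS or Net-SNMP), here is a small shell helper that reads audit.log lines and prints the distinct denials for one source domain (snmpd_t by default) as permission, object class, source type, target type and the command that triggered it. The AVC lines embedded in it are constructed to match the two failures in the snmpwalk output above; the target types dhcpd_state_t and tmp_t are assumed labels for the leases file and /tmp, and the unrelated httpd_t line is there only to show that other domains are filtered out.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for one source domain before turning them into
# policy. Reads audit.log lines on stdin and prints one line per distinct
#   <permission> <tclass> <source type> -> <target type> (<comm>)
# which is what audit2allow would convert into allow rules.
summarize_avc() {
    domain="${1:-snmpd_t}"
    awk -v dom="$domain" '
        /avc: +denied/ {
            # the permission set sits between "{ " and " }"
            if (!match($0, /[{] [^}]* [}]/)) next
            perms = substr($0, RSTART + 2, RLENGTH - 4)
            scon = ""; tcon = ""; tclass = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext")      scon = kv[2]
                else if (kv[1] == "tcontext") tcon = kv[2]
                else if (kv[1] == "tclass")   tclass = kv[2]
                else if (kv[1] == "comm")   { comm = kv[2]; gsub(/"/, "", comm) }
            }
            # a context is user:role:type:level; keep only the type field
            split(scon, s, ":"); split(tcon, t, ":")
            if (s[3] != dom) next
            np = split(perms, p, " ")
            for (j = 1; j <= np; j++)
                print p[j], tclass, s[3], "->", t[3], "(" comm ")"
        }' | sort -u
}

# Constructed audit.log excerpt (not real log data): the leases-file and
# here-document failures seen above, a duplicate to show de-duplication, and an
# unrelated httpd denial that must not appear in the summary.
sample_avc_lines() {
    printf '%s\n' \
      'type=AVC msg=audit(1510000000.101:201): avc:  denied  { read } for  pid=2101 comm="cat" name="dhcpd.leases" dev="dm-0" ino=67001 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file permissive=0' \
      'type=AVC msg=audit(1510000000.102:202): avc:  denied  { read } for  pid=2102 comm="grep" name="dhcpd.leases" dev="dm-0" ino=67001 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file permissive=0' \
      'type=AVC msg=audit(1510000000.103:203): avc:  denied  { read } for  pid=2103 comm="grep" name="dhcpd.leases" dev="dm-0" ino=67001 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file permissive=0' \
      'type=AVC msg=audit(1510000000.104:204): avc:  denied  { write add_name } for  pid=2104 comm="ntp-client.sh" name="tmp" dev="dm-0" ino=131 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0' \
      'type=AVC msg=audit(1510000000.105:205): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'
}

# Stand-alone run: summarise the constructed excerpt for snmpd_t.
sample_avc_lines | summarize_avc snmpd_t
```

On a real host you would feed it `grep snmp /var/log/audit/audit.log | summarize_avc snmpd_t` and compare the result with the rules in modulename.te: if a target type shows up that has nothing to do with the leases file or the script's temp files, that is a sign the module is about to grant more than the extension scripts actually need.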