It seems to be working now.
TL;DR: try disabling SELinux.
setenforce 0
The long answer.
I tried to get the PHP running under the librenms user.
vi /etc/snmp/snmptrapd.conf
# edit traphandle line
# traphandle default su - librenms -c /opt/librenms/snmptrap.php
:wq
systemctl restart snmptrapd.service
I checked /var/log/messages. It was blowing up with errors, like:
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Temporarily disabled SELinux:
setenforce 0
The snmptrapd service was working, but new errors were appearing in /var/log/messages:
systemd[1]: [email protected]: Start request repeated too quickly.
Tried to fix SELinux:
audit2allow -a
#============= snmpd_t ==============
allow snmpd_t faillog_t:file { open read };
allow snmpd_t httpd_sys_rw_content_t:file { append getattr open read };
allow snmpd_t lastlog_t:file { open read write };
#!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow snmpd_t mysqld_t:unix_stream_socket connectto;
allow snmpd_t mysqld_var_run_t:sock_file write;
allow snmpd_t security_t:security compute_av;
allow snmpd_t self:capability { audit_write dac_override };
allow snmpd_t self:netlink_audit_socket { create nlmsg_relay };
allow snmpd_t self:netlink_selinux_socket { bind create };
allow snmpd_t self:passwd rootok;
allow snmpd_t systemd_logind_t:dbus send_msg;
#============= systemd_logind_t ==============
allow systemd_logind_t snmpd_t:dbus send_msg;
# audit2allow -a -M snmpd_t
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i snmpd_t.pp
semodule -i snmpd_t.pp
setenforce 1
Running tail -f /var/log/messages:
snmptrapd[3541543]: su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Traps are working by this point, but /var/log/messages is a mess. The SELinux commands didn’t seem to help before. Leaving it disabled still gave us other weird messages, like the issue with starting up too fast.
I rolled back some of the changes to simplify things and see if it would still work.
Edited /etc/snmp/snmptrapd.conf to use the original traphandle instead of calling it through su - librenms.
No funky errors coming up in /var/log/messages. Better than I would have expected.
Then I re-enabled SELinux with setenforce 1. Still no error messages, for a while. Soon, ./daily.sh was complaining that the PHP version was too low. Updates only made things worse. PHP was unable to load dynamic libraries. I gave up for the day.
Today, everything is working. No funky messages in logs, SNMP traps are coming in, ./daily.sh works, validation looks good. The main thing different right now is SELinux is still set with setenforce 0.
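An added example, not part of the original post: the audit2allow -a run above was made while the trap handler was wrapped in su - librenms, so its output mixes what the handler needs with what su and PAM touch. This Python script splits the post's allow rules on that basis and renders a narrower module for review; the SU_PAM classification and the module name local_snmptrap are assumptions, not from the post.

```python
import re

# Allow rules copied from the audit2allow -a output quoted in the post.
RULES = """\
allow snmpd_t faillog_t:file { open read };
allow snmpd_t httpd_sys_rw_content_t:file { append getattr open read };
allow snmpd_t lastlog_t:file { open read write };
allow snmpd_t mysqld_t:unix_stream_socket connectto;
allow snmpd_t mysqld_var_run_t:sock_file write;
allow snmpd_t security_t:security compute_av;
allow snmpd_t self:capability { audit_write dac_override };
allow snmpd_t self:netlink_audit_socket { create nlmsg_relay };
allow snmpd_t self:netlink_selinux_socket { bind create };
allow snmpd_t self:passwd rootok;
allow snmpd_t systemd_logind_t:dbus send_msg;
allow systemd_logind_t snmpd_t:dbus send_msg;
"""
# Assumption (not stated in the post): target/class pairs exercised by su and
# PAM session setup rather than by the trap handler itself.
SU_PAM = {("faillog_t", "file"), ("lastlog_t", "file"), ("security_t", "security"),
          ("self", "capability"), ("self", "netlink_audit_socket"),
          ("self", "netlink_selinux_socket"), ("self", "passwd"),
          ("systemd_logind_t", "dbus"), ("snmpd_t", "dbus")}
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+));")

def split_rules(text):
    """Parse allow rules; return (handler_rules, su_pam_rules)."""
    keep, drop = [], []
    for src, tgt, cls, many, one in RULE_RE.findall(text):
        rule = (src, tgt, cls, (many or one).split())
        (drop if (tgt, cls) in SU_PAM else keep).append(rule)
    return keep, drop

def render_te(rules, name="local_snmptrap"):  # module name is hypothetical
    """Render type-enforcement source containing only the given rules."""
    types, classes = set(), {}
    for src, tgt, cls, perms in rules:
        types.update(t for t in (src, tgt) if t != "self")
        classes.setdefault(cls, set()).update(perms)
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};" for c in sorted(classes)]
    body = [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p in rules]
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "", *body]) + "\n"

if __name__ == "__main__":
    keep, drop = split_rules(RULES)
    print(render_te(keep))
    print(f"# left out for review: {len(drop)} rules tied to su/PAM")
```

The rendered text is type-enforcement source that can be built with checkmodule and semodule_package and loaded with semodule -i, as an alternative to leaving the host at setenforce 0.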