3ware SNMP plugin does not work with selinux

Question

Anyone have experience using 3ware's SNMP library under SELINUX? I get the following error:

snmpget -v 2c -c pub hostname TW-RAID-MIB::twRaidUnitStatus.1
Error in packet
Reason: noCreation (That table does not support row creation or that object can not ever be created)
Failed object: TW-RAID-MIB::twRaidUnitStatus.1

If disable selinux and restart snmpd, the snmpget works fine.

I've taken the following steps, none of which fixes the problem:

yum update net-snmp
yum update selinux-policy
/sbin/restorecon -R -v /etc/snmp /var/net-snmp /usr/share/snmp /dev/twa*

What's in `/var/log/audit/audit.log`? – Mark Wagner Apr 04 '11 at 23:20 — Mark Wagner, Apr 04 '11 at 23:20

score 0 · Answer 1 · answered Apr 07 '11 at 02:50

The following policy allows net-snmp + 3ware snmp to work with selinux. Not an ideal solution as it allows snmpd access to all files of type device_t and var_t. It really just needs access to /dev/twa*, /var/net-snmp, /usr/share/snmp and some misc. libraries and config files. If anyone can make a better policy I'd like to see it.

policy_module(snmp, 1.0)

require {
  type snmpd_exec_t;
  type snmpd_t;
  type device_t;
  type var_t;
}

allow snmpd_t device_t : file rw_file_perms;
allow snmpd_t device_t : chr_file rw_file_perms;
allow snmpd_t device_t : dir rw_dir_perms;
allow snmpd_t var_t : file rw_file_perms;
allow snmpd_t var_t : file create_file_perms;
allow snmpd_t var_t : dir rw_dir_perms;
allow snmpd_t var_t : lnk_file { getattr read write create };

3ware SNMP plugin does not work with selinux

1 Answers1