SNMP (net-snmp) port configuration

Question

I'm setting up net-snmp on CentOS and I'm getting an issue setting up non-default port. Basically, if I set it up as 161 or port 32768 or greater, it works fine, but it doesn't work for anything between 10000 and 32767.

Any ideas what might be causing this? It's particular to one server only, and it's working fine on other similarly configured servers.

Here are the logs in /var/log/messages:

May  3 11:15:27 oninfra01 snmpd[27709]: Error opening specified endpoint "5161"
May  3 11:15:27 oninfra01 kernel: type=1400 audit(1336058127.584:57070): avc:  denied  { name_bind } for  pid=27709 comm="snmpd" src=5161 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
May  3 11:15:27 oninfra01 kernel: type=1400 audit(1336058127.584:57071): avc:  denied  { name_bind } for  pid=27709 comm="snmpd" src=5161 scontext=unconfined_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
May  3 11:15:27 oninfra01 snmpd[27709]: Server Exiting with code 1

You say it doesn't work. What happens? Anything in the logs or something? — Oliver, May 03 '12 at 15:01
when I do 'sudo service snmpd restart', it just doesn't start. I see a start FAILED message. — ashvagan, May 03 '12 at 15:08
I don't see any logs in /var/log for snmpd. Is there any other place I can find logs? — ashvagan, May 03 '12 at 15:10
Check /var/log/messages. You can also do lsof -i to see if anything else is using the port you're trying to use. — Matthew, May 03 '12 at 15:17
On running the command 'lsof -i 5155', I get lsof: unknown protocol name (5155) in: -i 5155 — ashvagan, May 03 '12 at 15:20

score 1 · Accepted Answer · answered May 03 '12 at 15:20

1

SELINUX strikes again.

Add a rule allowing it or disable selinux.

#getenforce

#setenforce permissive

This might work as far as creating a new rule for selinux, but better to disable it if you don't understand it, it will bite again.

# grep snmp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

answered May 03 '12 at 15:20

foocorpluser

448
3
7

[admin snmp]$ getenforce Enforcing [admin snmp]$ setenforce permissive setenforce: setenforce() failed – ashvagan May 03 '12 at 15:21
I don't think selinux is enabled on the server. – ashvagan May 03 '12 at 15:22
getenforce Enforcing <- yeah its enabled. – foocorpluser May 03 '12 at 15:22
Great. WHERES MY UPBOAT? I'm not doing this out of the goodness of my heart you know. – foocorpluser May 03 '12 at 15:26
UPBOAT? If by that, you mean Vote Up, I don't have that Karma=15 thing to vote you up :) – ashvagan May 03 '12 at 15:52
Ah, its cool, Im just joking around. I DONT CARE AT ALL. REALLY. – foocorpluser May 03 '12 at 16:22

score 1 · Answer 2 · answered May 04 '12 at 07:26

1

One way to allow more ports for snmp in SELinux is

semanage port -a -t snmp_port_t -p tcp 10000-32767
semanage port -a -t snmp_port_t -p udp 10000-32767

(commands might take a while to run, that's normal because SELinux compiles its rulesets)

Check if it went OK:

semanage port -l | grep snmp

answered May 04 '12 at 07:26

Janne Pikkarainen

31,852
4
58
81

bash: semanage: command not found. Awesome! – ashvagan May 04 '12 at 18:41
yum -y install policycoreutils-python did the trick! – ashvagan May 04 '12 at 19:28

SNMP (net-snmp) port configuration

2 Answers2