
In snmpd.conf I have

exec drbd_cstate /sbin/drbdadm cstate all
exec drbd_role   /sbin/drbdadm role all
exec drbd_state  /sbin/drbdadm dstate all

With SELinux set to permissive, if I ran the snmpwalk command (/usr/bin/snmpwalk -v 2c -c PUBLIC 192.168.1.10 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate"'.1) I got this in the log:

type=AVC msg=audit(1619795855.717:214829): avc: denied { read } for pid=30859 comm="drbdadm" name="node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc: denied { open } for pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1619795855.717:214829): arch=c000003e syscall=2 success=yes exit=4 a0=42eee0 a1=0 a2=1 a3=7fff53710560 items=0 ppid=27329 pid=30859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm" exe="/usr/sbin/drbdadm" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.717:214829): proctitle=2F7362696E2F6472626461646D0063737461746500616C6C
type=AVC msg=audit(1619795855.719:214830): avc: denied { create } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.719:214830): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=2 a2=10 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.719:214830): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214831): avc: denied { setopt } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214831): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=7 a3=7ffe12bd3a3c items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214831): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214832): avc: denied { bind } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214832): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=21dd030 a2=c a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214832): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214833): avc: denied { getattr } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214833): arch=c000003e syscall=51 success=yes exit=0 a0=4 a1=21dd030 a2=7ffe12bd3a38 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214833): proctitle=2F7362696E2F647262647365747570006373746174650072300031

When doing the snmpwalk the error I got back was:

NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: Creation of /var/lib/drbd/node_id failed: Permission denied

I used audit2allow to help create a policy for selinux so that it would allow me to run this command. The policy that it gave me was

module drbd_cstate 1.0;

require {
        type drbd_var_lib_t;
        type snmpd_t;
        class netlink_socket { bind create getattr setopt };
        class file { open read };
}

#============= snmpd_t ==============
allow snmpd_t drbd_var_lib_t:file { open read };
allow snmpd_t self:netlink_socket { bind create getattr setopt };

Once I added my newly created module and I ran snmpwalk I got back

NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: <1>failed to send netlink message 

Doing a tail -f /var/log/audit/audit.log does not come back with anything. If I run a tcpdump at the time I am doing the snmpwalk, I see this going over the network: "Could not connect to 'drbd' generic netlink family" in one packet and then "<1>failed to send netlink message". If I then do setenforce permissive everything magically works again. What am I doing wrong?

  • It's possible you're not seeing some of the AVCs because they are not logged. Try to run semanage dontaudit off and then redo audit2allow (you'll need to remove a bunch of bogus entries, though). Commented May 7, 2021 at 12:55
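The comment above suggests switching dontaudit rules off and rerunning audit2allow. The following is an added example, not code from the question, the comment or the answer: a small awk-based stand-in for what audit2allow does with `ausearch -m AVC` output, so you can see how raw AVC records become `allow` rules plus the `require` block that checkmodule needs, and review them before installing anything. The input is constructed inline: the question's own AVC and PROCTITLE records (trimmed), plus two constructed netlink_socket `write`/`read` denials (their audit ids are invented) standing in for what `semanage dontaudit off` might surface. The module name `drbd_cstate` comes from the question; the helper names `avc_to_te` and `sample_module` are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original post): a small awk-based
# stand-in for audit2allow. It groups denied permissions by source type,
# target type and object class, writes "self" when source and target
# types match, and emits the require block checkmodule needs.

# avc_to_te MODULE_NAME < audit.log
avc_to_te() {
    awk -v mod="${1:-local}" '
    # insertion-sort a small array in place and join it with spaces
    function sortjoin(arr, n,    i, j, tmp, out) {
        for (i = 2; i <= n; i++) {
            tmp = arr[i]; j = i - 1
            while (j > 0 && arr[j] > tmp) { arr[j + 1] = arr[j]; j-- }
            arr[j + 1] = tmp
        }
        out = arr[1]
        for (i = 2; i <= n; i++) out = out " " arr[i]
        return out
    }
    # record a permission once per bucket (a rule key or a class)
    function addperm(bucket, perm) {
        if (!((bucket, perm) in seen)) {
            seen[bucket, perm] = 1
            perms[bucket] = perms[bucket] " " perm
        }
    }
    /^type=AVC / && /avc: +denied/ {
        # permissions sit between the braces: avc:  denied  { read open }
        plist = $0
        sub(/.*denied +[{] */, "", plist)
        sub(/ *[}].*/, "", plist)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/) src = substr($i, 10)
            else if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        # user:role:type[:range] -> keep only the type component
        split(src, s, ":"); split(tgt, t, ":")
        stype = s[3]; ttype = t[3]
        if (!(stype in types)) { types[stype] = 1; tlist[++nt] = stype }
        if (!(ttype in types)) { types[ttype] = 1; tlist[++nt] = ttype }
        if (!(cls in classes)) { classes[cls] = 1; clist[++nc] = cls }
        if (ttype == stype) ttype = "self"
        key = stype SUBSEP ttype SUBSEP cls
        if (!(key in rules)) { rules[key] = 1; rlist[++nr] = key }
        n = split(plist, p, " ")
        for (j = 1; j <= n; j++) { addperm(key, p[j]); addperm("class:" cls, p[j]) }
    }
    END {
        print "module " mod " 1.0;\n\nrequire {"
        for (i = 1; i <= nt; i++) print "\ttype " tlist[i] ";"
        for (i = 1; i <= nc; i++) {
            n = split(perms["class:" clist[i]], p, " ")
            print "\tclass " clist[i] " { " sortjoin(p, n) " };"
        }
        print "}\n"
        for (i = 1; i <= nr; i++) {
            split(rlist[i], k, SUBSEP)
            n = split(perms[rlist[i]], p, " ")
            print "allow " k[1] " " k[2] ":" k[3] " { " sortjoin(p, n) " };"
        }
    }'
}

# Constructed sample input: the AVC records from the question (trimmed),
# one PROCTITLE record to show non-AVC lines are skipped, and two
# CONSTRUCTED netlink read/write denials (invented audit ids) standing in
# for what `semanage dontaudit off` might reveal.
sample_module() {
    avc_to_te drbd_cstate <<'EOF'
type=AVC msg=audit(1619795855.717:214829): avc:  denied  { read } for  pid=30859 comm="drbdadm" name="node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc:  denied  { open } for  pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(1619795855.717:214829): proctitle=2F7362696E2F6472626461646D0063737461746500616C6C
type=AVC msg=audit(1619795855.719:214830): avc:  denied  { create } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.720:214831): avc:  denied  { setopt } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.720:214832): avc:  denied  { bind } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.720:214833): avc:  denied  { getattr } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.721:214834): avc:  denied  { write } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=0
type=AVC msg=audit(1619795855.721:214835): avc:  denied  { read } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=0
EOF
}

sample_module
```

On a real host the equivalent pipeline is `semanage dontaudit off`, reproduce the snmpwalk, `ausearch -m AVC -ts recent | audit2allow -M drbd_cstate`, read the generated `drbd_cstate.te`, then `semodule -i drbd_cstate.pp` and `semanage dontaudit on`. Review before installing: audit2allow emits a rule for every denial it sees, including ones that belong to an unrelated process running in the same domain, and file `write` on drbd_var_lib_t hands snmpd_t more than the read access the original error message asked for.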

1 Answer


I solved this with the following module:

module drbd_cstate 1.0;

require {
        type drbd_var_lib_t;
        type snmpd_t;
        class netlink_socket { create setopt bind getattr write read };
        class file { open read write };
}

#============= snmpd_t ==============
allow snmpd_t drbd_var_lib_t:file { open read write };
# netlink_socket has no "open" permission (the posted rule listed one, which
# checkmodule rejects); the pair the require block declares is read/write
allow snmpd_t self:netlink_socket { bind create getattr setopt write read };

Thanks mricon for the semanage dontaudit off trick.

  • Remember to accept the answer in case you solved the problem. Else we will have this question open till the end of serverfault.com. Commented Nov 7, 2021 at 10:07
