I actually just got this to work... once. Then I removed it with semodule to test another SNMP issue. When I added the .pp back in and restarted snmpd just like last time, I still get the permission denied error from the script when run via snmpd. This confuses me. It was working and now the exact same .pp does not work. I even rebooted after reloading it but it still is causing snmpd to give me a permission denied.
How I got it to work was to clear out audit.log, run an snmpwalk to cause the entries to be written to audit.log, then copy this new "snmpd errors only" audit.log to my working dir. With this file I did the same steps as in my first post to create a te, mod, and pp, but instead of doing a grep and pipe to audit2allow, I simply did 'cat audit.log | audit2allow' (using the audit.log that only had all the snmpd errors). This was to ensure that everything that was in audit.log after it blocked snmpd would be given to audit2allow.
The te looks like such now:
Code:
module allowsnmpdwritetmp 1.0;
require {
type snmpd_t;
type tmp_t;
class file write;
class dir write;
}
#============= snmpd_t ==============
allow snmpd_t tmp_t:dir write;
allow snmpd_t tmp_t:file write;
Remember, this *exact* te worked... once. Now if I go ahead and load the pp that was made from this te I get the permission denied message and the following entries are in the main audit.log:
Code:
type=AVC msg=audit(1281602719.337:473): avc: denied { add_name } for pid=6569 comm="test2.sh" name="foo" scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1281602719.337:473): arch=40000003 syscall=5 success=no exit=-13 a0=9aafa98 a1=8241 a2=1b6 a3=8241 items=0 ppid=2491 pid=6569 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="test2.sh" exe="/bin/bash" subj=root:system_r:snmpd_t:s0 key=(null)
So, why would this work once but no longer? Is there anything you see in the new audit.log that is not in the te?
After loading the pp which worked once, I again cleared audit.log, ran an snmpwalk, took the entries that were in this new audit.log, appended them to my earlier audit.log, created a new te, mod, and pp, loaded it, and restarted snmpd, yet it still gives a permission denied and the same errors as shown above are in audit.log.
The script is owned by root (user and group), snmpd runs as root, no mount flags (fstab has 'defaults'), there shouldn't be any special access rights to the script which snmpd runs, although in the future perms will be 750. Again, this is my first time working with SELinux so I'm sure I am doing something wrong, I just don't know what.
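A quick way to answer the question "is there anything in the new audit.log that is not in the te?" is to extract the (source type, target type, class, permission) tuples from each AVC denial and check them against the allow rules in the .te. The script below is an added example, not the poster's code or part of audit2allow; it uses the .te rules and the AVC line quoted above as constructed inputs and only understands the simple "allow src tgt:class perm;" rule form.

```sh
#!/bin/sh
# Constructed inputs: the allow rules from the .te above and the AVC denial quoted above.
TE_RULES='allow snmpd_t tmp_t:dir write;
allow snmpd_t tmp_t:file write;'
AVC_LOG='type=AVC msg=audit(1281602719.337:473): avc: denied { add_name } for pid=6569 comm="test2.sh" name="foo" scontext=root:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# Print one "src_type tgt_type class perm" tuple per denied permission in the log text $1.
avc_perms() {
  printf '%s\n' "$1" | grep 'avc: *denied' | while IFS= read -r line; do
    perms=$(printf '%s' "$line" | sed 's/.*denied *{ *\([^}]*\)}.*/\1/')
    src=$(printf '%s' "$line" | sed 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/')
    tgt=$(printf '%s' "$line" | sed 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/')
    cls=$(printf '%s' "$line" | sed 's/.*tclass=\([a-z_]*\).*/\1/')
    for p in $perms; do printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$p"; done
  done
}

# Print the same tuples for each "allow src tgt:class perm;" or "allow src tgt:class { p1 p2 };" rule in $1.
te_perms() {
  printf '%s\n' "$1" | grep '^allow ' | sed 's/;$//' | while read -r kw src tgtcls perms; do
    tgt=${tgtcls%%:*}
    cls=${tgtcls#*:}
    perms=$(printf '%s' "$perms" | tr -d '{}')
    for p in $perms; do printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$p"; done
  done
}

# Print every denied tuple from log $1 that has no matching allow rule in .te text $2.
missing_perms() {
  allowed=$(te_perms "$2" | sort -u)
  avc_perms "$1" | sort -u | while IFS= read -r t; do
    printf '%s\n' "$allowed" | grep -qxF "$t" || printf '%s\n' "$t"
  done
}

missing_perms "$AVC_LOG" "$TE_RULES"
```

For the inputs above this prints `snmpd_t tmp_t dir add_name`: the denial is for `add_name` on the directory, which the .te does not grant. Re-running it after each audit2allow round shows whether the newly generated rules actually cover the denials still being logged.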