SELinux - audit2allow woes

Support for security such as Firewalls and securing linux
piggy_op
Posts: 10
Joined: 2017/01/30 21:21:32

SELinux - audit2allow woes

Post by piggy_op » 2017/06/06 13:52:49

Hi:

Setting up a CentOS 7 machine to allow SNMP SMART monitoring from a Nagios box. I would like to leave SELinux enabled if possible. The error I'm seeing from the Nagios side is:

    UCD-SNMP-MIB::extOutput.1 = STRING: sudo: unable to send audit message: Permission denied

audit2allow -w -a shows errors of this type:

    type=AVC msg=audit(1496756656.702:12003): avc:  denied  { audit_write } for  pid=22703 comm="sudo" capability=29  scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=capability
            Was caused by:
                    Missing type enforcement (TE) allow rule.

                    You can use audit2allow to generate a loadable module to allow this access.

So, I run

    audit2allow -a -M snmpsudo

and then

    semodule -i snmpsudo.pp

but still I am unable to get a response. I have run through several iterations of the audit2allow/semodule commands, thinking that perhaps I was hitting new errors, but that doesn't seem to have helped.

If I run

    setenforce 0

it works perfectly. Any advice would be appreciated.

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux - audit2allow woes

Post by TrevorH » 2017/06/06 15:02:32

Do this:

service auditd rotate
(now get shot of all the old audit logs by moving them elsewhere or deleting them)
setenforce 0
recreate the problem
grep -i avc /var/log/audit/audit.log | audit2allow -M snmpsudo

What exactly are you doing anyway? Have you written an snmp extension that is calling sudo?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

piggy_op
Posts: 10
Joined: 2017/01/30 21:21:32

Re: SELinux - audit2allow woes

Post by piggy_op » 2017/06/06 15:13:13

Thanks for the reply! I have gone through the steps you outlined (I did setenforce 1 as well, since with setenforce 0 audit2allow returned "Nothing to do"). Still no joy.

What I am doing is running a script with an SNMP extension which calls sudo to run smartctl to check the SMART status of drives behind a MegaRAID card. It lets Nagios alert me if the SMART status degrades. When I've done this previously I have just taken the easy way out and disabled SELinux, but this time I would like to see if I can get it working with SELinux enabled.

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux - audit2allow woes

Post by TrevorH » 2017/06/06 15:24:13

But it does work in permissive mode (setenforce 0)? If so then it is an SELinux problem, so that probably means you're hitting something that is dontaudit'ed, so run semodule -DB to disable the dontaudit rules, use setenforce 0 to go permissive, then recreate and check again. If it doesn't work in permissive then perhaps you're hitting the usual sudo "notty" type error instead?

piggy_op
Posts: 10
Joined: 2017/01/30 21:21:32

Re: SELinux - audit2allow woes

Post by piggy_op » 2017/06/06 15:53:01

Here's what I just did:

- SELinux enforcing
- log rotate, remove old log
- semodule -DB
- On Nagios machine, run the SNMP command, get the error "sudo: unable to send audit message: Permission denied"
- run grep -i avc /var/log/audit/audit.log | audit2allow -M snmpsudo6 (6 because I have run it a number of times before, incrementing)
- run semodule -i snmpsudo6.pp
- On Nagios machine, run the SNMP command again and... it works!

Thanks so much for your help, I had tried most of these in various permutations but your instructions helped me get it all in the right sequence. You're a star!

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux - audit2allow woes

Post by TrevorH » 2017/06/06 15:56:05

semodule -B to re-enable the dontaudit rules BTW.

piggy_op
Posts: 10
Joined: 2017/01/30 21:21:32

Re: SELinux - audit2allow woes

Post by piggy_op » 2017/06/06 16:09:59

I did that but I appreciate the reminder!
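
As an added example (not part of the thread, and not audit2allow's own code), this shell function turns AVC denial lines into candidate allow rules so they can be read before running audit2allow -M and semodule -i, which is useful once semodule -DB has made the normally hidden denials visible. The first sample line is the denial quoted in the first post; the second line and its type example_t are constructed.

```shell
#!/bin/sh
# Added example: list AVC denials as candidate allow rules for review.
# Typical use on the monitored host (command form taken from the thread):
#   grep -i avc /var/log/audit/audit.log | avc_rules

# avc_rules: read audit log lines on stdin and print one rule per unique
# (source type, target type, class, permission set).
avc_rules() {
    awk '
    # The type is the third field of user:role:type:level.
    function ctx_type(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # Permissions sit between the braces.
        o = index($0, "{"); c = index($0, "}")
        if (o && c > o) perms = substr($0, o + 1, c - o - 1)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (perms == "" || src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"          # same domain on both sides
        if (perms ~ / /) perms = "{ " perms " }"
        print "allow " src " " tgt ":" cls " " perms ";"
    }' | sort -u
}

# Sample input: line 1 is the denial quoted in the first post, line 2 is
# constructed (example_t is a made-up type), line 3 is a non-AVC record.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1496756656.702:12003): avc:  denied  { audit_write } for  pid=22703 comm="sudo" capability=29  scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=capability
type=AVC msg=audit(1496760000.101:12100): avc:  denied  { read write } for  pid=22800 comm="sudo" name="example" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
type=SYSCALL msg=audit(1496760000.101:12100): arch=c000003e syscall=2 success=no
EOF
}

sample_log | avc_rules
```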
