If snmp is stopped but subsys is locked, there are three possible causes
1. The net-snmp package versions must match
rpm -qa | grep snmp
net-snmp-utils-5.3.1-19.el5_1.4
net-snmp-libs-5.3.1-19.el5_1.4
net-snmp-5.3.1-19.el5_1.4
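On CentOS 5.1, startup reported "snmpd dead but pid file exists". The cause turned out to be that net-snmp and net-snmp-libs were at different versions; upgrading net-snmp-libs fixed the problem.
2. CentOS security-setting messages: related clues can be found with tail -f /var/log/messages, and the fix is as follows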
more /var/log/messages
setroubleshoot: SELinux is preventing /usr/sbin/snmpd (snmpd_t) "create"
access to <Unknown> (snmpd_t). For complete SELinux messages. run
sealert -l 2b6db142-43ab-4e78-8f35-1fa571261694
Running sealert -l 2b6db142-43ab-4e78-8f35-1fa571261694 gives the following message
Summary
SELinux is preventing /usr/sbin/snmpd (snmpd_t) "create" access to <Unknown>
(snmpd_t).
Detailed Description
SELinux denied access requested by /usr/sbin/snmpd. It is not expected that
this access is required by /usr/sbin/snmpd and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown>. There is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
disable SELinux protection entirely for the application. Disabling SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Changing the "snmpd_disable_trans" boolean to true will disable SELinux
protection this application: "setsebool -P snmpd_disable_trans=1."
The following command will allow this access:
setsebool -P snmpd_disable_trans=1
Additional Information
Source Context user_u:system_r:snmpd_t
Target Context user_u:system_r:snmpd_t
Target Objects None [ netlink_route_socket ]
Affected RPM Packages net-snmp-5.3.1-19.el5_1.4 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.disable_trans
Host Name bscldap.cht.com.tw
Platform Linux bscldap.cht.com.tw 2.6.18-8.1.15.el5 #1 SMP
Mon Oct 22 08:32:04 EDT 2007 i686 i686
Alert Count 58
Line Numbers
Raw Audit Messages
avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27302
scontext=user_u:system_r:snmpd_t:s0 sgid=0 subj=user_u:system_r:snmpd_t:s0
suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0
tty=(none) uid=0
Based on the information above, the simplest and quickest fix is as follows
# Remove the subsys lock
rm /var/lock/subsys/snmpd
# Disable the snmpd security setting (SELinux protection)
setsebool -P snmpd_disable_trans=1
# Start the snmpd service
service snmpd start
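The sealert output above names a local policy module as the alternative to switching off SELinux protection for snmpd. As an added example (not from the original post), this shell function derives the single allow rule such a module would carry from the raw audit message; the function name avc_to_allow is hypothetical and the sample line is the page's audit message joined onto one line.

```shell
#!/bin/sh
# Added example: turn SELinux AVC denials into the type-enforcement rules
# they correspond to. avc_to_allow is a hypothetical helper name.

# Sample input: the raw audit message shown above, joined onto one line
# (constructed from the page's wrapped text).
SAMPLE_AVC='avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27302 scontext=user_u:system_r:snmpd_t:s0 sgid=0 subj=user_u:system_r:snmpd_t:s0 suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0 tty=(none) uid=0'

avc_to_allow() {
    # Reads audit lines on stdin, prints one "allow" rule per distinct denial.
    awk '
    /avc:[ ]+denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # Denied permissions sit between braces: { create } or { read write }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            # A context is user:role:type[:level]; the rule needs the type.
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        # Skip truncated or malformed records instead of guessing.
        if (perms == "" || src == "" || tgt == "" || cls == "") next
        # A domain acting on its own object (here, its own socket) is "self".
        if (tgt == src) tgt = "self"
        if (perms ~ / /) perms = "{ " perms " }"
        rule = "allow " src " " tgt ":" cls " " perms ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}
```

Piping the sample through avc_to_allow shows that the denial amounts to snmpd creating its own netlink route socket, which is far narrower than what snmpd_disable_trans=1 gives up. On the host itself, audit2allow -M with a module name of your choice, followed by semodule -i on the resulting .pp file, builds and loads such a module from the logged denials.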
3. Disable IPv6 support
vi /etc/modprobe.conf
=============
alias net-pf-10 off
alias ipv6 off
============
vi /etc/sysconfig/network
=============
NETWORKING_IPV6=no
=============
vi /etc/sysconfig/network-scripts/ifcfg-eth0
add
=============
IPV6INIT=no
=============
Finally, reinstall the SNMP packages
yum install net-snmp net-snmp-devel net-snmp-utils net-snmp-libs