parrotchang

如果 snmp 已停止，但 sybsys 鎖定，可能是 3個問題

1.netsnmp 版本要一致
rpm -qa | grep snmp

net-snmp-utils-5.3.1-19.el5_1.4
net-snmp-libs-5.3.1-19.el5_1.4
net-snmp-5.3.1-19.el5_1.4

用 CentOS 5.1 啟動時出現 snmpd dead but pid file exists 後來發現是 net-snmp 跟 net-snmp-libs 的版本不一樣導致的，升級了 net-snmp-libs 後問題就解決了

2.CentOS 安全性設置訊息，可以在 tail -f /var/log/messages 找到相關蛛絲馬跡，解決方法如下

more /var/log/messages
setroubleshoot:      SELinux is preventing /usr/sbin/snm
pd (snmpd_t) "create" access to <Unknown> (snmpd_t).      For complete SELinux m
essages. run sealert -l 2b6db142-43ab-4e78-8f35-1fa571261694

執行 sealert -l 2b6db142-43ab-4e78-8f35-1fa571261694 得到下面的訊息

Summary
    SELinux is preventing /usr/sbin/snmpd (snmpd_t) "create" access to <Unknown>
    (snmpd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/snmpd. It is not expected that
    this access is required by /usr/sbin/snmpd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "snmpd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P snmpd_disable_trans=1."

    The following command will allow this access:
    setsebool -P snmpd_disable_trans=1

Additional Information

Source Context                user_u:system_r:snmpd_t
Target Context                user_u:system_r:snmpd_t
Target Objects                None [ netlink_route_socket ]
Affected RPM Packages         net-snmp-5.3.1-19.el5_1.4 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     bscldap.cht.com.tw
Platform                      Linux bscldap.cht.com.tw 2.6.18-8.1.15.el5 #1 SMP
                              Mon Oct 22 08:32:04 EDT 2007 i686 i686
Alert Count                   58
Line Numbers

Raw Audit Messages

avc: denied { create } for comm="snmpd" egid=0 euid=0 exe="/usr/sbin/snmpd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27302
scontext=user_u:system_r:snmpd_t:s0 sgid=0 subj=user_u:system_r:snmpd_t:s0
suid=0 tclass=netlink_route_socket tcontext=user_u:system_r:snmpd_t:s0
tty=(none) uid=0

根據上面資料，最簡單也最快的解決方式如下所述

# 解除 sybsys 鎖定
rm /var/lock/subsys/snmpd
# 解除 snmpd 安全性設定
setsebool -P snmpd_disable_trans=1
# 啟動 snmpd 服務
service snmpd start

3.Disable IPV6 support

vi /etc/modprobe.conf
＝＝＝＝＝＝＝＝＝＝＝＝＝
alias net-pf-10 off
alias ipv6 off
＝＝＝＝＝＝＝＝＝＝＝＝

vi /etc/sysconfig/network
＝＝＝＝＝＝＝＝＝＝＝＝＝
NETWORKING_IPV6=no
＝＝＝＝＝＝＝＝＝＝＝＝＝

vi /etc/sysconfig/network-scripts/ifcfg-eth0
add
＝＝＝＝＝＝＝＝＝＝＝＝＝
IPV6INIT=no
＝＝＝＝＝＝＝＝＝＝＝＝＝

最後重新上 SNMP Package
yum install net-snmp net-snmp-devel net-snmp-utils net-snm-libs