Selinux settings to allow snmptrapd to send mail

I would like to receive SNMP traps from a host on a Linux server (Rocky Linux 9.2) and send them via e-mail to my external account. Traps are received correctly, but I cannot email them. I get the following error message:

snmptrapd[8534]: can't talk to server localhost

When SELinux is disabled, the error message disappears and emails are sent as they should be.

It looks like SELinux prevents the snmptrapd daemon from sending emails.

My question is - how can I update SELinux settings in order to send e-mails?

Use the selinux tools, which will tell you how to fix the problems, eg:

audit2allow -a /var/log/audit/audit.log

should then show the violation related to your issue. There may be others as well shown in the output, so you need to look at it, and then you can make a decision based on this.

Some can be done by using setsebool, and others may require using other commands or creating custom policies/modules to allow a particular violation.

You can post here the output from the audit2allow command that I gave, since it will help us see what problems are there, and what commands to suggest to resolve it.

OK. Here is the output of audit2allow command:

#============= apcupsd_t ==============
allow apcupsd_t self:capability dac_override;
allow apcupsd_t systemd_logind_t:dbus send_msg;

#============= fail2ban_t ==============

#!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow fail2ban_t kernel_t:system module_request;

#!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:dir watch;

#============= httpd_t ==============

#!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir { add_name write };

#!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file { append create };

#!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow httpd_t kernel_t:system module_request;
allow httpd_t postfix_etc_t:dir read;
allow httpd_t postfix_etc_t:file { getattr open read };

#!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow httpd_t postfix_master_t:unix_stream_socket connectto;
allow httpd_t postfix_public_t:sock_file { getattr write };
allow httpd_t postfix_spool_t:dir { add_name remove_name write };

#!!! This avc is allowed in the current policy
allow httpd_t postfix_spool_t:file { getattr open read write };
allow httpd_t postfix_spool_t:file { create rename setattr };

#!!! This avc can be allowed using the boolean 'httpd_setrlimit'
allow httpd_t self:process setrlimit;

#============= mysqld_t ==============

#!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow mysqld_t kernel_t:system module_request;

#============= snmpd_t ==============
allow snmpd_t shadow_t:file read;

#!!! This avc can be allowed using the boolean 'nis_enabled'
allow snmpd_t smtp_port_t:tcp_socket name_connect;

#============= system_mail_t ==============
allow system_mail_t httpd_sys_content_t:file read;

It looks to me that the snmpd_t part can work (I guess)…

Could you please advise what to do with this?

I’m expecting this will be what we need to do, so:

setsebool -P nis_enabled 1

The comments in the results explain what needs to be done, as suggested to allow the avc with nis_enabled in your example. If you look at some of the others for httpd and mysqld, you see similar things; if you have problems there, it tells you what needs to be done.

Some examples will mention creating modules, however in your case nothing has suggested that so far.

We may have to enable some of the others mentioned under snmpd_t if it still doesn’t work. But it’s better to start with one at a time and go from there. Allowing everything all at once is not a good idea.
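As an added example (not code from the thread), a shell helper that applies the advice above mechanically: it reads audit2allow output for one source domain, turns each rule that audit2allow tied to a boolean into the matching setsebool command, skips rules it reports as already allowed, and flags the rest for individual review rather than blanket allowing. The sample input is constructed from the fail2ban_t and snmpd_t sections posted earlier.

```shell
#!/bin/bash
# Added example: audit2allow output -> per-domain to-do list.
# Rules with a suggested boolean become a setsebool command; rules
# without one are marked NEEDS_MODULE so each gets a deliberate look.

# Constructed sample, copied from the audit2allow output posted above.
sample_audit2allow() {
  cat <<'EOF'
#============= fail2ban_t ==============

#!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow fail2ban_t kernel_t:system module_request;

#!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:dir watch;

#============= snmpd_t ==============
allow snmpd_t shadow_t:file read;

#!!! This avc can be allowed using the boolean 'nis_enabled'
allow snmpd_t smtp_port_t:tcp_socket name_connect;
EOF
}

# Usage: suggest_fixes DOMAIN   (audit2allow output on stdin)
suggest_fixes() {
  [ -n "$1" ] || { echo "usage: suggest_fixes DOMAIN" >&2; return 2; }
  awk -v dom="$1" '
    # Section header "#===== snmpd_t =====": field 2 is the source domain
    /^#=+ [A-Za-z0-9_]+ =+$/ { cur = $2; bool = ""; skip = 0; next }
    cur != dom { next }
    # audit2allow says the loaded policy already allows the next rule
    /allowed in the current policy/ { skip = 1; next }
    # Boolean name is the last field; strip whatever quotes surround it
    /using the boolean/ { bool = $NF; gsub(/[^A-Za-z0-9_]/, "", bool); next }
    /^allow / {
      if (skip)            { skip = 0 }
      else if (bool != "") { printf "setsebool -P %s 1   # %s\n", bool, $0 }
      else                 { printf "NEEDS_MODULE  %s\n", $0 }
      bool = ""
    }
  '
}

# Demo on the constructed sample. On a real host use the live log instead:
#   audit2allow -a | suggest_fixes snmpd_t      (and getsebool nis_enabled first)
sample_audit2allow | suggest_fixes snmpd_t
```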

YES. This one worked.
Now, emails are sent correctly.

Thank you very much for your help and the explanation of how to solve the issue.
