[CentOS] SELinux vs. virsh

Sun Aug 24 10:45:14 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 08/23/2014 10:45 AM, Bill Gee wrote:
> On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
>> On 08/21/2014 10:03 AM, Bill Gee wrote:
>>> On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote:
>>>> Re: [CentOS] SELinux vs. logwatch and virsh
>>>> From: Daniel J Walsh <dwalsh at redhat.com>
>>>> To: CentOS mailing list <centos at centos.org>
>>>>
>>>> On 08/18/2014 02:13 PM, Bill Gee wrote:
>>>>> Hi Dan -
>>>>>
>>>>> "ausearch -m avc -ts recent" produces no output.  If I run it as
>>>>> "ausearch -f virsh" then it produces output similar to this.  Each
>>>>> day's run of logwatch produces three of these audit log entries.  The
>>>>> a1 and a2 values are different for each entry, but everything else is
>>>>> the same.
>>>>>
>>>>> ===============
>>>>> time->Mon Aug 18 03:21:03 2014
>>>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21
>>>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
>>>>> items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash"
>>>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
>>>>> type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
>>>>> for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290
>>>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
>>>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
>>>>> ===============
>>>>>
>>>>> I thought about using audit2allow as you suggest.  The problem is then I
>>>>> don't  really know what change is required.  What exactly will it
>>>>> do?  And is there a guarantee that it will work?
>>>> logwatch is executing virsh probably to communicate with libvirt to
>>>> rotate logs or something.  You can look in /etc/logrotate.d for a script
>>>> with virsh to tell you what the command is trying to do.
>>> Hi Dan -
>>>
>>> I know EXACTLY what virsh is being called for.  I wrote the script!  It
>>> has nothing to do with logrotate.  I want virsh to tell logwatch what
>>> the status is of all virtual machines running on the host.  Logwatch
>>> will then include that in its daily summary report.  SELinux is getting
>>> in the way.
>>>
>>> Regards - Bill Gee
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>> Well logrotate is calling the script, and you just need to add the allow
>> rules to allow logrotate to execute the script and communicate with
>> libvirt.   Or you need to run the script in a separate cron job to
>> collect the data before the logrotate script runs.
>>
>
> Hi Dan -
>
> Oops, I screwed up the subject line on the last posting.  Hopefully corrected 
> with this message.
>
> Comment - I changed my configuration so that virsh is run by a script in 
> cron.daily rather than being called from logwatch.  It saves output to a file 
> in /tmp.  Logwatch was changed to simply "cat" the file.  However, this STILL 
> produces an SELinux violation.  I am not any closer to the goal.
>
> Question - How do I add an "allow" rule to SELinux?  What exactly is to be 
> allowed and how is SELinux told to do it?
>
> Here is what ausearch finds:
>
> =====================
> time->Sat Aug 23 03:06:04 2014
> type=SYSCALL msg=audit(1408781164.014:1373): arch=c000003e syscall=2 
> success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fffffffffff0000 a3=7fffb24e31d0 items=0 
> ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 tty=(none) ses=127 comm="cat" exe="/usr/bin/cat" 
> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 
> comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 
> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
> =====================
>
> Observation - My original idea on this is to have logwatch execute virsh 
> directly.  I know it is possible to make that work.  The same computer has two 
> other logwatch items that I created.  One of them runs uptime and the other 
> runs sensors.  Both work perfectly.  I see that the uptime and sensors 
> programs are set for SELinux type=bin_t, which is not the same as what virsh 
> is set for.  I think what I need to do is figure out how to ADD (not replace) a 
> new type on the virsh program.
>
> Thanks - Bill Gee
>
Change your script to write it to /var/log/virsh.log, then everything
should work.  I recommend that no priv process ever write to /tmp; /tmp
is for users.

logwatch can read log files, so SELinux requires it to have a log
label.  The default label for anything created in /var/log is var_log_t,
which is a log label.
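As an added illustration (not a script from this thread or from the logwatch or libvirt projects), the POSIX sh below does two things Bill asked about: it pulls the four facts that answer "what exactly is to be allowed" out of an AVC record (source type, target type, object class, denied permission), and it shows the shape of a cron.daily collector that writes its output under /var/log so the file inherits the var_log_t label instead of user_tmp_t. The two AVC records are the ones quoted above, joined onto single lines; the function names, the STATUS_LOG variable and the "collect" argument are this example's own choices. The label check uses matchpathcon and stat, which are only present on an SELinux host.

```shell
#!/bin/sh
# Added example: triage an AVC denial and collect virsh status under /var/log.

# AVC records copied from the thread above (each joined onto one line).
AVC_EXEC='type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file'
AVC_TMP='type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# Print "source_type target_type tclass permission(s)" for one AVC line.
# The type is the third colon-separated field of a context (user:role:type:mls).
avc_summary() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perm"
}

# Where the collector writes. /var/log is the point: a file created there gets
# var_log_t by default, which logwatch_t is allowed to read. The variable is
# this example's assumption so the function can be exercised on a scratch path.
STATUS_LOG=${STATUS_LOG:-/var/log/virsh.log}

# cron.daily collector: run the status command (default: virsh list --all)
# and write its output to STATUS_LOG. The subshell keeps umask local.
collect_virsh_status() {
    [ $# -eq 0 ] && set -- virsh list --all
    (
        umask 027
        {
            printf 'libvirt status as of %s\n' "$(date '+%Y-%m-%d %H:%M:%S')"
            "$@"
        } > "$STATUS_LOG"
    )
}

# Verify the label: what the policy expects for this path vs. what the file has.
check_label() {
    if command -v matchpathcon >/dev/null 2>&1; then
        echo "expected: $(matchpathcon -n "$STATUS_LOG")"
        echo "actual:   $(stat -c %C "$STATUS_LOG")"
    else
        echo "SELinux tools not installed; skipping label check"
    fi
}

# Stand-alone run: summarise the two denials from the thread. Pass "collect"
# (as root, on the libvirt host) to actually write the status file and check it.
avc_summary "$AVC_EXEC"   # logwatch_t virsh_exec_t file read
avc_summary "$AVC_TMP"    # logwatch_t user_tmp_t file open
if [ "${1:-}" = collect ]; then
    collect_virsh_status
    check_label
fi
```

The summary line for the second record reads "logwatch_t user_tmp_t file open": the logwatch domain is refused open on a file typed user_tmp_t. Moving the file under /var/log changes that target type to var_log_t, which is why no policy rule has to be written; the logwatch side stays a plain `cat /var/log/virsh.log`. If the file ever shows a label other than var_log_t (for example after being copied in from elsewhere), `restorecon -v /var/log/virsh.log` resets it to what matchpathcon reports.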