On Thu, Aug 28, 2014 at 10:29:50AM -0500, Bill Gee wrote:
> Hmmm....... OK, let's go back to my original goal. I want logwatch to include the output of "hddtemp /dev/sda" and "virsh --list all" in its daily reports. How is that to be accomplished?
> Based on what you said above, I think the way to accomplish it is to add some SELinux entry points to logwatch. Cron is not the problem since it apparently already has an entry point to logwatch.
> It doesn't look like the EL6 policy sets a special file context on logwatch (at least, matchpathcon /usr/sbin/logwatch just says it's bin_t) so I think it must be still operating under Cron's context.
> When I ran "audit2allow" and "semodule -i" commands, was that defining some new entry points?
> Is there a way to see the entry points already defined for a given SELinux type?
If you have the 'selinux-policy-doc' package installed, the man pages for the various services (man crond_selinux, for example) will list the entry points. That's probably the easiest. However, if I look at the 'xm_selinux' man page (virsh has xm_exec_t as the file context), I see the only entry point currently defined for the xm_t domain is xm_exec_t. This means that the custom policy module will need to allow crond_t to execute xm_exec_t to transition to xm_t (I think). I'm sure someone with SELinux policy experience could comment further.
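As an added illustration of the two points above (checking a domain's entry points, and the rules a module needs so crond_t can execute xm_exec_t and transition into xm_t), here is a small shell script. It is not from the thread or from the selinux-policy package. It assumes an EL6-style targeted policy in which crond_t, xm_t and xm_exec_t already exist, and that setools (sesearch) and policycoreutils (checkmodule, semodule_package, semodule) are installed; the module name "crond_xm" and the file paths are made up for the example. The rules are the raw form of the reference-policy domain-transition pattern; if the installed policy ships the xen_domtrans_xm() interface, calling that from a module is the cleaner equivalent.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes an EL6-style
# targeted policy that already defines crond_t, xm_t and xm_exec_t, plus the
# setools and policycoreutils packages. Module name "crond_xm" is invented.

# 1) Show which file types are entry points for a domain (e.g. xm_t).
#    An "entrypoint" allow rule is what lets a domain be entered by executing
#    a file of that type; this is the same data the *_selinux man pages list.
list_entrypoints() {
    domain=$1
    sesearch -A -s "$domain" -c file -p entrypoint
}

# 2) Write the rules of the domain-transition pattern so crond_t may execute
#    xm_exec_t files and land in xm_t. The entrypoint rule (xm_t on
#    xm_exec_t) is already in the base policy per the man page, so it is
#    not repeated here.
write_crond_xm_te() {
    out=$1
    cat > "$out" <<'EOF'
module crond_xm 1.0;

require {
    type crond_t;
    type xm_t;
    type xm_exec_t;
    class file { getattr open read execute };
    class process { transition sigchld siginh rlimitinh noatsecure };
}

# the cron job may execute the xm/virsh binary ...
allow crond_t xm_exec_t:file { getattr open read execute };
# ... and change domain when it does
allow crond_t xm_t:process transition;
type_transition crond_t xm_exec_t:process xm_t;
# the child may signal its parent on exit; silence the usual inherited-state checks
allow xm_t crond_t:process sigchld;
dontaudit crond_t xm_t:process { siginh rlimitinh noatsecure };
EOF
}

# 3) Compile and load the module (needs root and the policy tools).
#    Returns non-zero if any step fails.
install_te_module() {
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Usage (as root):
#   list_entrypoints xm_t
#   write_crond_xm_te /tmp/crond_xm.te && install_te_module /tmp/crond_xm.te
# Then confirm the loaded policy really contains the transition:
#   sesearch -A -s crond_t -t xm_t -c process -p transition
#   sesearch -T -s crond_t -t xm_exec_t -c process
```

The final two sesearch queries are the check worth doing after a semodule -i: a module can load cleanly yet still be missing the process transition rule (audit2allow, for instance, only emits whatever was denied in the log), and the second query shows whether a type_transition to xm_t is actually in effect for crond_t.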