On 08/14/2014 11:02 AM, Bill Gee wrote:
Hello everyone -
I am stumped ... Does anyone have suggestions on how to proceed? Is there a way to get what I want?
The environment: CentOS 7.0 with latest patches.
The goal: I want logwatch to include a report on the status of kvm virtual computers.
The problem: When run from anacron, SELinux denies permission for the virsh utility. Here is a portion of the logwatch output:
--------------------- KVM libvirt status report Begin ------------------------
Date Range: yesterday /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission denied
---------------------- KVM libvirt status report End -------------------------
If I "run-parts /etc/cron.daily" from a root console, it all works. Same if I run "logwatch" from a root console.
I set SELinux to permissive and that allows virsh to run. Therefore I know it is something to do with SELinux.
The logwatch script is:
#Lots of comments /usr/bin/virsh list --all
I see the selinux security context of virsh is
system_u:object_r:virsh_exec_t:s0
while logwatch.pl runs as
system_u:object_r:logwatch_exec_t:s0
As I understand it, selinux does not permit having multiple type settings for a file. Any file can have exactly one type setting.
I ran this command hoping it would add another type to the virsh program.
semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh
semanage fcontext --list /usr/bin/virsh | grep virsh /usr/bin/virsh all files system_u:object_r:logwatch_exec_t:s0 /usr/bin/virsh regular file system_u:object_r:virsh_exec_t:s0 /usr/sbin/xl regular file system_u:object_r:virsh_exec_t:s0 /usr/sbin/xm regular file system_u:object_r:virsh_exec_t:s0
Semanage did add the new type, but that did not fix the problem. Virsh still gets "permission denied" when logwatch tries to run it.
Thanks - Bill Gee _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
BTW if you think this is something we should do in general in such a way as logwatch can only look at the content in Read Only mode, then we might want it to become default.