On Thursday, August 28, 2014 16:07:18 Jonathan Billings wrote:
On Thu, Aug 28, 2014 at 10:29:50AM -0500, Bill Gee wrote:
Hmmm....... OK, let's go back to my original goal. I want logwatch to include the output of "hddtemp /dev/sda" and "virsh --list all" in its daily reports. How is that to be accomplished?
Based on what you said above, I think the way to accomplish it is to add some SELinux entry points to logwatch. Cron is not the problem since it apparently already has an entry point to logwatch.
It doesn't look like the EL6 policy sets a special file context on logwatch (at least, matchpathcon /usr/sbin/logwatch just says it's bin_t) so I think it must be still operating under Cron's context.
When I ran "audit2allow" and "semodule -i" commands, was that defining some new entry points?
Is there a way to see the entry points already defined for a given SELinux type?
If you have the 'selinux-policy-doc' package installed, the man pages for the various services (man crond_selinux, for example) will list the entry points. That's probably the easiest, however, if I look at the 'xm_selinux' man page (virsh has xm_exec_t as the file context) I see the only entry point for the xm_t domain is currently defined is xm_exec_t. This means that the custom policy module will need to allow crond_t to execute xm_exec_t to transition to xm_t (I think). I'm sure someone with SELinux policy experience could comment further.
I think a bit of background got lost. There have been several threads going around on this ... For this I am using CentOS 7.
The SELinux types are set like this:
-rwxr-xr-x. root root system_u:object_r:logwatch_exec_t:s0 /usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x. root root system_u:object_r:virsh_exec_t:s0 /usr/bin/virsh
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/sbin/hddtemp
In CentOS7 there is no package called selinux-policy-doc. I do have man pages with names like crond_selinux. I see entrypoints described in those pages, but I don't have any idea how to use them.
How can I tell SELinux that logwatch_t is permitted to use virsh_t? And for hddtemp, how can I tell SELinux that logwatch_t is permitted to read block devices?
I tried creating modules using audit2allow, but that did not work.
As an experiment, I have made logwatch_t permissive. It works. I now see both hddtemp and virsh output in the logwatch daily report.
semanage permissive -a logwatch_t
Although it works, it seems to me this is not the right way to do it. It is better than setting the whole system to permissive.
Thanks - Bill Gee
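A targeted module in place of "semanage permissive -a logwatch_t", as an added example that is not from the thread: it grants logwatch_t only the two things the messages describe, reading the disk node for hddtemp (which stays in logwatch_t because it is bin_t) and a domain transition into virsh_t when virsh_exec_t is executed. The rules are written in the same raw syntax audit2allow emits; fixed_disk_device_t as the label of /dev/sda and the exact permission sets are assumptions to be checked against the audit log on the machine.

```shell
#!/bin/sh
# Constructed example: a minimal SELinux module for the two gaps described in the thread.
# logwatch_t, virsh_t and virsh_exec_t come from the thread; fixed_disk_device_t is the
# usual label of /dev/sda and is an assumption (confirm with: ls -Z /dev/sda).
MODNAME=logwatch_local

# Print the policy source (checkmodule syntax, the same form audit2allow produces).
gen_te() {
    cat <<'EOF'
module logwatch_local 1.0;

require {
    type logwatch_t;
    type virsh_t;
    type virsh_exec_t;
    type fixed_disk_device_t;
    class file { read getattr open execute entrypoint };
    class process { transition sigchld };
    class fd use;
    class fifo_file { read write getattr };
    class blk_file { read getattr open ioctl };
}

# hddtemp is bin_t, so it runs inside logwatch_t: let that domain open the disk node
allow logwatch_t fixed_disk_device_t:blk_file { read getattr open ioctl };

# Run virsh in its own confined domain instead of widening logwatch_t:
# execute the binary, transition to virsh_t, and let the child write back to the parent
allow logwatch_t virsh_exec_t:file { read getattr open execute };
allow logwatch_t virsh_t:process transition;
allow virsh_t virsh_exec_t:file entrypoint;
type_transition logwatch_t virsh_exec_t:process virsh_t;
allow virsh_t logwatch_t:fd use;
allow virsh_t logwatch_t:fifo_file { read write getattr };
allow virsh_t logwatch_t:process sigchld;
EOF
}

# Compile and load the module (checkmodule/semodule_package from policycoreutils, as root).
build_and_load() {
    gen_te > "$MODNAME.te"
    checkmodule -M -m -o "$MODNAME.mod" "$MODNAME.te" &&
    semodule_package -o "$MODNAME.pp" -m "$MODNAME.mod" &&
    semodule -i "$MODNAME.pp"
}
```

After loading it, drop the permissive entry with "semanage permissive -d logwatch_t" and re-run logwatch; any AVC denials still appearing in /var/log/audit/audit.log show exactly what this module is missing.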