On Sunday, August 24, 2014 06:45:14 Daniel J Walsh wrote:
On 08/23/2014 10:45 AM, Bill Gee wrote:
On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
On 08/21/2014 10:03 AM, Bill Gee wrote:
On Thursday, August 21, 2014 12:00:03 centos-request@centos.org wrote:
Re: [CentOS] SELinux vs. logwatch and virsh
From: Daniel J Walsh <dwalsh@redhat.com>
To: CentOS mailing list <centos@centos.org>
On 08/18/2014 02:13 PM, Bill Gee wrote:
Hi Dan -
"ausearch -m avc -ts recent" produces no output. If I run it as "ausearch -f virsh" then it produces output similar to this. Each day's run of logwatch produces three of these audit log entries. The a1 and a2 values are different for each entry, but everything else is the same.
===============
time->Mon Aug 18 03:21:03 2014
type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21 success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408350063.257:7492): avc: denied { read } for pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
===============
I thought about using audit2allow as you suggest. The problem is then I don't really know what change is required. What exactly will it do? And is there a guarantee that it will work?
logwatch is executing virsh probably to communicate with libvirt to rotate logs or something. You can look in /etc/logrotate.d for a script with virsh to tell you what the command is trying to do.
Hi Dan -
I know EXACTLY what virsh is being called for. I wrote the script! It has nothing to do with logrotate. I want virsh to tell logwatch what the status is of all virtual machines running on the host. Logwatch will then include that in its daily summary report. SELinux is getting in the way.
Regards - Bill Gee

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Well logrotate is calling the script, and you just need to add the allow rules to allow logrotate to execute the script and communicate with libvirt. Or you need to run the script in a separate cron job to collect the data before the logrotate script runs.
Hi Dan -
Oops, I screwed up the subject line on the last posting. Hopefully corrected with this message.
Comment - I changed my configuration so that virsh is run by a script in cron.daily rather than being called from logwatch. It saves output to a file in /tmp. Logwatch was changed to simply "cat" the file. However, this STILL produces an SELinux violation. I am not any closer to the goal.
Question - How do I add an "allow" rule to SELinux? What exactly is to be allowed and how is SELinux told to do it?
Here is what ausearch finds:
=====================
time->Sat Aug 23 03:06:04 2014
type=SYSCALL msg=audit(1408781164.014:1373): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fffffffffff0000 a3=7fffb24e31d0 items=0 ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=127 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408781164.014:1373): avc: denied { open } for pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
=====================
Observation - My original idea on this is to have logwatch execute virsh directly. I know it is possible to make that work. The same computer has two other logwatch items that I created. One of them runs uptime and the other runs sensors. Both work perfectly. I see that the uptime and sensors programs are set for SELinux type=bin_t, which is not the same as what virsh is set for. I think what I need to do is figure out how to ADD (not replace) a new type on the virsh program.
Thanks - Bill Gee
Change your script to write it to /var/log/virsh.log, then everything should work. I recommend that no priv process ever write to /tmp, /tmp is for users.
logwatch can read log files, so SELinux requires it to have a log label. The default label for anything created in /var/log is var_log_t, which is a log label.
I tried both /var/log and /var/cache/logwatch. SELinux denies write permission in both. Here is what ausearch shows:
=====================
time->Mon Aug 25 03:20:02 2014
type=SYSCALL msg=audit(1408954802.018:3920): arch=c000003e syscall=59 success=yes exit=0 a0=1704490 a1=1703c60 a2=1704f40 a3=0 items=0 ppid=27898 pid=27900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=469 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:virsh_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408954802.018:3920): avc: denied { write } for pid=27900 comm="virsh" path="/var/log/libvirt-status" dev="dm-0" ino=203140363 scontext=system_u:system_r:virsh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
======================
It only fails when run by cron. If I do "run-parts /etc/cron.daily" from a root login, then everything works as it should.
Bill Gee
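An added example, not code from the thread and not the SELinux tools' own code: a small POSIX sh/awk script that does to the three AVC records quoted above what audit2allow does, so that Bill's question ("How do I add an allow rule? What exactly is to be allowed?") and the final virsh_t write denial both get a concrete answer you can read before installing anything. The AVC records are the ones posted in the thread; the module name logwatch_virsh and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): turn the AVC records Bill posted into
# the allow rules audit2allow would propose, so "add an allow rule" becomes
# something concrete. Only sh and awk are needed, so this runs on any box;
# the commands for a real SELinux host are shown as comments at the end.

# The three denials quoted in the thread, "avc: denied" records only
# (audit2allow ignores the SYSCALL records).
AVCS='type=AVC msg=audit(1408350063.257:7492): avc: denied { read } for pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(1408781164.014:1373): avc: denied { open } for pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1408954802.014:3920): avc: denied { write } for pid=27900 comm="virsh" path="/var/log/libvirt-status" dev="dm-0" ino=203140363 scontext=system_u:system_r:virsh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file'

# avc_to_allow: read audit records on stdin and print one policy rule per
# (source type, target type, object class), merging the permissions of
# repeated denials, e.g.   allow logwatch_t virsh_exec_t:file { read };
avc_to_allow() {
  awk '
  /avc: *denied/ {
    perms = $0
    sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)   # text between { }
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      # contexts are user:role:TYPE:level; only the type matters for a rule
      if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
      if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
      if (kv[1] == "tclass")   { cls = kv[2] }
    }
    key = st " " tt ":" cls
    if (!(key in have)) { keys[++n] = key; have[key] = "" }
    m = split(perms, p, " ")
    for (i = 1; i <= m; i++)
      if (index(" " have[key] " ", " " p[i] " ") == 0)
        have[key] = (have[key] == "" ? p[i] : have[key] " " p[i])
  }
  END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", keys[i], have[keys[i]] }'
}

# avc_to_module NAME: wrap those rules in the .te skeleton that
# "audit2allow -M NAME" writes: module header plus a require block that
# declares every type and every class/permission the rules use.
avc_to_module() {
  avc_to_allow | awk -v name="$1" '
  {
    rules[++n] = $0                       # allow SRC TGT:CLASS { perms };
    split($3, tc, ":")                    # tc[1] = target type, tc[2] = class
    if (!($2 in seen))    { seen[$2] = 1;    types[++nt] = $2 }
    if (!(tc[1] in seen)) { seen[tc[1]] = 1; types[++nt] = tc[1] }
    if (!(tc[2] in cls))  { cls[tc[2]] = ""; classes[++nc] = tc[2] }
    perms = $0
    sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
    m = split(perms, p, " ")
    for (i = 1; i <= m; i++)
      if (index(" " cls[tc[2]] " ", " " p[i] " ") == 0)
        cls[tc[2]] = (cls[tc[2]] == "" ? p[i] : cls[tc[2]] " " p[i])
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", name
    for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
    for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", classes[i], cls[classes[i]]
    printf "}\n\n"
    for (i = 1; i <= n; i++) print rules[i]
  }'
}

# Module text for the three denials from the thread.
printf '%s\n' "$AVCS" | avc_to_module logwatch_virsh

# On a real CentOS host the same steps are:
#   ausearch -m avc -ts today | audit2allow -M logwatch_virsh   # writes logwatch_virsh.te and .pp
#   cat logwatch_virsh.te                                         # read it before installing
#   semodule -i logwatch_virsh.pp
```

Read the generated rules before installing anything: audit2allow grants exactly the access that was denied and nothing narrower, so `allow virsh_t cron_log_t:file { write };` lets virsh write to every file labelled cron_log_t, not just /var/log/libvirt-status. That file most likely got cron's log label because the cron job created it in /var/log, which is also why the same script works from a root login. A narrower fix is to give the file a type virsh_t is already allowed to write (list candidates with `sesearch --allow -s virsh_t -c file -p write`, then set it with `semanage fcontext` and `restorecon`) rather than widening virsh_t. Two smaller checks: `ausearch -ts recent` only covers the last ten minutes, which is why the 03:21 denial produced no output in the first search (`-ts today` would have found it), and the SYSCALL record's `comm=` tells you which process in the pipeline was blocked, which is how the thread moved from bash reading virsh to cat opening /tmp to virsh writing the log.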