On 08/14/2014 11:02 AM, Bill Gee wrote: > Hello everyone - > > I am stumped ... Does anyone have suggestions on how to proceed? Is there a way > to get what I want? > > The environment: CentOS 7.0 with latest patches. > > The goal: I want logwatch to include a report on the status of kvm virtual computers. > > The problem: When run from anacron, SELinux denies permission for the virsh utility. > Here is a portion of the logwatch output: > > --------------------- KVM libvirt status report Begin ------------------------ > > Date Range: yesterday > /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission denied > > ---------------------- KVM libvirt status report End ------------------------- > > If I "run-parts /etc/cron.daily" from a root console, it all works. Same if I run "logwatch" > from a root console. > > I set SELinux to permissive and that allows virsh to run. Therefore I know it is > something to do with SELinux. > > The logwatch script is: > > #Lots of comments > /usr/bin/virsh list --all > > I see the selinux security context of virsh is > > system_u:object_r:virsh_exec_t:s0 > > while logwatch.pl runs as > > system_u:object_r:logwatch_exec_t:s0 > > As I understand it, selinux does not permit having multiple type settings for a file. Any > file can have exactly one type setting. > > I ran this command hoping it would add another type to the virsh program. > > semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh > > semanage fcontext --list /usr/bin/virsh | grep virsh > /usr/bin/virsh all files > system_u:object_r:logwatch_exec_t:s0 > /usr/bin/virsh regular file system_u:object_r:virsh_exec_t:s0 > /usr/sbin/xl regular file system_u:object_r:virsh_exec_t:s0 > /usr/sbin/xm regular file system_u:object_r:virsh_exec_t:s0 > > Semanage did add the new type, but that did not fix the problem. Virsh still gets > "permission denied" when logwatch tries to run it. > > Thanks - Bill Gee > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos What AVC messages are you seeing? ausearch -m avc -ts recent. I would put the machine in permissive mode, run your tests and then add the allow rules using audit2allow -M mylogwatch