[CentOS] SELinux vs. logwatch and virsh

Mon Aug 18 18:13:42 UTC 2014
Bill Gee <bgee at campercaver.net>

Hi Dan -

"ausearch -m avc -ts recent" produces no output.  If I run it as "ausearch -f 
virsh" then it produces output similar to this.  Each day's run of logwatch 
produces three of these audit log entries.  The a1 and a2 values are different 
for each entry, but everything else is the same.

===============
time->Mon Aug 18 03:21:03 2014
type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21 
success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 
ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash" 
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 
comm="bash" name="virsh" dev="dm-0" ino=135911290 
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
===============

I thought about using audit2allow as you suggest.  The problem is then I don't 
really know what change is required.  What exactly will it do?  And is there a 
guarantee that it will work?

Regarding your general question ...  It seems to me that logwatch can be used 
to provide feedback on operational status of almost anything on the system.  
If you go beyond the typical reading of log files, then that often requires 
running some script or utility program or something.  Anytime that is done, I 
think this kind of problem will appear.

Much of what logwatch does is running files through "cat".  That process runs 
as "bin_t" which must be a general type.  I wonder what would happen if I 
changed virsh to the same type.

For what it is worth, I have another computer running CentOS 6.5 and 
VirtualBox.  The VBoxManage program must run as the same user which is running 
the virtual machines, which frustrates me to no end.  I finally figured out a 
way to work around it by setting up a user cron job under that user.  It saves 
the output to a text file.  The logwatch script then comes along and reads that 
file into its output.  It works, but it is not ideal.  There are obvious 
problems with synchronization, plus if a computer is running VMs under 
multiple user accounts, then multiple user cron jobs are needed.

Thanks - Bill Gee


=============================
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
What AVC messages are you seeing?

ausearch -m avc -ts recent.
I would put the machine in permissive mode, run your tests and then add
the allow rules using

audit2allow -M mylogwatch





Message: 8
Date: Fri, 15 Aug 2014 11:22:40 -0400
From: Daniel J Walsh <dwalsh at redhat.com>
Subject: Re: [CentOS] SELinux vs. logwatch and virsh
To: CentOS mailing list <centos at centos.org>
Message-ID: <53EE25C0.3040404 at redhat.com>
Content-Type: text/plain; charset=windows-1252


On 08/14/2014 11:02 AM, Bill Gee wrote:
> Hello everyone -
>
> I am stumped ...  Does anyone have suggestions on how to proceed?  Is there 
a way 
> to get what I want?
>
> The environment:  CentOS 7.0 with latest patches. 
>
> The goal:  I want logwatch to include a report on the status of kvm virtual 
computers.
>
> The problem:  When run from anacron, SELinux denies permission for the virsh 
utility.  
> Here is a portion of the logwatch output:
>
> --------------------- KVM libvirt status report Begin 
------------------------ 
>
>  Date Range: yesterday
>  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission 
denied
>  
> ---------------------- KVM libvirt status report End 
------------------------- 
>
> If I "run-parts  /etc/cron.daily" from a root console, it all works.  Same 
if I run "logwatch" 
> from a root console.
>
> I set SELinux to permissive and that allows virsh to run.  Therefore I know 
it is 
> something to do with SELinux.
>
> The logwatch script is:
>
>       #Lots of comments
>       /usr/bin/virsh list --all
>
> I see the selinux security context of virsh is
>
>       system_u:object_r:virsh_exec_t:s0
>
> while logwatch.pl runs as 
>
>       system_u:object_r:logwatch_exec_t:s0
>
> As I understand it, selinux does not permit having multiple type settings 
for a file.  Any 
> file can have exactly one type setting.  
>
> I ran this command hoping it would add another type to the virsh program.
>
>       semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh
>
>       semanage fcontext --list /usr/bin/virsh | grep virsh
> /usr/bin/virsh                                     all files         
> system_u:object_r:logwatch_exec_t:s0 
> /usr/bin/virsh                                     regular file      
system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xl                                       regular file      
system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xm                                       regular file      
system_u:object_r:virsh_exec_t:s0 
>
> Semanage did add the new type, but that did not fix the problem.  Virsh still 
gets 
> "permission denied" when logwatch tries to run it.
>
> Thanks - Bill Gee
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
BTW if you think this is something we should do in general in such a way
as logwatch can only look at the content in Read Only mode, then we
might want it to become default.




------------------------------