On 08/18/2014 02:13 PM, Bill Gee wrote: > Hi Dan - > > "ausearch -m avc -ts recent" produces no output. If I run it as "ausearch -f > virsh" then it produces output similar to this. Each day's run of logwatch > produces three of these audit log entries. The a1 and a2 values are different > for each entry, but everything else is the same. > > =============== > time->Mon Aug 18 03:21:03 2014 > type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21 > success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 > ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash" > subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null) > type=AVC msg=audit(1408350063.257:7492): avc: denied { read } for pid=2816 > comm="bash" name="virsh" dev="dm-0" ino=135911290 > scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file > =============== > > I thought about using audit2allow as you suggest. The problem is then I don't > really know what change is required. What exactly will it do? And is there a > guarantee that it will work? logwatch is executing virsh probably to communicate with libvirt to rotate logs or something. You can look in /etc/logrotate.d for a script with virsh to tell you what the command is trying to do. > Regarding your general question ... It seems to me that logwatch can be used > to provide feedback on operational status of almost anything on the system. > If you go beyond the typical reading of log files, then that often requires > running some script or utility program or something. Anytime that is done, I > think this kind of problem will appear. Right, but I am looking for packages that drop logrotate scripts rather then just thowing in the tile and saying lograte is an unconfined domain. If a package ships a script that SELinux will break, I want to know what is the risk of a hacked logrotate executable causing havoc on a system. Potentially I can add a boolean to policy to allow the access but deny it by default. > Much of what logwatch does is running files through "cat". That process runs > as "bin_t" which must be a general type. I wonder what would happen if I > changed virsh to the same type. You could try that, I think you will end up with other AVC's concerning logratote talking to libvirt. > For what it is worth, I have another computer running CentOS 6.5 and > VirtualBox. The VBoxManage program must run as the same user which is running > the virtual machines, which frustrates me to no end. I finally figured out a > way to work around it by setting up a user cron job under that user. It saves > the output to a text file. The logwatch script then comes along and reads that > file into its output. It works, but it is not ideal. There are obvious > problems with synchronization, plus if a computer is running VMs under > multiple user accounts, then multiple user cron jobs are needed. > > Thanks - Bill Gee > > > ============================= >> _______________________________________________ >> CentOS mailing list >> CentOS at centos.org >> http://lists.centos.org/mailman/listinfo/centos > What AVC messages are you seeing? > > ausearch -m avc -ts recent. > I would put the machine in permissive mode, run your tests and then add > the allow rules using > > audit2allow -M mylogwatch > > > > > > Message: 8 > Date: Fri, 15 Aug 2014 11:22:40 -0400 > From: Daniel J Walsh <dwalsh at redhat.com> > Subject: Re: [CentOS] SELinux vs. logwatch and virsh > To: CentOS mailing list <centos at centos.org> > Message-ID: <53EE25C0.3040404 at redhat.com> > Content-Type: text/plain; charset=windows-1252 > > > On 08/14/2014 11:02 AM, Bill Gee wrote: >> Hello everyone - >> >> I am stumped ... Does anyone have suggestions on how to proceed? Is there > a way >> to get what I want? >> >> The environment: CentOS 7.0 with latest patches. >> >> The goal: I want logwatch to include a report on the status of kvm virtual > computers. >> The problem: When run from anacron, SELinux denies permission for the virsh > utility. >> Here is a portion of the logwatch output: >> >> --------------------- KVM libvirt status report Begin > ------------------------ >> Date Range: yesterday >> /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission > denied >> >> ---------------------- KVM libvirt status report End > ------------------------- >> If I "run-parts /etc/cron.daily" from a root console, it all works. Same > if I run "logwatch" >> from a root console. >> >> I set SELinux to permissive and that allows virsh to run. Therefore I know > it is >> something to do with SELinux. >> >> The logwatch script is: >> >> #Lots of comments >> /usr/bin/virsh list --all >> >> I see the selinux security context of virsh is >> >> system_u:object_r:virsh_exec_t:s0 >> >> while logwatch.pl runs as >> >> system_u:object_r:logwatch_exec_t:s0 >> >> As I understand it, selinux does not permit having multiple type settings > for a file. Any >> file can have exactly one type setting. >> >> I ran this command hoping it would add another type to the virsh program. >> >> semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh >> >> semanage fcontext --list /usr/bin/virsh | grep virsh >> /usr/bin/virsh all files >> system_u:object_r:logwatch_exec_t:s0 >> /usr/bin/virsh regular file > system_u:object_r:virsh_exec_t:s0 >> /usr/sbin/xl regular file > system_u:object_r:virsh_exec_t:s0 >> /usr/sbin/xm regular file > system_u:object_r:virsh_exec_t:s0 >> Semanage did add the new type, but that did not fix the problem. Virsh still > gets >> "permission denied" when logwatch tries to run it. >> >> Thanks - Bill Gee >> _______________________________________________ >> CentOS mailing list >> CentOS at centos.org >> http://lists.centos.org/mailman/listinfo/centos > BTW if you think this is something we should do in general in such a way > as logwatch can only look at the content in Read Only mode, then we > might want it to become default. > > > > > ------------------------------ > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos