On Thu, Aug 28, 2014 at 10:29:50AM -0500, Bill Gee wrote:
> Hmmm....... OK, let's go back to my original goal. I want
> logwatch to include the output of "hddtemp /dev/sda" and "virsh
> --list all" in its daily reports. How is that to be accomplished?
>
> Based on what you said above, I think the way to accomplish it is to
> add some SELinux entry points to logwatch. Cron is not the problem
> since it apparently already has an entry point to logwatch.

It doesn't look like the EL6 policy sets a special file context on logwatch (at least, matchpathcon /usr/sbin/logwatch just says it's bin_t), so I think it must still be operating under Cron's context.

> When I ran "audit2allow" and "semodule -i" commands, was that
> defining some new entry points?
>
> Is there a way to see the entry points already defined for a given
> SELinux type?

If you have the 'selinux-policy-doc' package installed, the man pages for the various services (man crond_selinux, for example) will list the entry points. That's probably the easiest. However, if I look at the 'xm_selinux' man page (virsh has xm_exec_t as the file context), I see the only entry point currently defined for the xm_t domain is xm_exec_t. This means that the custom policy module will need to allow crond_t to execute xm_exec_t to transition to xm_t (I think). I'm sure someone with SELinux policy experience could comment further.

-- 
Jonathan Billings <billings at negate.org>
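As an added illustration of the crond_t -> xm_t transition discussed above (this script is not from the thread or from the policy package), the following checks the three allow rules SELinux needs for a domain transition: execute on the file type for the source domain, entrypoint on it for the target domain, and process transition between the two. It assumes the sesearch tool from the setools package for live queries; the sample rule output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: verify the three allow rules SELinux
# needs before a cron job can transition from crond_t into xm_t via xm_exec_t
# (the domains named in the discussion). Uses sesearch from the setools
# package for live queries; the sample output below is constructed.

# Return 0 if the sesearch-style output in $1 contains an allow rule with
# source $2, target $3, class $4 and permission $5. Handles both the
# "type : class { perms } ;" and "type:class perm;" output spellings.
has_allow() {
    printf '%s\n' "$1" | grep -Eq \
      "^[[:space:]]*allow[[:space:]]+$2[[:space:]]+$3[[:space:]]*:[[:space:]]*$4[[:space:]]+(\{[^}]*[[:space:]])?$5[[:space:]};]"
}

# $1=source domain $2=target domain $3=entrypoint file type $4=sesearch output.
# Prints any missing rule names and returns 1; returns 0 if all three exist.
check_transition() {
    missing=""
    has_allow "$4" "$1" "$3" file execute       || missing="$missing execute"
    has_allow "$4" "$2" "$3" file entrypoint    || missing="$missing entrypoint"
    has_allow "$4" "$1" "$2" process transition || missing="$missing transition"
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Pull the relevant allow rules out of the loaded policy (needs setools).
query_policy() {
    sesearch -A -s "$1" -t "$3" -c file
    sesearch -A -s "$2" -t "$3" -c file
    sesearch -A -s "$1" -t "$2" -c process
}

# Constructed sample: xm_t has its entrypoint and crond_t may execute the
# binary, but nothing lets crond_t transition into xm_t.
SAMPLE='allow xm_t xm_exec_t:file entrypoint;
allow crond_t xm_exec_t:file { execute getattr open read };'

# Stand-alone run: evaluate the constructed sample, or the live policy with --live.
if [ "${1:-}" = "--live" ]; then
    check_transition crond_t xm_t xm_exec_t "$(query_policy crond_t xm_t xm_exec_t)" || :
else
    check_transition crond_t xm_t xm_exec_t "$SAMPLE" || :
fi
```

Running it against the sample reports the transition rule as missing, which is the gap a custom module built from audit2allow output would have to close.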