[CentOS] SELinux vs. virsh

Thu Aug 28 20:07:18 UTC 2014
Jonathan Billings <billings at negate.org>

On Thu, Aug 28, 2014 at 10:29:50AM -0500, Bill Gee wrote:
> Hmmm.......   OK, let's go back to my original goal.  I want
> logwatch to include the output of "hddtemp /dev/sda" and "virsh
> --list all" in its daily reports.  How is that to be accomplished?
> Based on what you said above, I think the way to accomplish it is to
> add some SELinux entry points to logwatch.  Cron is not the problem
> since it apparently already has an entry point to logwatch.

It doesn't look like the EL6 policy sets a special file context on
logwatch (at least, matchpathcon /usr/sbin/logwatch just says it's
bin_t) so I think it must be still operating under Cron's context. 

> When I ran "audit2allow" and "semodule -i" commands, was that
> defining some new entry points?
> Is there a way to see the entry points already defined for a given
> SELinux type?

If you have the 'selinux-policy-doc' package installed, the man pages
for the various services (man crond_selinux, for example) will list
the entry points.  That's probably the easiest, however, if I look at
the 'xm_selinux' man page (virsh has xm_exec_t as the file context) I
see the only entry point for the xm_t domain is currently defined is
xm_exec_t.  This means that the custom policy module will need to
allow crond_t to execute xm_exec_t to transition to xm_t (I think).
I'm sure someone with SELinux policy experience could comment further.

Jonathan Billings <billings at negate.org>