[CentOS] SELinux vs. logwatch and virsh

Daniel J Walsh dwalsh at redhat.com
Fri Aug 15 15:22:40 UTC 2014 

On 08/14/2014 11:02 AM, Bill Gee wrote:
> Hello everyone -
>
> I am stumped ...  Does anyone have suggestions on how to proceed?  Is there a way 
> to get what I want?
>
> The environment:  CentOS 7.0 with latest patches. 
>
> The goal:  I want logwatch to include a report on the status of kvm virtual computers.
>
> The problem:  When run from anacron, SELinux denies permission for the virsh utility.  
> Here is a portion of the logwatch output:
>
> --------------------- KVM libvirt status report Begin ------------------------ 
>
>  Date Range: yesterday
>  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission denied
>  
> ---------------------- KVM libvirt status report End ------------------------- 
>
> If I "run-parts  /etc/cron.daily" from a root console, it all works.  Same if I run "logwatch" 
> from a root console.
>
> I set SELinux to permissive and that allows virsh to run.  Therefore I know it is 
> something to do with SELinux.
>
> The logwatch script is:
>
> 	#Lots of comments
> 	/usr/bin/virsh list --all
>
> I see the selinux security context of virsh is
>
> 	system_u:object_r:virsh_exec_t:s0
>
> while logwatch.pl runs as 
>
> 	system_u:object_r:logwatch_exec_t:s0
>
> As I understand it, selinux does not permit having multiple type settings for a file.  Any 
> file can have exactly one type setting.  
>
> I ran this command hoping it would add another type to the virsh program.
>
> 	semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh
>
> 	semanage fcontext --list /usr/bin/virsh | grep virsh
> /usr/bin/virsh                                     all files         
> system_u:object_r:logwatch_exec_t:s0 
> /usr/bin/virsh                                     regular file      system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xl                                       regular file      system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xm                                       regular file      system_u:object_r:virsh_exec_t:s0 
>
> Semanage did add the new type, but that did not fix the problem.  Virsh still gets 
> "permission denied" when logwatch tries to run it.
>
> Thanks - Bill Gee
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
BTW if you think this is something we should do in general in such a way
as logwatch can only look at the content in Read Only mode, then we
might want it to become default.

More information about the CentOS mailing list