[CentOS] SELinux vs. logwatch and virsh
Daniel J Walsh
dwalsh at redhat.com
Fri Aug 15 15:22:40 UTC 2014
On 08/14/2014 11:02 AM, Bill Gee wrote:
> Hello everyone -
>
> I am stumped ... Does anyone have suggestions on how to proceed? Is there a way
> to get what I want?
>
> The environment: CentOS 7.0 with latest patches.
>
> The goal: I want logwatch to include a report on the status of kvm virtual computers.
>
> The problem: When run from anacron, SELinux denies permission for the virsh utility.
> Here is a portion of the logwatch output:
>
> --------------------- KVM libvirt status report Begin ------------------------
>
> Date Range: yesterday
> /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission denied
>
> ---------------------- KVM libvirt status report End -------------------------
>
> If I "run-parts /etc/cron.daily" from a root console, it all works. Same if I run "logwatch"
> from a root console.
>
> I set SELinux to permissive and that allows virsh to run. Therefore I know it is
> something to do with SELinux.
>
> The logwatch script is:
>
> #Lots of comments
> /usr/bin/virsh list --all
>
> I see the selinux security context of virsh is
>
> system_u:object_r:virsh_exec_t:s0
>
> while logwatch.pl runs as
>
> system_u:object_r:logwatch_exec_t:s0
>
> As I understand it, selinux does not permit having multiple type settings for a file. Any
> file can have exactly one type setting.
>
> I ran this command hoping it would add another type to the virsh program.
>
> semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh
>
> semanage fcontext --list /usr/bin/virsh | grep virsh
> /usr/bin/virsh all files system_u:object_r:logwatch_exec_t:s0
> /usr/bin/virsh regular file system_u:object_r:virsh_exec_t:s0
> /usr/sbin/xl regular file system_u:object_r:virsh_exec_t:s0
> /usr/sbin/xm regular file system_u:object_r:virsh_exec_t:s0
>
> Semanage did add the new type, but that did not fix the problem. Virsh still gets
> "permission denied" when logwatch tries to run it.
>
> Thanks - Bill Gee
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
BTW if you think this is something we should do in general in such a way
as logwatch can only look at the content in Read Only mode, then we
might want it to become default.