[CentOS] SELinux vs. virsh

Bill Gee bgee at campercaver.net
Thu Aug 28 15:29:50 UTC 2014


On Thursday, August 28, 2014 10:20:06 Jonathan Billings wrote:
> On Thu, Aug 28, 2014 at 08:16:58AM -0500, Bill Gee wrote:
> > But that means that SELinux contexts are NOT stable ...  They are
> > NOT the same for all instances of a process.  It seems to me that
> > defeats the whole purpose of SELinux.
> 
> I think you're confusing the account the process is running under with
> the context in which it's run.  SELinux doesn't really "know" anything
> about what daemon is running or what user is running them, it just
> understands that crond is run with a context, and that the SELinux
> policy allows that process to start certain executables with the
> appropriate file context, and possibly transitioning to a target
> domain.
> 
> Your root user is unconfined (assuming you haven't done otherwise), so
> there aren't any restrictions on what it can transition to.
> 
> The Cron daemon, when run with SELinux with a process context, can
> only access files and start processes as defined by the SELinux
> policy, and can transition to certain domains through defined 'entry
> points', or executables with a defined file context.
> 
> Process transitions are good for cron, because it limits cron to only
> starting processes properly tagged to enter into that domain, and once
> the subprocesses have started, they're now confined to what their domain
> allows.  This means that your cron job that rotates httpd's logs can't
> also start up a sshd on port 22 (for example), even though it is
> running as root.


Hmmm.......   OK, let's go back to my original goal.  I want logwatch to 
include the output of "hddtemp /dev/sda" and "virsh --list all" in its daily 
reports.  How is that to be accomplished?

Based on what you said above, I think the way to accomplish it is to add some 
SELinux entry points to logwatch.  Cron is not the problem since it apparently 
already has an entry point to logwatch.

When I ran "audit2allow" and "semodule -i" commands, was that defining some new 
entry points?

Is there a way to see the entry points already defined for a given SELinux 
type?

Thanks - Bill Gee
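To answer the last question above: the loaded policy can be queried with `sesearch` (from the setools package) for the `entrypoint` permission, and `matchpathcon` shows which file type a given executable carries. The following script is an added example, not something from the thread or from the CentOS project; it assumes `sesearch` and `matchpathcon` are installed, and the rule lines used for checking the parser are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): inspect the entry points and process
# transitions of a SELinux domain using sesearch (setools) and matchpathcon
# (libselinux-utils). Assumes both tools are installed.

# Pull the target type out of sesearch allow-rule output. Both styles handled:
#   setools3: allow logwatch_t logwatch_exec_t : file { entrypoint ... } ;
#   setools4: allow logwatch_t logwatch_exec_t:file { entrypoint ... };
extract_targets() {
    sed -n 's/^ *allow [^ ]* \([^ :]*\) *:.*/\1/p' | sort -u
}

# The third field of a security context is its type, e.g. logwatch_exec_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# File types that act as entry points into DOMAIN: a process can only enter
# DOMAIN by executing a file carrying one of these labels.
entrypoints_for_domain() {
    sesearch -A -s "$1" -c file -p entrypoint 2>/dev/null | extract_targets
}

# type_transition rules that move a process out of DOMAIN into another domain
# (this is what lets crond_t end up running logwatch in logwatch_t).
transitions_from_domain() {
    sesearch -T -s "$1" -c process 2>/dev/null
}

# Exit 0 if PATH's default label is an entry point into DOMAIN, 1 otherwise.
is_entrypoint_into() {
    path=$1; domain=$2
    ftype=$(context_type "$(matchpathcon -n "$path")")
    entrypoints_for_domain "$domain" | grep -qx "$ftype"
}

# Usage: sh selinux-entry.sh logwatch_t /usr/sbin/logwatch
if [ $# -eq 2 ]; then
    echo "entry points into $1:";        entrypoints_for_domain "$1"
    echo "process transitions from $1:"; transitions_from_domain "$1"
    if is_entrypoint_into "$2" "$1"; then echo "$2 enters $1"
    else echo "$2 does not enter $1"; fi
fi
```

Running it against `crond_t` shows the transition into `logwatch_t` that the quoted reply describes, while running it against `logwatch_t` shows which executables may enter that domain; a command that `logwatch_t` is not allowed to execute will instead appear as an AVC denial in the audit log, which is what `audit2allow` turned into a local module.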
