[CentOS] SELinux vs. virsh
Bill Gee
bgee at campercaver.net
Fri Aug 29 12:46:54 UTC 2014
On Thursday, August 28, 2014 16:07:18 Jonathan Billings wrote:
> On Thu, Aug 28, 2014 at 10:29:50AM -0500, Bill Gee wrote:
> > Hmmm....... OK, let's go back to my original goal. I want
> > logwatch to include the output of "hddtemp /dev/sda" and "virsh
> > --list all" in its daily reports. How is that to be accomplished?
> >
> > Based on what you said above, I think the way to accomplish it is to
> > add some SELinux entry points to logwatch. Cron is not the problem
> > since it apparently already has an entry point to logwatch.
>
> It doesn't look like the EL6 policy sets a special file context on
> logwatch (at least, matchpathcon /usr/sbin/logwatch just says it's
> bin_t) so I think it must be still operating under Cron's context.
>
> > When I ran "audit2allow" and "semodule -i" commands, was that
> > defining some new entry points?
> >
> > Is there a way to see the entry points already defined for a given
> > SELinux type?
>
> If you have the 'selinux-policy-doc' package installed, the man pages
> for the various services (man crond_selinux, for example) will list
> the entry points. That's probably the easiest, however, if I look at
> the 'xm_selinux' man page (virsh has xm_exec_t as the file context) I
> see the only entry point for the xm_t domain is currently defined is
> xm_exec_t. This means that the custom policy module will need to
> allow crond_t to execute xm_exec_t to transition to xm_t (I think).
> I'm sure someone with SELinux policy experience could comment further.
I think a bit of background got lost. There have been several threads going
around on this ... For this I am using CentOS 7.
The SELinux types are set like this:
-rwxr-xr-x. root root system_u:object_r:logwatch_exec_t:s0 /usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x. root root system_u:object_r:virsh_exec_t:s0 /usr/bin/virsh
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/local/sbin/hddtemp
In CentOS7 there is no package called selinux-policy-doc. I do have man pages
with names like crond_selinux. I see entrypoints described in those pages,
but I don't have any idea how to use them.
How can I tell SELinux that logwatch_t is permitted to use virsh_t? And for
hddtemp, how can I tell SELinux that logwatch_t is permitted to read block
devices?
I tried creating modules using audit2allow, but that did not work.
As an experiment, I have made logwatch_t permissive. It works. I now see
both hddtemp and virsh output in the logwatch daily report.
semanage permissive -a logwatch_t
Although it works, it seems to me this is not the right way to do it. It is
better than setting the whole system to permissive.
Thanks - Bill Gee
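As an added example (not part of Bill's message and not policy shipped by CentOS), here is what a hand-written module answering the two questions above could look like, instead of leaving logwatch_t permissive. It uses the type names shown in the ls -Z listing (logwatch_t, virsh_exec_t, virsh_t); fixed_disk_device_t as the label of /dev/sda, the module name logwatch_local, and the reference-policy devel Makefile from the selinux-policy-devel package are assumptions to verify on the machine (ls -Z /dev/sda, rpm -q selinux-policy-devel). The domain_auto_trans interface is the reference-policy way of saying "when logwatch_t executes virsh_exec_t, run it as virsh_t"; it also grants virsh_t use of the pipe logwatch created, so the report text can flow back. hddtemp is plain bin_t, so it keeps running as logwatch_t and needs the block-device read itself.

```shell
#!/bin/bash
# Added example: custom SELinux policy module for the logwatch case discussed
# above. Assumed (verify locally): /dev/sda is fixed_disk_device_t, the module
# name "logwatch_local" is free, and selinux-policy-devel is installed.

# Emit the type-enforcement (.te) source as text so it can be inspected first.
logwatch_local_te() {
  cat <<'EOF'
policy_module(logwatch_local, 1.0)

require {
    type logwatch_t;
    type virsh_t;
    type virsh_exec_t;
    type fixed_disk_device_t;
}

# virsh: executing /usr/bin/virsh (virsh_exec_t) from logwatch_t switches the
# process to virsh_t. The interface also allows virsh_t to use logwatch_t's
# file descriptors and read/write its pipe, and to send sigchld back.
domain_auto_trans(logwatch_t, virsh_exec_t, virsh_t)

# hddtemp: /usr/local/sbin/hddtemp is bin_t, so it stays in logwatch_t and
# reads the disk itself. Grant raw read/ioctl on fixed disks only, not on
# every block device.
allow logwatch_t fixed_disk_device_t:blk_file { getattr open read ioctl };
EOF
}

# Build the .pp with the reference-policy Makefile and load it. Run as root.
build_and_install() {
  local dir
  dir=$(mktemp -d)
  logwatch_local_te > "$dir/logwatch_local.te"
  make -C "$dir" -f /usr/share/selinux/devel/Makefile logwatch_local.pp
  semodule -i "$dir/logwatch_local.pp"
  # Once the module is loaded, drop the permissive-domain workaround again
  # so real denials are enforced and show up in the audit log.
  semanage permissive -d logwatch_t
}

# Anything still denied after the module is in place (e.g. a capability the
# hddtemp ioctl needs) is visible here; extend the .te rather than widening
# it to the whole domain.
show_recent_denials() {
  ausearch -m avc -ts recent
}

# Usage: review the text first, then install.
#   logwatch_local_te
#   build_and_install
#   show_recent_denials
```

The point of writing the .te by hand rather than pasting audit2allow output is that every allow line names the narrowest type that does the job: the transition goes only to virsh_t through its own entrypoint, and the raw read is limited to fixed_disk_device_t, so logwatch_t never gains a blanket right to read all block devices.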