[CentOS] CentOS Digest, Vol 115, Issue 21

Fri Aug 22 12:50:26 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

On 08/21/2014 10:03 AM, Bill Gee wrote:
> On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote:
>> Re: [CentOS] SELinux vs. logwatch and virsh
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> To: CentOS mailing list <centos at centos.org>
>>
>> On 08/18/2014 02:13 PM, Bill Gee wrote:
>>> Hi Dan -
>>>
>>> "ausearch -m avc -ts recent" produces no output.  If I run it as "ausearch
>>> -f virsh" then it produces output similar to this.  Each day's run of
>>> logwatch produces three of these audit log entries.  The a1 and a2 values
>>> are different for each entry, but everything else is the same.
>>>
>>> ===============
>>> time->Mon Aug 18 03:21:03 2014
>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21 
>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
>>> items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash"
>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
>>> type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
>>> for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290
>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 
>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
>>> ===============
>>>
>>> I thought about using audit2allow as you suggest.  The problem is then I
>>> don't really know what change is required.  What exactly will it
>>> do?  And is there a guarantee that it will work?
>> logwatch is executing virsh probably to communicate with libvirt to
>> rotate logs or something.  You can look in /etc/logrotate.d for a script
>> with virsh to tell you what the command is trying to do.
> Hi Dan -
>
> I know EXACTLY what virsh is being called for.  I wrote the script!  It has 
> nothing to do with logrotate.  I want virsh to tell logwatch what the status 
> is of all virtual machines running on the host.  Logwatch will then include 
> that in its daily summary report.  SELinux is getting in the way.
>
> Regards - Bill Gee
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Well logrotate is calling the script, and you just need to add the allow
rules to allow logrotate to execute the script and communicate with
libvirt.  Or you need to run the script in a separate cron job to
collect the data before the logrotate script runs.
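Bill's question in the thread ("what exactly will audit2allow do?") has a concrete answer: audit2allow reads `type=AVC` records, pulls out the source type, target type, object class and denied permissions, and writes one `allow` rule per distinct denial into a `.te` policy module. The following Python script is an added example, not code from the thread or from the audit2allow tool itself; it re-implements that translation for the AVC line quoted above (the sample record is constructed from the thread, re-joined onto one line, and the module name `mylogwatch` is an assumption) so the resulting rule can be read and judged before anything is loaded with semodule. Repeated denials from the three daily runs collapse to a single rule, as they would in the real tool.

```python
"""Render SELinux AVC denials as the allow rules audit2allow would generate.

Added example, not from the mailing-list thread or the audit2allow tool.
It parses `type=AVC` audit records, extracts source/target types, object
class and denied permissions, and emits a .te module in the style of
`audit2allow -M`. SYSCALL records and anything without an `avc:` field are
ignored, just as audit2allow skips them.
"""
import re

# Constructed sample: the AVC record quoted in the thread, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } '
    'for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290 '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (third colon-separated element) of an SELinux context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'not an SELinux context: {ctx!r}')
    return parts[2]


def parse_avc(line):
    """Extract the fields a policy rule needs from one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'verdict': m.group('verdict'),
        'perms': sorted(m.group('perms').split()),
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def fmt_perms(perms):
    """A single permission is written bare; several are brace-grouped."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(avc):
    """The TE allow rule that would silence this denial."""
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {fmt_perms(avc['perms'])};"


def te_module(name, lines):
    """Build a .te module from AVC lines: require block, then rules grouped by source domain."""
    types, classes, rules = set(), {}, {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['verdict'] != 'denied':
            continue
        types.update((avc['source'], avc['target']))
        classes.setdefault(avc['tclass'], set()).update(avc['perms'])
        # Deduplicate: three identical daily denials yield one rule.
        rules.setdefault(avc['source'], {})[allow_rule(avc)] = None
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {fmt_perms(sorted(p))};' for c, p in sorted(classes.items())]
    out.append('}')
    for source in sorted(rules):
        out += ['', f'#============= {source} ==============']
        out += list(rules[source])
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # Feed the same denial three times, as logwatch's three daily runs would.
    print(te_module('mylogwatch', [SAMPLE_AVC] * 3))
```

The point of rendering the rule before installing it is that the output is exactly what would be granted, no more: here, `allow logwatch_t virsh_exec_t:file read;` lets the logwatch domain read the virsh binary and nothing else, and each further denial (execute, the libvirt socket, and so on) would add its own line to the same module. Reviewing that list is the check a practitioner wants before running `semodule -i` on the compiled module.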