[CentOS] SELinux vs. virsh

Mon Aug 25 12:56:46 UTC 2014
Bill Gee <bgee at campercaver.net>

On Sunday, August 24, 2014 06:45:14 Daniel J Walsh wrote:
> On 08/23/2014 10:45 AM, Bill Gee wrote:
> > On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
> >> On 08/21/2014 10:03 AM, Bill Gee wrote:
> >>> On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote:
> >>>> Re: [CentOS] SELinux vs. logwatch and virsh
> >>>> From: Daniel J Walsh <dwalsh at redhat.com>
> >>>> To: CentOS mailing list <centos at centos.org>
> >>>> 
> >>>> On 08/18/2014 02:13 PM, Bill Gee wrote:
> >>>>> Hi Dan -
> >>>>> 
> >>>>> "ausearch -m avc -ts recent" produces no output.  If I run it as
> >>>>> "ausearch -f virsh" then it produces output similar to this.  Each day's
> >>>>> run of logwatch produces three of these audit log entries.  The a1 and
> >>>>> a2 values are different for each entry, but everything else is the same.
> >>>>> 
> >>>>> ===============
> >>>>> time->Mon Aug 18 03:21:03 2014
> >>>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21
> >>>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
> >>>>> items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> >>>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash"
> >>>>> exe="/usr/bin/bash"
> >>>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> >>>>> type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
> >>>>> for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290
> >>>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> >>>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
> >>>>> ===============
> >>>>> 
> >>>>> I thought about using audit2allow as you suggest.  The problem is then
> >>>>> I don't really know what change is required.  What exactly will it
> >>>>> do?  And is there a guarantee that it will work?
> >>>> 
> >>>> logwatch is executing virsh probably to communicate with libvirt to
> >>>> rotate logs or something.  You can look in /etc/logrotate.d for a
> >>>> script with virsh to tell you what the command is trying to do.
> >>> 
> >>> Hi Dan -
> >>> 
> >>> I know EXACTLY what virsh is being called for.  I wrote the script!  It
> >>> has nothing to do with logrotate.  I want virsh to tell logwatch what the
> >>> status is of all virtual machines running on the host.  Logwatch will
> >>> then include that in its daily summary report.  SELinux is getting in
> >>> the way.
> >>> 
> >>> Regards - Bill Gee
> >>> _______________________________________________
> >>> CentOS mailing list
> >>> CentOS at centos.org
> >>> http://lists.centos.org/mailman/listinfo/centos
> >> 
> >> Well logrotate is calling the script, and you just need to add the allow
> >> rules to allow logrotate to execute the script and communicate with
> >> libvirt.   Or you need to run the script in a separate cron job to
> >> collect the data before the logrotate script runs.
> >> 
> > 
> > Hi Dan -
> > 
> > Oops, I screwed up the subject line on the last posting.  Hopefully
> > corrected with this message.
> > 
> > Comment - I changed my configuration so that virsh is run by a script in
> > cron.daily rather than being called from logwatch.  It saves output to a
> > file in /tmp.  Logwatch was changed to simply "cat" the file.  However,
> > this STILL produces an SELinux violation.  I am not any closer to the goal.
> > 
> > Question - How do I add an "allow" rule to SELinux?  What exactly is to be
> > allowed and how is SELinux told to do it?
> > 
> > Here is what ausearch finds:
> > 
> > =====================
> > time->Sat Aug 23 03:06:04 2014
> > type=SYSCALL msg=audit(1408781164.014:1373): arch=c000003e syscall=2
> > success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fffffffffff0000
> > a3=7fffb24e31d0 items=0 ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=127 comm="cat"
> > exe="/usr/bin/cat"
> > subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for 
> > pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471
> > scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> > 
> > =====================
> > 
> > Observation - My original idea on this is to have logwatch execute virsh
> > directly.  I know it is possible to make that work.  The same computer has
> > two other logwatch items that I created.  One of them runs uptime and the
> > other runs sensors.  Both work perfectly.  I see that the uptime and
> > sensors programs are set for SELinux type=bin_t, which is not the same as
> > what virsh is set for.  I think what I need to do is figure out how to
> > ADD (not replace) a new type on the virsh program.
> > 
> > Thanks - Bill Gee
> > 
> > 
> 
> Change your script to write it to /var/log/virsh.log, then everything
> should work.  I recommend that no privileged process ever write to /tmp;
> /tmp is for users.
> 
> logwatch can read log files, so SELinux requires it to have a log
> label.  The default label for anything created in /var/log is var_log_t,
> which is a log label.

I tried both /var/log and /var/cache/logwatch.  SELinux denies write 
permission in both.  Here is what ausearch shows:

=====================
time->Mon Aug 25 03:20:02 2014
type=SYSCALL msg=audit(1408954802.018:3920): arch=c000003e syscall=59 
success=yes exit=0 a0=1704490 a1=1703c60 a2=1704f40 a3=0 items=0 ppid=27898 
pid=27900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=469 comm="virsh" exe="/usr/bin/virsh" 
subj=system_u:system_r:virsh_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408954802.018:3920): avc:  denied  { write } for  
pid=27900 comm="virsh" path="/var/log/libvirt-status" dev="dm-0" ino=203140363 
scontext=system_u:system_r:virsh_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cron_log_t:s0 tclass=file

======================

It only fails when run by cron.  If I do "run-parts /etc/cron.daily" from a 
root login, then everything works as it should.

Bill Gee
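
Bill asks twice in this thread what audit2allow would actually do. The script below is an added example (not from the thread, and not the audit2allow project's own code): a shell/awk re-implementation of the core of what `audit2allow -M <name>` writes into `<name>.te` from AVC records, so the policy can be read before anything is loaded. Its input is the three `type=AVC` denials quoted above, copied verbatim, plus one shortened SYSCALL record to show that non-AVC lines are skipped. The function name `avc_to_te` and the module name `local_logwatch` are assumptions; `ausearch`, `audit2allow`, `semodule` and `semanage` are named in the comments as the real tools to run on the host and are not executed here.

```shell
#!/bin/sh
# Added example (not from the CentOS thread): minimal re-implementation of
# what "audit2allow -M <name>" derives from AVC records. Reads audit lines on
# stdin, writes a Type Enforcement (.te) module on stdout:
#   - a require block naming every type and every class/permission used
#   - one allow rule per (source type, target type, class), perms merged
# On a real host the equivalent is:
#   ausearch -m avc -ts recent | audit2allow -M local_logwatch
#   cat local_logwatch.te          # review this before loading anything
#   semodule -i local_logwatch.pp
avc_to_te() {
    mod=${1:-local_logwatch}          # module name: an assumption
    # Pass 1 emits tagged lines; pass 2 runs after "sort -u" so duplicates
    # collapse and the output is deterministic whatever awk is used.
    #   T <type>                        type to "require"
    #   C <class> <perm>                class/permission to "require"
    #   R <src> <tgt>:<class> <perm>    one permission of one allow rule
    awk '
    /type=AVC/ && /avc: +denied/ {
        line = $0
        perms = line; sub(/.*denied[ \t]*[{][ \t]*/, "", perms); sub(/[ \t]*[}].*/, "", perms)
        src = line;   sub(/.*scontext=/, "", src); sub(/[ \t].*/, "", src)
        tgt = line;   sub(/.*tcontext=/, "", tgt); sub(/[ \t].*/, "", tgt)
        cls = line;   sub(/.*tclass=/, "", cls);   sub(/[ \t].*/, "", cls)
        # contexts are user:role:type[:range]; the type is field 3
        split(src, s, ":"); split(tgt, t, ":")
        print "T " s[3]; print "T " t[3]
        n = split(perms, p, /[ \t]+/)
        for (i = 1; i <= n; i++) if (p[i] != "") {
            print "C " cls " " p[i]
            print "R " s[3] " " t[3] ":" cls " " p[i]
        }
    }' | LC_ALL=C sort -u | awk -v mod="$mod" '
    $1 == "T" { types = types "\ttype " $2 ";\n" }
    $1 == "C" { if (!($2 in cperm)) corder[++nc] = $2; cperm[$2] = cperm[$2] " " $3 }
    $1 == "R" { key = $2 " " $3; if (!(key in rule)) rorder[++nr] = key; rule[key] = rule[key] " " $4 }
    END {
        printf "module %s 1.0;\n\nrequire {\n%s", mod, types
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", corder[i], cperm[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) printf "allow %s {%s };\n", rorder[i], rule[rorder[i]]
    }'
}

# Sample input: the three AVC records quoted in the thread (copied verbatim)
# plus a shortened SYSCALL record, which the parser must ignore.
SAMPLE_AVC='type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21 success=no exit=-13 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1408954802.018:3920): avc:  denied  { write } for  pid=27900 comm="virsh" path="/var/log/libvirt-status" dev="dm-0" ino=203140363 scontext=system_u:system_r:virsh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file'

# Stand-alone run: print the module that would be generated for the thread's denials.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
```

Two things the generated text makes visible. First, audit2allow grants exactly what was denied and nothing more: the rule for the first denial only gives logwatch_t `read` on virsh_exec_t, so loading it does not by itself make logwatch able to run virsh; the job has to be rerun and ausearch checked again until it is clean, which is the honest answer to "is there a guarantee that it will work?". Second, a rule such as `allow virsh_t cron_log_t:file { write };` lets virsh write to every file labeled cron_log_t, not just this one, which is why Dan's label-based fix is the better route for the third denial: the usual explanation for "it only fails when run by cron" is that a file created in /var/log from a cron job domain receives cron_log_t through a type transition, while a root login shell creates a plain var_log_t file; assigning the file a suitable label with `semanage fcontext -a -t <type> <path>` followed by `restorecon <path>` keeps the policy change scoped to that one path.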