[CentOS] SELinux vs. virsh

Thu Aug 28 12:05:49 UTC 2014
Bill Gee <bgee at campercaver.net>

On Sunday, August 24, 2014 06:45:14 Daniel J Walsh wrote:
> On 08/23/2014 10:45 AM, Bill Gee wrote:
> > On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
> >> On 08/21/2014 10:03 AM, Bill Gee wrote:
> >>> On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote:
> >>>> Re: [CentOS] SELinux vs. logwatch and virsh
> >>>> From: Daniel J Walsh <dwalsh at redhat.com>
> >>>> To: CentOS mailing list <centos at centos.org>
> >>>> 
> >>>> On 08/18/2014 02:13 PM, Bill Gee wrote:
> >>>>> Hi Dan -
> >>>>> 
> >>>>> "ausearch -m avc -ts recent" produces no output.  If I run it as
> >>>>> "ausearch -f virsh" then it produces output similar to this.  Each day's
> >>>>> run of logwatch produces three of these audit log entries.  The a1 and a2
> >>>>> values are different for each entry, but everything else is the same.
> >>>>> 
> >>>>> ===============
> >>>>> time->Mon Aug 18 03:21:03 2014
> >>>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21
> >>>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
> >>>>> items=0  ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> >>>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash"
> >>>>> exe="/usr/bin/bash"
> >>>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> >>>>> type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read }
> >>>>> for  pid=2816  comm="bash" name="virsh" dev="dm-0" ino=135911290
> >>>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> >>>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
> >>>>> ===============
> >>>>> 
> >>>>> I thought about using audit2allow as you suggest.  The problem is then I
> >>>>> don't really know what change is required.  What exactly will it do?
> >>>>> And is there a guarantee that it will work?
> >>>> 
> >>>> logwatch is executing virsh probably to communicate with libvirt to
> >>>> rotate logs or something.  You can look in /etc/logrotate.d for a script
> >>>> with virsh to tell you what the command is trying to do.
> >>> 
> >>> Hi Dan -
> >>> 
> >>> I know EXACTLY what virsh is being called for.  I wrote the script!  It has
> >>> nothing to do with logrotate.  I want virsh to tell logwatch what the
> >>> status is of all virtual machines running on the host.  Logwatch will
> >>> then include that in its daily summary report.  SELinux is getting in the
> >>> way.
> >>> 
> >>> Regards - Bill Gee
> >>> _______________________________________________
> >>> CentOS mailing list
> >>> CentOS at centos.org
> >>> http://lists.centos.org/mailman/listinfo/centos
> >> 
> >> Well logrotate is calling the script, and you just need to add the allow
> >> rules to allow logrotate to execute the script and communicate with
> >> libvirt.   Or you need to run the script in a separate cron job to
> >> collect the data before the logrotate script runs.
> >> 
> > 
> > Hi Dan -
> > 
> > Oops, I screwed up the subject line on the last posting.  Hopefully
> > corrected with this message.
> > 
> > Comment - I changed my configuration so that virsh is run by a script in
> > cron.daily rather than being called from logwatch.  It saves output to a
> > file in /tmp.  Logwatch was changed to simply "cat" the file.  However,
> > this STILL produces an SELinux violation.  I am not any closer to the goal.
> > 
> > Question - How do I add an "allow" rule to SELinux?  What exactly is to be
> > allowed and how is SELinux told to do it?
> > 
> > Here is what ausearch finds:
> > 
> > =====================
> > time->Sat Aug 23 03:06:04 2014
> > type=SYSCALL msg=audit(1408781164.014:1373): arch=c000003e syscall=2
> > success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fffffffffff0000
> > a3=7fffb24e31d0 items=0 ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=127 comm="cat"
> > exe="/usr/bin/cat"
> > subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for 
> > pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471
> > scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> > 
> > =====================
> > 
> > Observation - My original idea on this is to have logwatch execute virsh
> > directly.  I know it is possible to make that work.  The same computer has
> > two other logwatch items that I created.  One of them runs uptime and the
> > other runs sensors.  Both work perfectly.  I see that the uptime and
> > sensors programs are set for SELinux type=bin_t, which is not the same as
> > what virsh is set for.  I think what I need to do is figure out how to
> > ADD (not replace) a new type on the virsh program.
> > 
> > Thanks - Bill Gee
> > 
> > 
> 
> Change your script to write it to /var/log/virsh.log, then everything
> should work.  I recommend that no privileged process ever write to /tmp;
> /tmp is for users.
> 
> logwatch can read log files, so SELinux requires it to have a log
> label.  The default label for anything created in /var/log is var_log_t,
> which is a log label.


Update:

I recently added a logwatch script to make it run hddtemp.  This was done in 
the same manner as the scripts for virsh.  Hddtemp fails with the same kind of 
message as virsh.

I extracted the audit report using ausearch, submitted it to audit2allow and 
produced a new policy file.  I then imported the new policy file using semodule 
-i.  The new modules do not work.  SELinux produces the same "permission 
denied" message.

Here are text versions of the new modules:

=====================

module libvirt.pol 1.0;

require {
        type logwatch_t;
        type virsh_exec_t;
        class file { read execute };
}

#============= logwatch_t ==============
allow logwatch_t virsh_exec_t:file { read execute };


module hddtemp.pol 1.0;

require {
        type logwatch_t;
        type fixed_disk_device_t;
        class blk_file read;
}

#============= logwatch_t ==============
allow logwatch_t fixed_disk_device_t:blk_file read;

==================

I verified that the new modules are loaded by running semodule --list.

One really curious thing about this is that I have another custom script for 
logwatch which is working!  I set up a script to run "sensors" and capture its 
output.  The sensors script works correctly.  The logwatch scripts for both 
virsh and hddtemp are the same as the sensors script, except for the command 
they call.

Another curious thing is that it all works perfectly when I "run-parts 
/etc/cron.daily" from a root login.  Why should SELinux regard that as 
different from when it is run by cron???

Bill Gee
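As an added example, not written by anyone in this thread, here is a small Python triage of the AVC records quoted above: it pulls the source type, target type, class and permissions out of each denial, prints the rule audit2allow would emit for it, and flags the two situations the thread runs into (a tmp-labelled file that Dan says should live under /var/log, and an exec type where a read rule alone cannot make the program runnable). The sample records are constructed copies of the lines quoted in the thread; the function names are my own.

```python
import re

# Constructed sample: the two AVC records quoted earlier in this thread.
AVC_SAMPLES = [
    'type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816  comm="bash" '
    'name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 comm="cat" '
    'path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')

def parse_avc(line):
    # Returns the fields that matter for a denial; SYSCALL records and other
    # non-AVC lines from an ausearch dump return None and are skipped.
    m = AVC_RE.search(line)
    if not m:
        return None
    obj = OBJ_RE.search(line)
    return {
        "perms": m.group("perms").split(),
        "source": m.group("scon").split(":")[2],   # type field of the subject context
        "target": m.group("tcon").split(":")[2],   # type field of the object context
        "tclass": m.group("tclass"),
        "object": obj.group(1) if obj else None,
    }

def allow_rule(rec):
    # The single rule audit2allow would emit for this denial (braces only for several perms).
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (rec["source"], rec["target"], rec["tclass"], p)

def triage(rec):
    # Classify the denial: relabel the object, expect further exec denials, or add policy.
    if rec["target"].endswith("_tmp_t"):
        return ("relabel", "object carries a tmp label; a confined reader such as logwatch_t "
                "expects a log label, so write it under /var/log (var_log_t) instead of /tmp")
    if rec["target"].endswith("_exec_t"):
        return ("exec", "target is an executable entrypoint type; allowing read alone is not enough, "
                "running it also needs execute plus execute_no_trans or a domain transition")
    return ("policy", "no labeling fix applies; the minimal rule is: " + allow_rule(rec))

for sample in AVC_SAMPLES:
    r = parse_avc(sample)
    print(r["object"], "->", triage(r)[0], "|", allow_rule(r))
```

Feed it the `type=AVC` lines from `ausearch -m avc` instead of the embedded sample to triage a live system; the "exec" case explains why a module generated from the first denial alone stops at the next missing permission rather than making virsh runnable.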