[CentOS] SELinux vs. virsh

Fri Aug 29 12:46:54 UTC 2014
Bill Gee <bgee at campercaver.net>

On Thursday, August 28, 2014 16:07:18 Jonathan Billings wrote:
> On Thu, Aug 28, 2014 at 10:29:50AM -0500, Bill Gee wrote:
> > Hmmm.......   OK, let's go back to my original goal.  I want
> > logwatch to include the output of "hddtemp /dev/sda" and "virsh
> > --list all" in its daily reports.  How is that to be accomplished?
> > 
> > Based on what you said above, I think the way to accomplish it is to
> > add some SELinux entry points to logwatch.  Cron is not the problem
> > since it apparently already has an entry point to logwatch.
> 
> It doesn't look like the EL6 policy sets a special file context on
> logwatch (at least, matchpathcon /usr/sbin/logwatch just says it's
> bin_t) so I think it must be still operating under Cron's context.
> 
> > When I ran "audit2allow" and "semodule -i" commands, was that
> > defining some new entry points?
> > 
> > Is there a way to see the entry points already defined for a given
> > SELinux type?
> 
> If you have the 'selinux-policy-doc' package installed, the man pages
> for the various services (man crond_selinux, for example) will list
> the entry points.  That's probably the easiest, however, if I look at
> the 'xm_selinux' man page (virsh has xm_exec_t as the file context) I
> see the only entry point for the xm_t domain is currently defined is
> xm_exec_t.  This means that the custom policy module will need to
> allow crond_t to execute xm_exec_t to transition to xm_t (I think).
> I'm sure someone with SELinux policy experience could comment further.

I think a bit of background got lost.  There have been several threads going 
around on this ...  For this I am using CentOS 7.  

The SELinux types are set like this:

-rwxr-xr-x. root root system_u:object_r:logwatch_exec_t:s0 /usr/share/logwatch/scripts/logwatch.pl
-rwxr-xr-x. root root system_u:object_r:virsh_exec_t:s0 /usr/bin/virsh
-rwxr-xr-x. root root system_u:object_r:crond_exec_t:s0 /usr/sbin/crond
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/local/sbin/hddtemp

In CentOS7 there is no package called selinux-policy-doc.  I do have man pages 
with names like crond_selinux.  I see entrypoints described in those pages, 
but I don't have any idea how to use them.  

How can I tell SELinux that logwatch_t is permitted to use virsh_t?  And for 
hddtemp, how can I tell SELinux that logwatch_t is permitted to read block 
devices?

I tried creating modules using audit2allow, but that did not work.

As an experiment, I have made logwatch_t permissive.  It works.  I now see 
both hddtemp and virsh output in the logwatch daily report.

semanage permissive -a logwatch_t

Although it works, it seems to me this is not the right way to do it.  It is 
better than setting the whole system to permissive.

Thanks - Bill Gee
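As an added example (not from the thread or from any of its authors), the following shell script writes the type-enforcement source for a small custom policy module covering the two gaps described above, and compiles and installs it with checkmodule, semodule_package and semodule -i. The types logwatch_t, virsh_t and virsh_exec_t are the ones shown in the message; fixed_disk_device_t is an assumption (the reference-policy type normally carried by /dev/sd* devices; confirm with ls -Z /dev/sda before relying on it); the module name logwatch_local and the function names are mine. The module includes a type_transition so that virsh keeps running in its own confined virsh_t domain instead of inheriting logwatch_t; that is one reason an audit2allow-generated module can fall short here, since audit2allow only emits allow rules for the denials it has seen and never a type_transition.

```shell
#!/bin/sh
# Added example: build and install an SELinux policy module that lets
# logwatch_t run /usr/bin/virsh (transitioning to virsh_t) and read
# fixed-disk block devices for hddtemp.  Not the thread's own code.
set -e

MODULE_NAME=logwatch_local

# Emit the type-enforcement (.te) source.  logwatch_t, virsh_t and
# virsh_exec_t come from the thread; fixed_disk_device_t is assumed to be
# the type on /dev/sda (check with `ls -Z /dev/sda`).
write_te() {
    cat <<'EOF'
module logwatch_local 1.0;

require {
    type logwatch_t;
    type virsh_t;
    type virsh_exec_t;
    type fixed_disk_device_t;
    class file { getattr open read execute };
    class process { transition sigchld };
    class fd use;
    class fifo_file { getattr ioctl read write };
    class blk_file { getattr ioctl open read };
}

# logwatch_t may execute /usr/bin/virsh and transition into virsh_t.
# On policies that define the file "map" permission (newer kernels),
# add map to both the require block and the rule below.
allow logwatch_t virsh_exec_t:file { getattr open read execute };
allow logwatch_t virsh_t:process transition;
type_transition logwatch_t virsh_exec_t:process virsh_t;

# The child (virsh_t) inherits logwatch's file descriptors, writes its
# output back through the pipe logwatch opened, and signals on exit.
allow virsh_t logwatch_t:fd use;
allow virsh_t logwatch_t:fifo_file { getattr ioctl read write };
allow virsh_t logwatch_t:process sigchld;

# hddtemp is bin_t, so it keeps running as logwatch_t; let that domain
# read the fixed-disk block device (assumed type fixed_disk_device_t).
allow logwatch_t fixed_disk_device_t:blk_file { getattr ioctl open read };
EOF
}

# Number of allow/type_transition rules in the generated source, used as a
# quick sanity check before compiling.
count_rules() {
    write_te | grep -c -E '^(allow|type_transition) '
}

# Compile and install: checkmodule -> semodule_package -> semodule -i.
# Run as root on the target host; needs checkpolicy and policycoreutils.
install_module() {
    dir=$(mktemp -d)
    write_te > "$dir/$MODULE_NAME.te"
    checkmodule -M -m -o "$dir/$MODULE_NAME.mod" "$dir/$MODULE_NAME.te"
    semodule_package -o "$dir/$MODULE_NAME.pp" -m "$dir/$MODULE_NAME.mod"
    semodule -i "$dir/$MODULE_NAME.pp"
    rm -rf "$dir"
}

if [ "${1:-}" = "install" ]; then
    install_module
fi
```

Usage: save the script and run it as root with the argument install; once the module is loaded, the temporary permissive setting can be removed with semanage permissive -d logwatch_t, and any remaining denials will show up in ausearch -m avc -ts recent. Keeping the list of allowed permissions this narrow (execute one binary, read one class of block device) is the point of writing the module by hand rather than making the whole domain permissive.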