On Sunday, August 24, 2014 06:45:14 Daniel J Walsh wrote:
> On 08/23/2014 10:45 AM, Bill Gee wrote:
> > On Friday, August 22, 2014 08:50:26 Daniel J Walsh wrote:
> >> On 08/21/2014 10:03 AM, Bill Gee wrote:
> >>> On Thursday, August 21, 2014 12:00:03 centos-request@xxxxxxxxxx wrote:
> >>>> Re: SELinux vs. logwatch and virsh
> >>>> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> >>>> To: CentOS mailing list <centos@xxxxxxxxxx>
> >>>>
> >>>> On 08/18/2014 02:13 PM, Bill Gee wrote:
> >>>>> Hi Dan -
> >>>>>
> >>>>> "ausearch -m avc -ts recent" produces no output. If I run it as
> >>>>> "ausearch -f virsh" then it produces output similar to this. Each day's
> >>>>> run of logwatch produces three of these audit log entries. The a1 and
> >>>>> a2 values are different for each entry, but everything else is the same.
> >>>>>
> >>>>> ===============
> >>>>> time->Mon Aug 18 03:21:03 2014
> >>>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21
> >>>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
> >>>>> items=0 ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
> >>>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash"
> >>>>> exe="/usr/bin/bash"
> >>>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> >>>>> type=AVC msg=audit(1408350063.257:7492): avc: denied { read }
> >>>>> for pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290
> >>>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> >>>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
> >>>>> ===============
> >>>>>
> >>>>> I thought about using audit2allow as you suggest. The problem is then
> >>>>> I don't really know what change is required. What exactly will it
> >>>>> do? And is there a guarantee that it will work?
> >>>>
> >>>> logwatch is executing virsh probably to communicate with libvirt to
> >>>> rotate logs or something. You can look in /etc/logrotate.d for a
> >>>> script with virsh to tell you what the command is trying to do.
> >>>
> >>> Hi Dan -
> >>>
> >>> I know EXACTLY what virsh is being called for. I wrote the script! It
> >>> has nothing to do with logrotate. I want virsh to tell logwatch what the
> >>> status is of all virtual machines running on the host. Logwatch will
> >>> then include that in its daily summary report. SELinux is getting in
> >>> the way.
> >>>
> >>> Regards - Bill Gee
> >>> _______________________________________________
> >>> CentOS mailing list
> >>> CentOS@xxxxxxxxxx
> >>> http://lists.centos.org/mailman/listinfo/centos
> >>
> >> Well logrotate is calling the script, and you just need to add the allow
> >> rules to allow logrotate to execute the script and communicate with
> >> libvirt. Or you need to run the script in a separate cron job to
> >> collect the data before the logrotate script runs.
> >
> > Hi Dan -
> >
> > Oops, I screwed up the subject line on the last posting. Hopefully
> > corrected with this message.
> >
> > Comment - I changed my configuration so that virsh is run by a script in
> > cron.daily rather than being called from logwatch. It saves output to a
> > file in /tmp. Logwatch was changed to simply "cat" the file. However,
> > this STILL produces an SELinux violation. I am not any closer to the
> > goal.
> >
> > Question - How do I add an "allow" rule to SELinux? What exactly is to be
> > allowed and how is SELinux told to do it?
> >
> > Here is what ausearch finds:
> >
> > =====================
> > time->Sat Aug 23 03:06:04 2014
> > type=SYSCALL msg=audit(1408781164.014:1373): arch=c000003e syscall=2
> > success=no exit=-13 a0=7fffb24e3da6 a1=0 a2=1fffffffffff0000
> > a3=7fffb24e31d0 items=0 ppid=25741 pid=25742 auid=0 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=127 comm="cat"
> > exe="/usr/bin/cat"
> > subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1408781164.014:1373): avc: denied { open } for
> > pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471
> > scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> > =====================
> >
> > Observation - My original idea on this is to have logwatch execute virsh
> > directly. I know it is possible to make that work. The same computer has
> > two other logwatch items that I created. One of them runs uptime and the
> > other runs sensors. Both work perfectly. I see that the uptime and
> > sensors programs are set for SELinux type=bin_t, which is not the same as
> > what virsh is set for. I think what I need to do is figure out how to
> > ADD (not replace) a new type on the virsh program.
> >
> > Thanks - Bill Gee
>
> Change your script to write it to /var/log/virsh.log, then everything
> should work. I recommend that no priv process ever write to /tmp, /tmp
> is for users.
>
> logwatch can read log files, so SELinux requires it to have a log
> label. The default label for anything created in /var/log is var_log_t,
> which is a log label.

I tried both /var/log and /var/cache/logwatch. SELinux denies write permission in both. Here is what ausearch shows:

=====================
time->Mon Aug 25 03:20:02 2014
type=SYSCALL msg=audit(1408954802.018:3920): arch=c000003e syscall=59
success=yes exit=0 a0=1704490 a1=1703c60 a2=1704f40 a3=0 items=0
ppid=27898 pid=27900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=469 comm="virsh" exe="/usr/bin/virsh"
subj=system_u:system_r:virsh_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408954802.018:3920): avc: denied { write } for
pid=27900 comm="virsh" path="/var/log/libvirt-status" dev="dm-0"
ino=203140363 scontext=system_u:system_r:virsh_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cron_log_t:s0 tclass=file
======================

It only fails when run by cron. If I do "run-parts /etc/cron.daily" from a root login, then everything works as it should.

Bill Gee
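The three denials in this thread all come down to a mismatch between the source domain (logwatch_t, virsh_t) and the label on the file it touches (virsh_exec_t, user_tmp_t, cron_log_t). The parser below is an added example, not code from the thread: it pairs each AVC record with its SYSCALL record by audit serial number and reduces the pair to the fields that matter for diagnosing a label problem. The sample records are reconstructed from the denials quoted above, with the register and uid fields dropped.

```python
import re
from collections import defaultdict

# Sample input reconstructed from the three denials quoted in this thread (a0..a3 and uid fields dropped).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21 success=no exit=-13 pid=2816 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408350063.257:7492): avc:  denied  { read } for  pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1408781164.014:1373): arch=c000003e syscall=2 success=no exit=-13 pid=25742 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408781164.014:1373): avc:  denied  { open } for  pid=25742 comm="cat" path="/tmp/libvirt-status" dev="dm-0" ino=768471 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1408954802.018:3920): arch=c000003e syscall=59 success=yes exit=0 pid=27900 comm="virsh" exe="/usr/bin/virsh" subj=system_u:system_r:virsh_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408954802.018:3920): avc:  denied  { write } for  pid=27900 comm="virsh" path="/var/log/libvirt-status" dev="dm-0" ino=203140363 scontext=system_u:system_r:virsh_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
"""

RECORD_RE = re.compile(r'type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):\s*(?P<body>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted
PERM_RE = re.compile(r'denied\s+\{ ([^}]*) \}')   # the permissions SELinux refused

def selinux_type(context):
    return context.split(':')[2]   # user:role:type:range -> type, e.g. logwatch_t

def parse_audit(text):
    """Group SYSCALL and AVC records that share one audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m['body'])}
        if m['type'] == 'AVC':
            events[m['serial']]['avc'] = fields
            events[m['serial']]['perms'] = PERM_RE.search(m['body']).group(1).split()
        elif m['type'] == 'SYSCALL':
            events[m['serial']]['syscall'] = fields
    return events

def summarise(events):
    """One dict per denial: which domain was refused what on which file label."""
    rows = []
    for serial, ev in events.items():
        if 'avc' not in ev:            # a SYSCALL record with no AVC is not a denial
            continue
        avc = ev['avc']
        rows.append({
            'serial': serial, 'comm': avc['comm'], 'perms': ev['perms'],
            'source_type': selinux_type(avc['scontext']),
            'target_type': selinux_type(avc['tcontext']),
            'target': avc.get('path') or avc.get('name'),
            'exe': ev.get('syscall', {}).get('exe'),   # from the paired SYSCALL record
        })
    return rows
```

Run over a real `ausearch -m avc` dump, the `source_type`/`target_type` pair is what `audit2allow` would turn into an allow rule; seeing it explicitly shows whether the right fix is a rule or, as in the thread, a different file label.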