Re: No audit lines produced


 



On 05/15/2012 12:09 PM, Dominick Grift wrote:
Run semodule -DB to build a policy database without the dontaudit rules.
Run semodule -B to build a policy database (with the dontaudit rules
included)

On Tue, 2012-05-15 at 11:37 +0100, Jonathan Gazeley wrote:
I'm trying to debug a Nagios plugin that isn't playing nicely with
SELinux. It executes a system binary to get statistics about DHCP pool
usage, and obviously SELinux stamps on that access and the plugin only
returns partial data.

In Permissive mode the plugin works, in Enforcing it doesn't. But in
neither mode are there any debug messages in audit.log

[jg4461@dhcp1 ~]$ sudo setenforce 0
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
check_dhcpd_pools
OK - all pools less than 80% full | MAYHEM! rnw-652=45.491%;80;90,
rnw-653=47.619%;80;90, rnw-654=51.570%;80;90, rnw-655=45.998%;80;90,
rnw-656=49.949%;80;90, rnw-657=48.126%;80;90, rnw-658=45.390%;80;90,
rnw-659=0.101%;80;90, rnw-ratelimited-660=0.811%;80;90,
rnw-onlinepayment-661=0.507%;80;90, rnw-onlinepayment-662=0.304%;80;90,
rnw-onlinepayment-663=0.405%;80;90, rnw-consoles-665=1.317%;80;90,
rnw-message-666=0.101%;80;90, rnw-instructions-667=9.411%;80;90

[jg4461@dhcp1 ~]$ sudo setenforce 1
[jg4461@dhcp1 ~]$ /usr/lib64/nagios/plugins/check_nrpe -H localhost -c
check_dhcpd_pools
OK - all pools less than 80% full |

Regardless of the SELinux mode, the same 3 log lines are printed in
audit.log:

type=USER_CMD msg=audit(1337077807.188:273642): user pid=1593 uid=0
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/"
cmd="/usr/lib64/nagios/plugins/check_dhcpd_pools" terminal=? res=success'
type=CRED_ACQ msg=audit(1337077807.191:273643): user pid=1594 uid=0
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=?
terminal=? res=success'
type=USER_START msg=audit(1337077807.191:273644): user pid=1594 uid=0
auid=56933 ses=12137 subj=unconfined_u:system_r:nrpe_t:s0
msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=?
addr=? terminal=? res=success'


Anyone have any idea how I can see the deny messages and make a policy
from them?

Cheers,
Jonathan
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

So execute

# semodule -DB
re-test it
# ausearch -m avc -ts recent
# semodule -B


Also we will need to add labeling for the check_dhcpd_pools plugin.
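
With the dontaudit rules disabled, `ausearch -m avc` returns denials from every domain, not only the plugin's. The following added example (not part of the original thread) filters AVC records to the `nrpe_t` source domain seen in the audit lines above and merges the denied permissions per target type and class. The sample records, target types and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread): two denials from the
# nrpe_t domain, one unrelated denial that only appears once dontaudit
# rules are disabled, and one non-AVC record.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1337078000.050:273699): user pid=1700 uid=0 subj=unconfined_u:system_r:nrpe_t:s0 msg='cwd="/" terminal=? res=success'
type=AVC msg=audit(1337078000.101:273700): avc:  denied  { read } for  pid=1701 comm="dhcpd-pools" name="dhcpd.leases" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
type=AVC msg=audit(1337078000.102:273701): avc:  denied  { open } for  pid=1701 comm="dhcpd-pools" name="dhcpd.leases" dev=dm-0 ino=4242 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file
type=AVC msg=audit(1337078000.090:273698): avc:  denied  { execute } for  pid=1701 comm="check_dhcpd_poo" name="dhcpd-pools" dev=dm-0 ino=5151 scontext=unconfined_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1337078001.300:273702): avc:  denied  { noatsecure rlimitinh siginh } for  pid=1800 comm="sshd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def selinux_type(context):
    # A context is user:role:type[:level]; the type is always the third field,
    # even when the MLS level itself contains further colons.
    return context.split(":")[2]


def summarize_denials(log_text, source_type="nrpe_t"):
    """Return {(target_type, tclass): sorted permissions} for one source domain."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial (USER_CMD, CRED_ACQ, separators, ...)
        perms, scontext, tcontext, tclass = match.groups()
        if selinux_type(scontext) != source_type:
            continue  # noise from other domains exposed by semodule -DB
        merged[(selinux_type(tcontext), tclass)].update(perms.split())
    return {key: sorted(perms) for key, perms in merged.items()}


if __name__ == "__main__":
    for (target, tclass), perms in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"nrpe_t -> {target}:{tclass} {{ {' '.join(perms)} }}")
```

On a live system the same function can be given the text printed by the `ausearch -m avc -ts recent` step instead of `SAMPLE_LOG`.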
