Hello everyone -

I am stumped ... Does anyone have suggestions on how to proceed? Is there a way to get what I want?

The environment: CentOS 7.0 with latest patches.

The goal: I want logwatch to include a report on the status of KVM virtual computers.

The problem: When run from anacron, SELinux denies permission for the virsh utility. Here is a portion of the logwatch output:

--------------------- KVM libvirt status report Begin ------------------------

Date Range: yesterday
/etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission denied

---------------------- KVM libvirt status report End -------------------------

If I "run-parts /etc/cron.daily" from a root console, it all works. Same if I run "logwatch" from a root console.

I set SELinux to permissive and that allows virsh to run. Therefore I know it is something to do with SELinux.

The logwatch script is:

#Lots of comments
/usr/bin/virsh list --all

I see the SELinux security context of virsh is

system_u:object_r:virsh_exec_t:s0

while logwatch.pl runs as

system_u:object_r:logwatch_exec_t:s0

As I understand it, SELinux does not permit having multiple type settings for a file. Any file can have exactly one type setting.

I ran this command hoping it would add another type to the virsh program.

semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh

semanage fcontext --list /usr/bin/virsh | grep virsh
/usr/bin/virsh        all files       system_u:object_r:logwatch_exec_t:s0
/usr/bin/virsh        regular file    system_u:object_r:virsh_exec_t:s0
/usr/sbin/xl          regular file    system_u:object_r:virsh_exec_t:s0
/usr/sbin/xm          regular file    system_u:object_r:virsh_exec_t:s0

Semanage did add the new type, but that did not fix the problem. Virsh still gets "permission denied" when logwatch tries to run it.

Thanks - Bill Gee
On 08/14/2014 11:02 AM, Bill Gee wrote:
> [...]
> Semanage did add the new type, but that did not fix the problem. Virsh still gets
> "permission denied" when logwatch tries to run it.
> Thanks - Bill Gee
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

What AVC messages are you seeing?

ausearch -m avc -ts recent

I would put the machine in permissive mode, run your tests and then add the allow rules using

audit2allow -M mylogwatch
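An added worked example of the procedure in this reply (it is not code from the thread, from logwatch or from the SELinux tools): it turns AVC denial records into the allow rules that audit2allow -M would emit, so the policy can be read before it is loaded. The three AVC lines are constructed to match the symptom described above (logwatch's shell script exec'ing /usr/bin/virsh while SELinux is permissive); the source domain logwatch_t and the second target type virt_var_run_t are assumptions, not values taken from the thread.

```bash
#!/bin/bash
# Added example, not from the thread. Converts raw AVC records (as printed by
# "ausearch -m avc -ts recent") into SELinux TE allow rules, merging the
# permissions seen for each (source type, target type, class) triple.
set -u

# CONSTRUCTED sample records. The logwatch_t domain and the virt_var_run_t
# socket type are assumptions; the shape matches what auditd logs in
# permissive mode when a logwatch script execs /usr/bin/virsh.
SAMPLE_AVC='type=AVC msg=audit(1408032000.101:301): avc:  denied  { execute } for  pid=2231 comm="libvirt" name="virsh" dev="dm-0" ino=1310829 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(1408032000.102:302): avc:  denied  { execute_no_trans } for  pid=2231 comm="libvirt" path="/usr/bin/virsh" dev="dm-0" ino=1310829 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(1408032000.150:303): avc:  denied  { write } for  pid=2231 comm="virsh" name="libvirt-sock" dev="tmpfs" ino=22140 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file'

# $1 = "rules" (allow lines only) or "module" (full .te source), $2 = module name.
# Reads AVC records on stdin.
_avc_awk() {
    awk -v mode="$1" -v name="$2" '
    /avc: +denied/ {
        # permissions sit between the first "{ ... }" after "denied"
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            # scontext=user:role:type:level -> the type is the third field
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "" || ttype == "" || tclass == "") next
        key = stype " " ttype ":" tclass
        if (!(key in rules)) { order[++n] = key; rules[key] = "" }
        types[stype] = 1; types[ttype] = 1
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen)) {           # merge perms per rule, no repeats
                seen[key, p[j]] = 1
                rules[key] = rules[key] (rules[key] == "" ? "" : " ") p[j]
            }
            if (!((tclass, p[j]) in cseen)) {       # perms per class for the require block
                cseen[tclass, p[j]] = 1
                cperms[tclass] = cperms[tclass] (cperms[tclass] == "" ? "" : " ") p[j]
            }
        }
    }
    END {
        if (mode == "module") {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (t in types)  printf "\ttype %s;\n", t
            for (c in cperms) printf "\tclass %s { %s };\n", c, cperms[c]
            printf "}\n\n"
        }
        for (i = 1; i <= n; i++) printf "allow %s { %s };\n", order[i], rules[order[i]]
    }'
}

avc_to_allow() { _avc_awk rules ""; }       # just the allow rules, for review
avc_to_te()    { _avc_awk module "$1"; }    # a loadable module source named $1

# The workflow from the reply, on the CentOS 7 host itself. Needs root,
# auditd and policycoreutils; it is not exercised by the sample run below.
build_and_load() {   # $1 = module name, e.g. mylogwatch
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    setenforce 0                                  # permissive: log, do not block
    logwatch                                      # reproduce the denial
    setenforce 1
    ausearch -m avc -ts recent > "/root/$1.avc"
    avc_to_te "$1" < "/root/$1.avc"               # read the rules before loading
    audit2allow -M "$1" < "/root/$1.avc"          # writes $1.te and $1.pp in cwd
    semodule -i "$1.pp"
}

# Sample run on the constructed records:
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

With the constructed records the output is two rules, `allow logwatch_t virsh_exec_t:file { execute execute_no_trans };` and `allow logwatch_t virt_var_run_t:sock_file { write };`. Note that these rules let virsh run inside the logwatch domain rather than transitioning to the virsh domain, so every further access virsh needs shows up as its own AVC and has to be collected in the same permissive run; review the merged list and keep it to what the report actually needs before loading the module.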
On 08/14/2014 11:02 AM, Bill Gee wrote:
> [...]
BTW if you think this is something we should do in general in such a way as logwatch can only look at the content in Read Only mode, then we might want it to become default.