On 08/21/2014 10:03 AM, Bill Gee wrote:
> On Thursday, August 21, 2014 12:00:03 centos-request at centos.org wrote:
>> Re: [CentOS] SELinux vs. logwatch and virsh
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> To: CentOS mailing list <centos at centos.org>
>>
>> On 08/18/2014 02:13 PM, Bill Gee wrote:
>>> Hi Dan -
>>>
>>> "ausearch -m avc -ts recent" produces no output. If I run it as "ausearch
>>> -f virsh" then it produces output similar to this. Each day's run of
>>> logwatch produces three of these audit log entries. The a1 and a2 values
>>> are different for each entry, but everything else is the same.
>>>
>>> ==============
>>> time->Mon Aug 18 03:21:03 2014
>>> type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21
>>> success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640
>>> items=0 ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>> egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash"
>>> subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
>>> type=AVC msg=audit(1408350063.257:7492): avc: denied { read }
>>> for pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290
>>> scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
>>> tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
>>> ==============
>>>
>>> I thought about using audit2allow as you suggest. The problem is then I
>>> don't really know what change is required. What exactly will it
>>> do? And is there a guarantee that it will work?
>> logwatch is executing virsh probably to communicate with libvirt to
>> rotate logs or something. You can look in /etc/logrotate.d for a script
>> with virsh to tell you what the command is trying to do.
> Hi Dan -
>
> I know EXACTLY what virsh is being called for. I wrote the script! It has
> nothing to do with logrotate. I want virsh to tell logwatch what the status
> is of all virtual machines running on the host. Logwatch will then include
> that in its daily summary report. SELinux is getting in the way.
>
> Regards - Bill Gee
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Well, logrotate is calling the script, and you just need to add the allow
rules to allow logrotate to execute the script and communicate with
libvirt. Or you need to run the script in a separate cron job to
collect the data before the logrotate script runs.
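The denial quoted in the thread (logwatch_t denied read on a file of type virsh_exec_t) is exactly the kind of record audit2allow turns into a policy rule, and Bill's question was what that rule would be. The following script is an added example, not code from this thread or from the audit2allow tool: it parses type=AVC records in the form ausearch prints them, merges the denied permissions per (source type, target type, class) the way audit2allow groups its output, and prints the resulting allow rule so it can be read and judged before anything is loaded with semodule. The first event in the embedded sample is the one quoted above; the second (serial 7493, permission "execute") is a constructed, assumed follow-on denial included only to show how permissions from several events are merged.

```python
"""Turn SELinux AVC denials into the allow rule audit2allow would propose.

Added example for the thread above; not code from the list or from the
audit2allow project.  The parsing and grouping mirror what audit2allow does,
so the rule can be read and judged before anything is loaded with semodule.
"""
import re
from collections import defaultdict

# Constructed sample in the form ausearch prints.  The first event is the one
# quoted in the thread; the second (serial 7493, permission "execute") is an
# assumed follow-on denial, added only to show how permissions are merged.
SAMPLE_AUDIT = """\
time->Mon Aug 18 03:21:03 2014
type=SYSCALL msg=audit(1408350063.257:7492): arch=c000003e syscall=21 success=no exit=-13 a0=11ee230 a1=4 a2=7fff722837b0 a3=7fff72283640 items=0 ppid=2815 pid=2816 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=981 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1408350063.257:7492): avc: denied { read } for pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
----
time->Mon Aug 18 03:21:04 2014
type=AVC msg=audit(1408350064.101:7493): avc: denied { execute } for pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; a value is either a double-quoted string or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(text):
    """Return one dict per type=AVC record; SYSCALL, time-> and ---- lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "serial": int(m.group("serial")),
            "verdict": m.group("verdict"),
            "perms": set(m.group("perms").split()),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
            "comm": fields.get("comm"),
            "name": fields.get("name"),
        })
    return records


def type_of(context):
    """Type field of a user:role:type[:range] SELinux context, e.g. logwatch_t."""
    return context.split(":")[2]


def denied_triples(records):
    """Sorted set of (source type, target type, class) over the denied records."""
    return sorted({(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
                   for r in records if r["verdict"] == "denied"})


def proposed_rules(records):
    """Merge denied permissions per (source type, target type, class) and
    render them as TE allow rules, the way audit2allow groups its output."""
    merged = defaultdict(set)
    for r in records:
        if r["verdict"] == "denied":
            merged[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return rules


def review_hints(records):
    """Reviewer heuristic (mine, not audit2allow's): a denial whose target type
    ends in _exec_t means the source domain is trying to run another program.
    Allowing only the denied bits rarely finishes the job, because the helper
    then needs its own permissions (here: talking to libvirt), which is why the
    thread's alternative is to collect the data from a separate cron job."""
    return ["%s is trying to execute a %s program; decide whether %s should run it "
            "at all before allowing" % (stype, ttype, stype)
            for stype, ttype, _ in denied_triples(records) if ttype.endswith("_exec_t")]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for rec in recs:
        print("event %d: %s in %s -> %s:%s %s" % (rec["serial"], rec["comm"],
              type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"],
              sorted(rec["perms"])))
    print("#============= proposed local policy ==============")
    for rule in proposed_rules(recs):
        print(rule)
    for hint in review_hints(recs):
        print("# review: " + hint)
```

On the host, the equivalent pipeline is `ausearch -m avc -ts today | audit2allow -M logwatch_virsh`, then reading the generated `logwatch_virsh.te` (it will contain the same kind of `allow logwatch_t virsh_exec_t:file ...;` line the script prints) and only then `semodule -i logwatch_virsh.pp`. Two things worth knowing when reproducing Bill's search: `ausearch -ts recent` covers only the last ten minutes, so a 03:21 denial queried later in the day is outside that window, and a read denial on an `_exec_t` type is usually the first of a chain, so the rule audit2allow derives from one event is rarely the whole fix.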