Displaying 2 results from an estimated 2 matches for "virsh_exec_t".
2014 Aug 14
2
SELinux vs. logwatch and virsh
...un "logwatch"
from a root console.
I set SELinux to permissive and that allows virsh to run. Therefore I know it is
something to do with SELinux.
The logwatch script is:
#Lots of comments
/usr/bin/virsh list --all
I see the SELinux security context of virsh is
system_u:object_r:virsh_exec_t:s0
while logwatch.pl runs as
system_u:object_r:logwatch_exec_t:s0
As I understand it, SELinux does not permit having multiple type settings for a file. Any
file can have exactly one type setting.
I ran this command hoping it would add another type to the virsh program.
semanage fcontext...
2014 Aug 21
1
CentOS Digest, Vol 115, Issue 21
...c0.c1023 key=(null)
> > type=AVC msg=audit(1408350063.257:7492): avc: denied { read }
> > for pid=2816 comm="bash" name="virsh" dev="dm-0" ino=135911290
> > scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
> > ===============
> >
> > I thought about using audit2allow as you suggest. The problem is then I
> > don't really know what change is required. What exactly will it
> > do? And is there a guarantee that it will work?
>
> logwatch is ex...