Hi,

SELinux is quite cumbersome for someone which not used it before.

stat /var/log/anvraidcheck.log 
#  File: ‘/var/log/anvraidcheck.log’
#  Size: 75              Blocks: 8          IO Block: 4096   regular file
# Device: fd08h/64776d    Inode: 138         Links: 1
# Access: (0666/-rw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
# Context: system_u:object_r:cron_log_t:s0

ps -eZ | grep snmpd
# system_u:system_r:snmpd_t:s0     1835 ?        00:02:00 snmpd


How to enforce this policy (if its correct of course)?

allow snmpd_t cron_log_t:file { read };



On 29 May 2020, at 12:31, Alan <alan@griff.me.uk> wrote:

When running from the terminal you are unconfined, hence it runs without error.

Probably your only option is to create custom policy to allow this. Although I would question why the log file you are reading is cron_log_t and not var_log_t.


---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski <andreil1@starlett.lv> wrote ----

Hi !

I’m struggling with SELinux blocking SNMP script from reading log file (oVirt node manually installed on CentOS 7).
Log file is readable by all (chmod ugo+r).

Scripts working fine when executed from terminal.

I did not dig deep into CentOS internals, I’m mostly use Debian and SuSE. As far as I know, SELinux can’t be turned off on oVirt node.

Thanks in advance for any suggestion(s).


**********************

option in snmpd.conf

extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh


**********************
script 4anvcheckraid_hp.sh

#!/bin/bash

LOGFILE='/var/log/anvraidcheck.log'

if [ ! -f $LOGFILE ]; then
exit 0
fi

# Variant 1 with sed
sed '/^[ \t]*$/d' $LOGFILE | while read line; do
echo "$line"
exit 1
done

# Variant 2 without sed
while read line
do
if [[ "$line" =~ [^[:space:]] ]]; then
echo "$line"
exit 1
fi
done < $LOGFILE


**********************

SELinux audit log:

type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0

type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/