Hi,
you could start with:
cat /var/log/audit/audit.log | grep denied | audit2why
The messages are quite clear.
After that you could also refine a little bit more:
cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd
Remember to renew audit.log sometimes, in order to filter errors more precisely.
--
Cordialement / Best regards, Michaël Couren,
ABES, Montpellier, France.
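The grep / audit2allow procedure in the reply above, as an added example that is not part of the thread and not any poster's code: a POSIX shell pipeline that derives, from AVC lines, the same kind of `allow` rule audit2allow would generate, and writes it into type-enforcement (.te) module source so the rule can be read before it is loaded. The sample denials are constructed from the two quoted further down in the thread plus one made-up `open` denial, to show how permissions for the same source/target/class are merged; the module name my_snmpd_raidlog is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: do by hand what "audit2allow"
# derives from AVC denials, so the resulting rule can be reviewed before it
# is loaded with semodule.

# Constructed sample: the two denials quoted in the thread plus one made-up
# "open" denial (pid 12143, comm "cat") to exercise permission merging.
SAMPLE_AVC='type=AVC msg=audit(1590673970.198:469304): avc:  denied  { read } for  pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc:  denied  { read } for  pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673971.000:469305): avc:  denied  { open } for  pid=12143 comm="cat" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0'

# avc_to_allow: read audit lines on stdin, emit one "allow" rule per
# (source type, target type, class) with the sorted union of denied permissions.
# Non-AVC lines (SYSCALL, CWD, ...) are ignored.
avc_to_allow() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        # permissions are the words between "{" and "}"
        p = $0; sub(/.*denied *[{] */, "", p); sub(/ *[}].*/, "", p)
        # the type is the third field of a user:role:type:level context
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        n = split(p, perms, " ")
        for (i = 1; i <= n; i++) printf "%s\t%s:%s\t%s\n", s[3], t[3], c, perms[i]
    }' | sort -u | awk -F'\t' '
    {
        key = $1 " " $2
        if (key != prev) {
            if (prev != "") printf "allow %s { %s };\n", prev, perms
            prev = key; perms = $3
        } else perms = perms " " $3
    }
    END { if (prev != "") printf "allow %s { %s };\n", prev, perms }'
}

# allow_to_te: read "allow" rules on stdin and print a complete .te module
# source named $1, with the "require" block the rules need.
allow_to_te() {
    awk -v mod="$1" '
    /^allow / {
        rules[++n] = $0
        split($3, tc, ":")                  # "cron_log_t:file" -> type, class
        types[$2] = 1; types[tc[1]] = 1
        p = $0; sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
        m = split(p, pa, " ")
        for (i = 1; i <= m; i++)
            if (!((tc[2], pa[i]) in seen)) {
                seen[tc[2], pa[i]] = 1
                cp[tc[2]] = cp[tc[2]] (cp[tc[2]] == "" ? "" : " ") pa[i]
            }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (t in types) printf "\ttype %s;\n", t
        for (c in cp)    printf "\tclass %s { %s };\n", c, cp[c]
        printf "}\n\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# Stand-alone run: the rule and module source for the constructed denials.
# On a real host the input would be:  grep denied /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | allow_to_te my_snmpd_raidlog

# To build and load the module on the host (root, checkpolicy and
# policycoreutils required):
#   checkmodule -M -m -o my_snmpd_raidlog.mod my_snmpd_raidlog.te
#   semodule_package -o my_snmpd_raidlog.pp -m my_snmpd_raidlog.mod
#   semodule -i my_snmpd_raidlog.pp
```

The rule is exactly as broad as audit2allow's would be: it lets snmpd_t read every file labelled cron_log_t, not only this one log. That is why Alan's question about the label matters; relabelling the file to var_log_t with `semanage fcontext -a -t var_log_t '/var/log/anvraidcheck.log'` followed by `restorecon -v /var/log/anvraidcheck.log` keeps the change scoped to that file, and whether a custom module is still needed afterwards is answered by re-running the script and checking the audit log for new denials.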
----- On 29 May 20, at 15:14, Andrei Verovski andreil1(a)starlett.lv wrote:
> Hi,
>
> SELinux is quite cumbersome for someone who has not used it before.
>
> stat /var/log/anvraidcheck.log
> # File: ‘/var/log/anvraidcheck.log’
> # Size: 75 Blocks: 8 IO Block: 4096 regular file
> # Device: fd08h/64776d Inode: 138 Links: 1
> # Access: (0666/-rw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
> # Context: system_u:object_r:cron_log_t:s0
>
> ps -eZ | grep snmpd
> # system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
>
>
> How to enforce this policy (if it's correct, of course)?
>
> allow snmpd_t cron_log_t:file { read };
>
>
>
>> On 29 May 2020, at 12:31, Alan <alan(a)griff.me.uk> wrote:
>>
>> When running from the terminal you are unconfined, hence it runs without error.
>>
>> Probably your only option is to create custom policy to allow this. Although I
>> would question why the log file you are reading is cron_log_t and not
>> var_log_t.
>>
>>
>> ---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski <andreil1(a)starlett.lv>
>> wrote ----
>>
>> Hi !
>>
>> I’m struggling with SELinux blocking an SNMP script from reading a log file (oVirt
>> node manually installed on CentOS 7).
>> The log file is readable by all (chmod ugo+r).
>>
>> The scripts work fine when executed from a terminal.
>>
>> I did not dig deep into CentOS internals; I mostly use Debian and SuSE. As far
>> as I know, SELinux can’t be turned off on an oVirt node.
>>
>> Thanks in advance for any suggestion(s).
>>
>>
>> **********************
>>
>> option in snmpd.conf
>>
>> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
>>
>>
>> **********************
>> script 4anvcheckraid_hp.sh
>>
>> #!/bin/bash
>>
>> LOGFILE='/var/log/anvraidcheck.log'
>>
>> # Nothing to report if the log does not exist
>> if [ ! -f "$LOGFILE" ]; then
>>   exit 0
>> fi
>>
>> # Variant 1 with sed: drop blank lines, print the first remaining line and
>> # signal an error. Note that the while loop runs in a subshell here, so
>> # "exit 1" only ends the pipeline and the script continues below.
>> sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do
>>   echo "$line"
>>   exit 1
>> done
>>
>> # Variant 2 without sed: same result, but the loop runs in the main shell,
>> # so "exit 1" ends the script
>> while read -r line
>> do
>>   if [[ "$line" =~ [^[:space:]] ]]; then
>>     echo "$line"
>>     exit 1
>>   fi
>> done < "$LOGFILE"
>>
>>
>> **********************
>>
>> SELinux audit log:
>>
>> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142
>> comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138
>> scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0
>> tclass=file permissive=0
>>
>> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141
>> comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138
>> scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0
>> tclass=file permissive=0
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MYWS2S57UP5...
>>
>>
>