
Hi, you could start with:

cat /var/log/audit/audit.log | grep denied | audit2why

The messages are quite clear. After that you could also refine a little bit more:

cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd

Remember to renew audit.log sometimes, in order to filter errors more precisely.

--
Cordialement / Best regards,
Michaël Couren, ABES, Montpellier, France.

----- On 29 May 2020 at 15:14, Andrei Verovski andreil1@starlett.lv wrote:
Hi,
SELinux is quite cumbersome for someone who has not used it before.
stat /var/log/anvraidcheck.log
# File: ‘/var/log/anvraidcheck.log’
# Size: 75 Blocks: 8 IO Block: 4096 regular file
# Device: fd08h/64776d Inode: 138 Links: 1
# Access: (0666/-rw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
# Context: system_u:object_r:cron_log_t:s0

ps -eZ | grep snmpd
# system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
How to enforce this policy (if it's correct, of course)?
allow snmpd_t cron_log_t:file { read };
On 29 May 2020, at 12:31, Alan <alan@griff.me.uk> wrote:
When running from the terminal you are unconfined, hence it runs without error.
Probably your only option is to create custom policy to allow this. Although I would question why the log file you are reading is cron_log_t and not var_log_t.
---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski <andreil1@starlett.lv> wrote ----
Hi !
I’m struggling with SELinux blocking an SNMP script from reading a log file (oVirt node manually installed on CentOS 7). The log file is readable by all (chmod ugo+r).
The scripts work fine when executed from the terminal.
I did not dig deep into CentOS internals; I mostly use Debian and SuSE. As far as I know, SELinux can’t be turned off on an oVirt node.
Thanks in advance for any suggestion(s).
**********************
option in snmpd.conf
extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
**********************
script 4anvcheckraid_hp.sh
#!/bin/bash
LOGFILE='/var/log/anvraidcheck.log'

# No log file means nothing has been reported: exit 0 with empty output for snmpd.
if [ ! -f "$LOGFILE" ]; then
    exit 0
fi

# Variant 1 with sed: drop blank lines, print the first remaining one and exit 1.
# The loop reads from a process substitution rather than a pipe so that "exit 1"
# terminates the script itself and not only a pipeline subshell.
while read -r line; do
    echo "$line"
    exit 1
done < <(sed '/^[ \t]*$/d' "$LOGFILE")

# Variant 2 without sed: same check, skipping whitespace-only lines in bash.
while read -r line; do
    if [[ "$line" =~ [^[:space:]] ]]; then
        echo "$line"
        exit 1
    fi
done < "$LOGFILE"
**********************
SELinux audit log:
type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/3MICJMAXCALWNS...
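As an added example (not code from this thread and not audit2allow's own source), the following Python reproduces what `audit2allow -M my_module_for_snmpd` derives from the two AVC records quoted above: it parses the denial, takes the type field out of the source and target contexts, merges permissions per (source, target, class) and writes the `.te` source with its `require` block. A third AVC line for `open` on the same file is constructed here (not from the thread) to show how permissions on one source/target/class pair are merged into a single rule. The helper names, the module name and version are my own choices.

```python
import re

# Matches the fields of an SELinux AVC denial as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scon>\S+)"
    r".*?tcontext=(?P<tcon>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# Two denials quoted in the thread plus one constructed line (a hypothetical
# follow-up denial for "open" on the same file) to show how permissions get merged.
SAMPLE_AVC = [
    'type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0',
    # constructed sample, not taken from the thread:
    'type=AVC msg=audit(1590674000.000:469400): avc: denied { open } for pid=12150 comm="sed" path="/var/log/anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0',
]


def parse_avc(line):
    """Return (source type, target type, class, perms) for one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def collect_rules(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL, CWD, PATH records etc. carry no denial
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules


def render_allow(rules):
    """One allow rule per (source, target, class), the form audit2allow prints."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]


def render_te(module, version, rules):
    """Full type-enforcement source, the shape audit2allow -M writes to <module>.te."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = {}
    for (_, _, c), perms in rules.items():
        classes.setdefault(c, set()).update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += render_allow(rules)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te("my_module_for_snmpd", "1.0", collect_rules(SAMPLE_AVC)))
```

Reading the generated `.te` before running `semodule -i` is the step worth keeping: `grep snmpd` over audit.log collects every denial snmpd_t ever hit, so the module can end up wider than the one `read` rule Andrei wrote by hand. Alan's alternative, relabelling the file out of `cron_log_t` (it is written by a cron job, which is why it carries that type) instead of widening snmpd's policy, avoids adding a rule at all; whether snmpd_t may read `var_log_t` on that policy version is something to check with `sesearch` rather than assume.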