I can give you another tip - use 'sealert'.
yum install setroubleshoot-server
sealert -a /var/log/audit/audit.log
It will provide you with guidance.
Actually selinux has 'allow' rules based on process type (last part after
':') with the file type.
ps aux -Z
ls -lZ file
Sometimes you need to tell selinux that a file should have another label:
semanage fcontext -a -t var_log_t somefile
restorecon -v somefile
SELinux is quite beneficial for VMs/Containers because even if one of them is hacked,
it will still not be able to reach another one (even if ownership is the same).
Best Regards,
Strahil Nikolov
On 29 May 2020 17:26:37 GMT+03:00, Andrei Verovski <andreil1(a)starlett.lv> wrote:
>Hi,
>
>OK, Michael, thanks a LOT, these commands fixed the problem.
>
>cat /var/log/audit/audit.log | grep snmpd | grep sed | audit2allow -M my_module_for_snmpd
>semodule -i my_module_for_snmpd.pp
>
>
>
>
>> On 29 May 2020, at 16:31, Michaël Couren <couren(a)abes.fr> wrote:
>>
>> Hi,
>> you could start with:
>>
>> cat /var/log/audit/audit.log | grep denied | audit2why
>>
>> The messages are quite clear.
>>
>> After that you could also refine a little bit more:
>>
>> cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd
>>
>> Remember to renew audit.log sometimes, in order to filter errors more precisely
>> --
>> Cordialement / Best regards, Michaël Couren,
>> ABES, Montpellier, France.
>>
>>
>>
>> ----- On 29 May 20, at 15:14, Andrei Verovski andreil1(a)starlett.lv wrote:
>>
>>> Hi,
>>>
>>> SELinux is quite cumbersome for someone who has not used it before.
>>>
>>> stat /var/log/anvraidcheck.log
>>> # File: ‘/var/log/anvraidcheck.log’
>>> # Size: 75 Blocks: 8 IO Block: 4096 regular file
>>> # Device: fd08h/64776d Inode: 138 Links: 1
>>> # Access: (0666/-rw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
>>> # Context: system_u:object_r:cron_log_t:s0
>>>
>>> ps -eZ | grep snmpd
>>> # system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
>>>
>>>
>>> How to enforce this policy (if it's correct of course)?
>>>
>>> allow snmpd_t cron_log_t:file { read };
>>>
>>>
>>>
>>>> On 29 May 2020, at 12:31, Alan <alan(a)griff.me.uk> wrote:
>>>>
>>>> When running from the terminal you are unconfined, hence it runs without error.
>>>>
>>>> Probably your only option is to create custom policy to allow this. Although I
>>>> would question why the log file you are reading is cron_log_t and not
>>>> var_log_t.
>>>>
>>>>
>>>> ---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski <andreil1(a)starlett.lv> wrote ----
>>>>
>>>> Hi !
>>>>
>>>> I’m struggling with SELinux blocking SNMP script from reading log file (oVirt
>>>> node manually installed on CentOS 7).
>>>> Log file is readable by all (chmod ugo+r).
>>>>
>>>> Scripts work fine when executed from terminal.
>>>>
>>>> I did not dig deep into CentOS internals, I mostly use Debian and SuSE. As far
>>>> as I know, SELinux can’t be turned off on oVirt node.
>>>>
>>>> Thanks in advance for any suggestion(s).
>>>>
>>>>
>>>> **********************
>>>>
>>>> option in snmpd.conf
>>>>
>>>> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
>>>>
>>>>
>>>> **********************
>>>> script 4anvcheckraid_hp.sh
>>>>
>>>> #!/bin/bash
>>>>
>>>> LOGFILE='/var/log/anvraidcheck.log'
>>>>
>>>> if [ ! -f "$LOGFILE" ]; then
>>>>     exit 0
>>>> fi
>>>>
>>>> # Variant 1 with sed
>>>> sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do
>>>>     echo "$line"
>>>>     exit 1
>>>> done
>>>>
>>>> # Variant 2 without sed
>>>> while read -r line
>>>> do
>>>>     if [[ "$line" =~ [^[:space:]] ]]; then
>>>>         echo "$line"
>>>>         exit 1
>>>>     fi
>>>> done < "$LOGFILE"
>>>>
>>>>
>>>> **********************
>>>>
>>>> SELinux audit log:
>>>>
>>>> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>>>>
>>>> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>>>>
>>>> _______________________________________________
>>>> Users mailing list -- users(a)ovirt.org
>>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>>>> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
>>>> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/
>>>>
>>>
>>>