
I can give you another tip - use 'sealert'.

    yum install setroubleshoot-server
    sealert -a /var/log/audit/audit.log

It will provide you with guidance.

Actually selinux has 'allow' rules based on process type (last part after ':') with the file type.

    ps aux -Z
    ls -lZ file

Sometimes you need to tell selinux that a file should have another label:

    semanage fcontext -a -t var_log_t somefile
    restorecon -v somefile

SELINUX is quite beneficial for VMs/Containers because even if one of them is hacked, it will still not be able to reach another one (even if ownership is the same).

Best Regards,
Strahil Nikolov

On 29 May 2020 17:26:37 GMT+03:00, Andrei Verovski <andreil1@starlett.lv> wrote:
Hi,
OK, Michael, thanks a LOT, these commands fixed the problem.

    cat /var/log/audit/audit.log | grep snmpd | grep sed | audit2allow -M my_module_for_snmpd
    semodule -i my_module_for_snmpd.pp
On 29 May 2020, at 16:31, Michaël Couren <couren@abes.fr> wrote:
Hi, you could start with:

    cat /var/log/audit/audit.log | grep denied | audit2why

The messages are quite clear.
After you could also refine a little bit more:

    cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd

Remember to renew audit.log sometimes, in order to filter errors more precisely.
--
Cordialement / Best regards,
Michaël Couren, ABES, Montpellier, France.
----- On 29 May 20, at 15:14, Andrei Verovski andreil1@starlett.lv wrote:
Hi,
SELinux is quite cumbersome for someone who has not used it before.

    stat /var/log/anvraidcheck.log
      File: ‘/var/log/anvraidcheck.log’
      Size: 75          Blocks: 8          IO Block: 4096   regular file
    Device: fd08h/64776d    Inode: 138         Links: 1
    Access: (0666/-rw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
    Context: system_u:object_r:cron_log_t:s0

    ps -eZ | grep snmpd
    system_u:system_r:snmpd_t:s0    1835 ?        00:02:00 snmpd

How to enforce this policy (if it's correct of course)?

    allow snmpd_t cron_log_t:file { read };
On 29 May 2020, at 12:31, Alan <alan@griff.me.uk> wrote:
When running from the terminal you are unconfined, hence it runs without error.
Probably your only option is to create custom policy to allow this. Although I would question why the log file you are reading is cron_log_t and not var_log_t.
---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski <andreil1@starlett.lv> wrote ----
Hi !
I’m struggling with SELinux blocking an SNMP script from reading a log file (oVirt node manually installed on CentOS 7). The log file is readable by all (chmod ugo+r).
The scripts work fine when executed from a terminal.
I did not dig deep into CentOS internals; I mostly use Debian and SuSE. As far as I know, SELinux can’t be turned off on an oVirt node.
Thanks in advance for any suggestion(s).
**********************
option in snmpd.conf

extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh

**********************
script 4anvcheckraid_hp.sh

#!/bin/bash
LOGFILE='/var/log/anvraidcheck.log'

# Nothing to report if the log file does not exist
if [ ! -f "$LOGFILE" ]; then
    exit 0
fi

# Variant 1 with sed: drop blank lines and report the first remaining one.
# Note: because of the pipe, the while loop runs in a subshell, so this
# "exit 1" only ends the subshell; the script itself continues.
sed '/^[ \t]*$/d' "$LOGFILE" | while read line; do
    echo "$line"
    exit 1
done

# Variant 2 without sed: same check, but the file is redirected into the
# loop, so "exit 1" terminates the script.
while read line; do
    if [[ "$line" =~ [^[:space:]] ]]; then
        echo "$line"
        exit 1
    fi
done < "$LOGFILE"

**********************
SELinux audit log:
type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/
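The two AVC records Andrei pasted are exactly what audit2allow turned into the `allow snmpd_t cron_log_t:file { read };` rule, and Alan's and Strahil's point is that the denial also tells you whether the file is simply mislabeled. As an added example (not code from this thread or from oVirt), here is a small POSIX shell stand-in for that parsing, run on constructed sample records modelled on the ones above, so the rule can be read before `semodule -i` loads it and the denied file and its label can be checked first.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stand-in for audit2allow that
# turns AVC "denied" records into SELinux allow rules, plus a helper listing
# which file and target label each denial names. The sample records below are
# constructed (two mirror the thread, one is a non-AVC record, one adds perms).
SAMPLE_AUDIT='type=AVC msg=audit(1590673970.198:469304): avc:  denied  { read } for  pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc:  denied  { read } for  pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1590673970.197:469303): arch=c000003e syscall=2 success=no exit=-13 comm="4anvcheckraid_h"
type=AVC msg=audit(1590673971.004:469305): avc:  denied  { getattr open } for  pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0'

# avc_to_allow: read audit records on stdin, print one allow rule per distinct
# (source type, target type, class), with permissions merged and deduplicated.
avc_to_allow() {
  awk '
    /avc:[[:space:]]+denied/ {
      p = $0; sub(/.*denied[[:space:]]*[{][[:space:]]*/, "", p); sub(/[[:space:]]*[}].*/, "", p)
      s = $0; sub(/.*scontext=/, "", s); sub(/[[:space:]].*/, "", s); split(s, sa, ":")
      t = $0; sub(/.*tcontext=/, "", t); sub(/[[:space:]].*/, "", t); split(t, ta, ":")
      c = $0; sub(/.*tclass=/, "", c); sub(/[[:space:]].*/, "", c)
      key = sa[3] SUBSEP ta[3] SUBSEP c      # the type is the 3rd field of a context
      n = split(p, pa, /[[:space:]]+/)
      for (i = 1; i <= n; i++)
        if (pa[i] != "" && index(" " perms[key] " ", " " pa[i] " ") == 0)
          perms[key] = (perms[key] == "" ? pa[i] : perms[key] " " pa[i])
    }
    END {
      for (k in perms) {
        split(k, f, SUBSEP)
        printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], perms[k]
      }
    }' | sort
}

# avc_denied_files: one "comm name target_type" line per distinct denial, so it
# is visible whether the label on the file (here cron_log_t under /var/log) is
# the real problem before snmpd_t is granted access to that label.
avc_denied_files() {
  awk '
    /avc:[[:space:]]+denied/ {
      c = $0; sub(/.*comm="/, "", c); sub(/".*/, "", c)
      f = $0; sub(/.*name="/, "", f); sub(/".*/, "", f)
      t = $0; sub(/.*tcontext=/, "", t); sub(/[[:space:]].*/, "", t); split(t, ta, ":")
      print c, f, ta[3]
    }' | sort -u
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_denied_files
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow
```

On a real host, feed it `grep snmpd /var/log/audit/audit.log` instead of the sample; if the listed target type is wrong for the file's location, relabeling (as Strahil describes) is the narrower fix than a new allow rule.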