SELinux Vs. Logwatch And Virsh
Hello everyone –
I am stumped … Does anyone have suggestions on how to proceed? Is there a way to get what I want?
The environment: CentOS 7.0 with latest patches.
The goal: I want logwatch to include a report on the status of kvm virtual computers.
The problem: When run from anacron, SELinux denies permission for the virsh utility.
Here is a portion of the logwatch output:
——————— KVM libvirt status report Begin ———————-
4 thoughts on - SELinux Vs. Logwatch And Virsh
What AVC messages are you seeing?
ausearch -m avc -ts recent. I would put the machine in permissive mode, run your tests and then add the allow rules using
audit2allow -M mylogwatch
BTW if you think this is something we should do in general in such a way as logwatch can only look at the content in Read Only mode, then we might want it to become default.
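The workflow sketched above (collect the AVC records with ausearch, then feed them to audit2allow) works, but the caveat in this thread is that you should know which accesses a module grants before loading it, ideally keeping logwatch read-only. The block below is an added example, not code from this thread or from the audit or SELinux projects: a small Python parser for AVC records in the format ausearch prints, which separates read-only permissions from mutating ones and only proposes allow rules for the former, leaving the rest for a human to look at. The audit records, process id, event ids and the contexts logwatch_t, virtd_t and virt_etc_t are constructed for illustration, not taken from the poster's system.

```python
import re
from dataclasses import dataclass

# Permissions that only observe state. Anything outside this set (write,
# create, execute, connectto, ...) changes something and is flagged for
# review rather than turned into an allow rule automatically.
READ_ONLY_PERMS = frozenset({"read", "getattr", "open", "search", "lock", "ioctl", "map"})

# Matches the parts of a "type=AVC" record we need: event id, denied
# permission set, and the source/target contexts plus object class.
AVC_RE = re.compile(
    r"msg=audit\([\d.]+:(?P<event>\d+)\):\s+avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


@dataclass
class Denial:
    event_id: str
    comm: str
    perms: tuple          # sorted permission names from the { ... } set
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool      # True when the record was logged under permissive mode

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    @property
    def read_only(self) -> bool:
        return all(p in READ_ONLY_PERMS for p in self.perms)

    def allow_rule(self) -> str:
        """Policy-language rule in the shape audit2allow would emit."""
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"


def parse_avc_lines(lines):
    """Extract Denial objects from ausearch output; non-AVC records are skipped."""
    denials = []
    for line in lines:
        if "type=AVC" not in line:
            continue  # SYSCALL, CWD, PATH records carry context but no denial
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        denials.append(Denial(
            event_id=m["event"],
            comm=comm.group(1) if comm else "?",
            perms=tuple(sorted(m["perms"].split())),
            scontext=m["scontext"],
            tcontext=m["tcontext"],
            tclass=m["tclass"],
            permissive="permissive=1" in line,
        ))
    return denials


def review(denials):
    """Split denials into rules safe to propose (read-only) and ones needing review."""
    rules, needs_review = [], []
    for d in denials:
        if d.read_only:
            rule = d.allow_rule()
            if rule not in rules:   # the same denial repeats on every run
                rules.append(rule)
        else:
            needs_review.append(d)
    return {"allow": rules, "review": needs_review}


# Constructed sample in ausearch's layout (ids, pid and contexts are assumed).
SAMPLE_AUDIT = """\
----
time->Mon Aug 18 03:21:03 2014
type=SYSCALL msg=audit(1408350063.257:1001): arch=c000003e syscall=42 success=no exit=-13 comm="virsh" exe="/usr/bin/virsh"
type=AVC msg=audit(1408350063.257:1001): avc:  denied  { connectto } for  pid=4242 comm="virsh" path="/var/run/libvirt/libvirt-sock" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:system_r:virtd_t:s0 tclass=unix_stream_socket permissive=0
----
time->Mon Aug 18 03:21:03 2014
type=AVC msg=audit(1408350063.301:1002): avc:  denied  { read open } for  pid=4242 comm="virsh" path="/etc/libvirt/libvirt.conf" scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virt_etc_t:s0 tclass=file permissive=0
"""

if __name__ == "__main__":
    result = review(parse_avc_lines(SAMPLE_AUDIT.splitlines()))
    print("# read-only accesses, candidate rules for a local module:")
    for rule in result["allow"]:
        print(rule)
    print("# mutating accesses, decide by hand (boolean, different domain, or leave denied):")
    for d in result["review"]:
        print(f"event {d.event_id}: {d.comm} {d.source_type} -> {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }}")
```

On a real system the input would come from `ausearch -m avc` (or the raw /var/log/audit/audit.log); the script is a triage aid and audit2allow remains the tool that actually builds the module. A denial like the constructed connectto to the libvirt socket is exactly the kind the thread warns about: it gives the logwatch domain a channel to the daemon, which is why it is reported for review instead of being allowed outright.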
Hi Dan –
“ausearch -m avc -ts recent” produces no output. If I run it as “ausearch -f virsh” then it produces output similar to this. Each day’s run of logwatch produces three of these audit log entries. The a1 and a2 values are different for each entry, but everything else is the same.
==============time->Mon Aug 18 03:21:03 2014
type=SYSCALL msg=audit(1408350063.257:7492): arch
logwatch is executing virsh probably to communicate with libvirt to rotate logs or something. You can look in /etc/logrotate.d for a script with virsh to tell you what the command is trying to do.

Right, but I am looking for packages that drop logrotate scripts rather than just throwing in the towel and saying logrotate is an unconfined domain. If a package ships a script that SELinux will break, I want to know what is the risk of a hacked logrotate executable causing havoc on a system. Potentially I can add a boolean to policy to allow the access but deny it by default.

You could try that, I think you will end up with other AVCs concerning logrotate talking to libvirt.