Hi,
SELinux is quite cumbersome for someone which not used it before.
stat /var/log/anvraidcheck.log
# File: ‘/var/log/anvraidcheck.log’
# Size: 75 Blocks: 8 IO Block: 4096 regular file
# Device: fd08h/64776d Inode: 138 Links: 1
# Access: (0666/-rw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
# Context: system_u:object_r:cron_log_t:s0
ps -eZ | grep snmpd
# system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
How to enforce this policy (if its correct of course)?
allow snmpd_t cron_log_t:file { read };
> On 29 May 2020, at 12:31, Alan <[email protected]> wrote:
>
> When running from the terminal you are unconfined, hence it runs without
> error.
>
> Probably your only option is to create custom policy to allow this. Although
> I would question why the log file you are reading is cron_log_t and not
> var_log_t.
>
>
> ---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski
> <[email protected]> wrote ----
>
> Hi !
>
> I’m struggling with SELinux blocking SNMP script from reading log file (oVirt
> node manually installed on CentOS 7).
> Log file is readable by all (chmod ugo+r).
>
> Scripts working fine when executed from terminal.
>
> I did not dig deep into CentOS internals, I’m mostly use Debian and SuSE. As
> far as I know, SELinux can’t be turned off on oVirt node.
>
> Thanks in advance for any suggestion(s).
>
>
> **********************
>
> option in snmpd.conf
>
> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
>
>
> **********************
> script 4anvcheckraid_hp.sh
>
> #!/bin/bash
>
> LOGFILE='/var/log/anvraidcheck.log'
>
> if [ ! -f $LOGFILE ]; then
> exit 0
> fi
>
> # Variant 1 with sed
> sed '/^[ \t]*$/d' $LOGFILE | while read line; do
> echo "$line"
> exit 1
> done
>
> # Variant 2 without sed
> while read line
> do
> if [[ "$line" =~ [^[:space:]] ]]; then
> echo "$line"
> exit 1
> fi
> done < $LOGFILE
>
>
> **********************
>
> SELinux audit log:
>
> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142
> comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138
> scontext=system_u:system_r:snmpd_t:s0
> tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141
> comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138
> scontext=system_u:system_r:snmpd_t:s0
> tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>
> _______________________________________________
> Users mailing list -- [email protected] <mailto:[email protected]>
> To unsubscribe send an email to [email protected]
> <mailto:[email protected]>
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> <https://www.ovirt.org/privacy-policy.html>
> oVirt Code of Conduct:
> https://www.ovirt.org/community/about/community-guidelines/
> <https://www.ovirt.org/community/about/community-guidelines/>
> List Archives:
> https://lists.ovirt.org/archives/list/[email protected]/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/
>
> <https://lists.ovirt.org/archives/list/[email protected]/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/>
>
>
_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/[email protected]/message/3MICJMAXCALWNSYLWWJXQABJ4EAHW55L/
