Hi,

SELinux is quite cumbersome for someone who has not used it before.

stat /var/log/anvraidcheck.log 
#  File: ‘/var/log/anvraidcheck.log’
#  Size: 75              Blocks: 8          IO Block: 4096   regular file
# Device: fd08h/64776d    Inode: 138         Links: 1
# Access: (0666/-rw-rw-rw-)  Uid: (    0/    root)   Gid: (    0/    root)
# Context: system_u:object_r:cron_log_t:s0

ps -eZ | grep snmpd
# system_u:system_r:snmpd_t:s0     1835 ?        00:02:00 snmpd


How to enforce this policy (if it's correct, of course)?

allow snmpd_t cron_log_t:file { read };



> On 29 May 2020, at 12:31, Alan <[email protected]> wrote:
> 
> When running from the terminal you are unconfined, hence it runs without 
> error.
> 
> Probably your only option is to create custom policy to allow this. Although 
> I would question why the log file you are reading is cron_log_t and not 
> var_log_t.
> 
> 
> ---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski 
> <[email protected]> wrote ----
> 
> Hi ! 
> 
> I’m struggling with SELinux blocking an SNMP script from reading a log file (oVirt 
> node manually installed on CentOS 7). 
> The log file is readable by all (chmod ugo+r). 
> 
> The scripts work fine when executed from the terminal. 
> 
> I did not dig deep into CentOS internals; I mostly use Debian and SuSE. As 
> far as I know, SELinux can’t be turned off on an oVirt node. 
> 
> Thanks in advance for any suggestion(s). 
> 
> 
> ********************** 
> 
> option in snmpd.conf 
> 
> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh 
> 
> 
> ********************** 
> script 4anvcheckraid_hp.sh 
> 
> #!/bin/bash 
> 
> LOGFILE='/var/log/anvraidcheck.log' 
> 
> # Nothing to report if the log file does not exist. 
> if [ ! -f "$LOGFILE" ]; then 
>     exit 0 
> fi 
> 
> # Variant 1 with sed: drop blank lines, print the first remaining line and 
> # fail. Note that the while loop runs in a subshell here, so "exit 1" only 
> # ends that subshell and the script continues with Variant 2. 
> sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do 
>     echo "$line" 
>     exit 1 
> done 
> 
> # Variant 2 without sed: same check, using a regex for a non-blank line. 
> while read -r line 
> do 
>     if [[ "$line" =~ [^[:space:]] ]]; then 
>         echo "$line" 
>         exit 1 
>     fi 
> done < "$LOGFILE" 
> 
> 
> ********************** 
> 
> SELinux audit log: 
> 
> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 
> comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 
> scontext=system_u:system_r:snmpd_t:s0 
> tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0 
> 
> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 
> comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 
> scontext=system_u:system_r:snmpd_t:s0 
> tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0 
> 
> _______________________________________________
> Users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/
> 
> 

_______________________________________________
Users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/[email protected]/message/3MICJMAXCALWNSYLWWJXQABJ4EAHW55L/
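The custom policy module Alan mentions, as an added example that is not part of the thread: it writes the rule quoted above into a .te file, then compiles and loads it with checkmodule, semodule_package and semodule (the module name "snmpd_cronlog" and the temporary working directory are assumptions).

```shell
#!/bin/bash
# Added example, not from the thread: build and load a minimal SELinux policy
# module granting snmpd_t read access to cron_log_t files, i.e. the rule asked
# about above.  The module name "snmpd_cronlog" is an assumption.
set -eu

MODNAME=snmpd_cronlog

# Emit the type-enforcement (.te) source for the module from the fields of the
# AVC denial: source type, target type, object class and denied permissions.
gen_te_module() {
    local src=$1 tgt=$2 class=$3 perms=$4
    cat <<EOF
module $MODNAME 1.0;

require {
    type $src;
    type $tgt;
    class $class { $perms };
}

allow $src $tgt:$class { $perms };
EOF
}

# Compile and load the module (needs root plus the checkpolicy and
# policycoreutils packages).  If the file should really be var_log_t, as Alan
# asks, relabel it first (semanage fcontext -a -t var_log_t
# /var/log/anvraidcheck.log && restorecon -v /var/log/anvraidcheck.log) and
# re-test before adding any policy at all.
install_module() {
    local workdir
    workdir=$(mktemp -d)
    gen_te_module snmpd_t cron_log_t file read > "$workdir/$MODNAME.te"
    checkmodule -M -m -o "$workdir/$MODNAME.mod" "$workdir/$MODNAME.te"
    semodule_package -o "$workdir/$MODNAME.pp" -m "$workdir/$MODNAME.mod"
    semodule -i "$workdir/$MODNAME.pp"
    # Confirm the module is loaded, then re-run the snmpd extend and check
    # "ausearch -m AVC -ts recent": a further denial (e.g. open) means that
    # permission must be added to the same rule and the module rebuilt.
    semodule -l | grep "^$MODNAME"
}

# With no argument just print the module source; pass "install" to load it.
if [ "${1:-}" = "install" ]; then
    install_module
else
    gen_te_module snmpd_t cron_log_t file read
fi
```

Run it once without arguments to review the generated .te, then as root with `install`.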
