Hi, you could start with:

    cat /var/log/audit/audit.log | grep denied | audit2why

The messages are quite clear. Afterwards you could also refine a little bit more:

    cat /var/log/audit/audit.log | grep snmpd | audit2allow -M my_module_for_snmpd

Remember to renew audit.log sometimes, in order to filter errors more precisely.

-- 
Cordialement / Best regards,
Michaël Couren,
ABES, Montpellier, France.

----- On 29 May 20, at 15:14, Andrei Verovski [email protected] wrote:

> Hi,
>
> SELinux is quite cumbersome for someone who has not used it before.
>
> stat /var/log/anvraidcheck.log
> # File: ‘/var/log/anvraidcheck.log’
> # Size: 75 Blocks: 8 IO Block: 4096 regular file
> # Device: fd08h/64776d Inode: 138 Links: 1
> # Access: (0666/-rw-rw-rw-) Uid: ( 0/ root) Gid: ( 0/ root)
> # Context: system_u:object_r:cron_log_t:s0
>
> ps -eZ | grep snmpd
> # system_u:system_r:snmpd_t:s0 1835 ? 00:02:00 snmpd
>
> How to enforce this policy (if it's correct of course)?
>
> allow snmpd_t cron_log_t:file { read };
>
>> On 29 May 2020, at 12:31, Alan <[email protected]> wrote:
>>
>> When running from the terminal you are unconfined, hence it runs without
>> error.
>>
>> Probably your only option is to create custom policy to allow this. Although
>> I would question why the log file you are reading is cron_log_t and not
>> var_log_t.
>>
>> ---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski
>> <[email protected]> wrote ----
>>
>> Hi !
>>
>> I’m struggling with SELinux blocking SNMP script from reading log file (oVirt
>> node manually installed on CentOS 7).
>> Log file is readable by all (chmod ugo+r).
>>
>> Scripts work fine when executed from terminal.
>>
>> I did not dig deep into CentOS internals, I mostly use Debian and SuSE. As
>> far as I know, SELinux can’t be turned off on oVirt node.
>>
>> Thanks in advance for any suggestion(s).
>>
>> **********************
>>
>> option in snmpd.conf
>>
>> extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh
>>
>> **********************
>> script 4anvcheckraid_hp.sh
>>
>> #!/bin/bash
>>
>> LOGFILE='/var/log/anvraidcheck.log'
>>
>> if [ ! -f "$LOGFILE" ]; then
>>     exit 0
>> fi
>>
>> # Variant 1 with sed
>> sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do
>>     echo "$line"
>>     exit 1
>> done
>>
>> # Variant 2 without sed
>> while read -r line
>> do
>>     if [[ "$line" =~ [^[:space:]] ]]; then
>>         echo "$line"
>>         exit 1
>>     fi
>> done < "$LOGFILE"
>>
>> **********************
>>
>> SELinux audit log:
>>
>> type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>>
>> type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
>>
>> _______________________________________________
>> Users mailing list -- [email protected] <mailto:[email protected]>
>> To unsubscribe send an email to [email protected]
>> <mailto:[email protected]>
>> Privacy Statement: https://www.ovirt.org/privacy-policy.html
>> <https://www.ovirt.org/privacy-policy.html>
>> oVirt Code of Conduct:
>> https://www.ovirt.org/community/about/community-guidelines/
>> <https://www.ovirt.org/community/about/community-guidelines/>
>> List Archives:
>> https://lists.ovirt.org/archives/list/[email protected]/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/
>> <https://lists.ovirt.org/archives/list/[email protected]/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/>
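
The rule asked about in the thread, allow snmpd_t cron_log_t:file { read };, has to sit in a policy module before it can be loaded. As an added example (not part of any message in the thread), this shell function builds that module source from AVC records, keeping only denials whose source domain is snmpd_t; the function names, the sample_avc input and its example_t record are constructed for illustration.

```shell
#!/bin/bash
# Constructed input: the two denials from the thread, one record per line, plus one
# made-up denial from another domain (example_t) that merely mentions snmpd.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1590673970.198:469304): avc: denied { read } for pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc: denied { read } for pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590673999.001:469400): avc: denied { write } for pid=999 comm="cat" name="snmpd.conf" dev="dm-0" ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF
}

# avc_to_te MODULE DOMAIN: read audit records on stdin and print .te source that
# holds only the permissions denied to DOMAIN. Returns 1 if no record matches.
avc_to_te() {
  awk -v mod="$1" -v dom="$2" '
    function ctx_type(key,   v, p) {   # type is the 3rd field of user:role:type:level
      if (!match($0, key "=[^ ]+")) return ""
      v = substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
      split(v, p, ":"); return p[3]
    }
    /avc: +denied/ {
      src = ctx_type("scontext"); tgt = ctx_type("tcontext")
      if (src != dom || !match($0, /tclass=[^ ]+/)) next
      cls = substr($0, RSTART + 7, RLENGTH - 7)
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      n = split(perms, pl, " ")
      for (i = 1; i <= n; i++) {   # de-duplicate repeated denials
        if (!seen[tgt, cls, pl[i]]++) { rule[tgt SUBSEP cls] = rule[tgt SUBSEP cls] " " pl[i]; nrules++ }
        if (!cseen[cls, pl[i]]++) cperm[cls] = cperm[cls] " " pl[i]
      }
      types[tgt] = 1
    }
    END {
      if (!nrules) exit 1
      printf "module %s 1.0;\n\nrequire {\n\ttype %s;\n", mod, dom
      for (t in types) if (t != dom) printf "\ttype %s;\n", t
      for (c in cperm) printf "\tclass %s {%s };\n", c, cperm[c]
      print "}\n"
      for (k in rule) { split(k, a, SUBSEP); printf "allow %s %s:%s {%s };\n", dom, a[1], a[2], rule[k] }
    }'
}

# Review the output, save it as my_module_for_snmpd.te, then build and load as root:
#   checkmodule -M -m -o my_module_for_snmpd.mod my_module_for_snmpd.te
#   semodule_package -o my_module_for_snmpd.pp -m my_module_for_snmpd.mod
#   semodule -i my_module_for_snmpd.pp
sample_avc | avc_to_te my_module_for_snmpd snmpd_t
```

Matching on the scontext type rather than on the text "snmpd" keeps the example_t record out of the module, so the loaded policy grants nothing beyond what snmpd_t was actually denied.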

