Hello everyone -

I am stumped ...  Does anyone have suggestions on how to proceed?  Is there a way to get what I want?

The environment:  CentOS 7.0 with latest patches. 

The goal:  I want logwatch to include a report on the status of KVM virtual computers.

The problem:  When run from anacron, SELinux denies permission for the virsh utility.  Here is a portion of the logwatch output:

--------------------- KVM libvirt status report Begin ------------------------ 

 Date Range: yesterday
 /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission denied
 
---------------------- KVM libvirt status report End ------------------------- 

If I "run-parts /etc/cron.daily" from a root console, it all works.  Same if I run "logwatch" from a root console.

I set SELinux to permissive and that allows virsh to run.  Therefore I know it is something to do with SELinux.

The logwatch script is:

        #Lots of comments
        /usr/bin/virsh list --all

I see the SELinux security context of virsh is

        system_u:object_r:virsh_exec_t:s0

while logwatch.pl runs as 

        system_u:object_r:logwatch_exec_t:s0

As I understand it, SELinux does not permit having multiple type settings for a file.  Any file can have exactly one type setting.

I ran this command hoping it would add another type to the virsh program.

        semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh

        semanage fcontext --list /usr/bin/virsh | grep virsh
        /usr/bin/virsh      all files      system_u:object_r:logwatch_exec_t:s0
        /usr/bin/virsh      regular file   system_u:object_r:virsh_exec_t:s0
        /usr/sbin/xl        regular file   system_u:object_r:virsh_exec_t:s0
        /usr/sbin/xm        regular file   system_u:object_r:virsh_exec_t:s0

Semanage did add the new type, but that did not fix the problem.  Virsh still gets "permission denied" when logwatch tries to run it.

Thanks - Bill Gee
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
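The denial described above is recorded by auditd as AVC records, and the first thing to establish is which confined domain was refused which permission on which type. The script below is an added example, not part of the post: it reduces AVC records to "source domain, target type, class, permissions" and lists the executables a given domain was denied execute on. The two AVC lines are constructed sample input; on the real host they would come from `ausearch -m AVC -ts today --raw`.

```shell
#!/bin/sh
# Constructed AVC records in the shape auditd writes for a denial; sample
# input only, not records taken from the original post or host.
SAMPLE_AVC='type=AVC msg=audit(1412000000.100:201): avc:  denied  { execute } for  pid=4321 comm="libvirt" name="virsh" dev="dm-0" ino=1234 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412000000.200:202): avc:  denied  { read } for  pid=4322 comm="virsh" name="libvirt-sock" dev="dm-0" ino=5678 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0'

# Reduce one AVC record to "source_type target_type class permissions".
# Only sed is used, so this runs on a stock CentOS 7 /bin/sh.
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied  { \(.*\) } for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# Source domain type (third field of scontext) of one AVC record.
avc_source_type() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Summaries of every AVC record on stdin whose source domain is $1
# (e.g. logwatch_t, the domain anacron-started logwatch runs in).
denials_for_domain() {
    domain="$1"
    while IFS= read -r line; do
        if [ "$(avc_source_type "$line")" = "$domain" ]; then
            avc_summary "$line"
        fi
    done
}

# Of those, the file types the domain was denied "execute" on: the
# executables it cannot run, whatever label the file carries.
exec_denials_for_domain() {
    denials_for_domain "$1" |
        awk '$3 == "file" { for (i = 4; i <= NF; i++) if ($i == "execute") print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | denials_for_domain logwatch_t
```

Feed real `ausearch --raw` output to `denials_for_domain logwatch_t` to confirm the denial is the logwatch domain executing `virsh_exec_t`, which is what a targeted policy change has to address.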
