When running from the terminal you are unconfined, hence it runs without error.



Probably your only option is to create a custom policy to allow this. Although I 
would question why the log file you are reading is cron_log_t and not var_log_t.



---- On Fri, 29 May 2020 09:25:41 +0100 Andrei Verovski <andre...@starlett.lv> 
wrote ----


Hi ! 
 
I’m struggling with SELinux blocking an SNMP script from reading a log file (oVirt 
node manually installed on CentOS 7). 
The log file is readable by all (chmod ugo+r). 
 
The scripts work fine when executed from the terminal. 
 
I did not dig deep into CentOS internals; I mostly use Debian and SuSE. As 
far as I know, SELinux can’t be turned off on an oVirt node. 
 
Thanks in advance for any suggestion(s). 
 
 
********************** 
 
option in snmpd.conf 
 
extend .1.3.6.1.4.1.2021.7890.5 checkraid /opt/4anvcheckraid_hp.sh 
 
 
********************** 
script 4anvcheckraid_hp.sh 
 
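#!/bin/bash

LOGFILE='/var/log/anvraidcheck.log'

# Nothing to report if the log file does not exist
if [ ! -f "$LOGFILE" ]; then
    exit 0
fi

# Variant 1 with sed: print the first non-blank line
# (the exit here only leaves the pipeline subshell, not the script)
sed '/^[ \t]*$/d' "$LOGFILE" | while read -r line; do
    echo "$line"
    exit 1
done

# Variant 2 without sed: print the first non-blank line and exit 1
while read -r line
do
    if [[ "$line" =~ [^[:space:]] ]]; then
        echo "$line"
        exit 1
    fi
done < "$LOGFILE"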
 
 
********************** 
 
SELinux audit log: 
 
type=AVC msg=audit(1590673970.198:469304): avc:  denied  { read } for  
pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138 
scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 
tclass=file permissive=0 
 
type=AVC msg=audit(1590673970.197:469303): avc:  denied  { read } for  
pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138 
scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0 
tclass=file permissive=0 
 
_______________________________________________
Users mailing list -- mailto:users@ovirt.org
To unsubscribe send an email to mailto:users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MYWS2S57UP5GISJ7APXVJO6NVCVEFM22/
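
The "custom policy" suggested in the reply can be derived directly from the two denials in the audit log. The following is an added example, not code from either poster or from oVirt: the function name avc_to_te and the module name snmpd_raidlog are hypothetical, and the sample input is the pair of AVC records quoted in the message. It does by hand what audit2allow does, so the resulting rule grants only the denied permission.

```bash
# Added example, not from the thread. Turns AVC denials (audit.log text on
# stdin) into a minimal type-enforcement module allowing only what was denied.
avc_to_te() {   # $1 = module name (hypothetical, e.g. snmpd_raidlog)
    awk -v mod="$1" '
    function field(r, key) {                 # value of key=... inside record r
        if (!match(r, key "=[^ ]+")) return ""
        return substr(r, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
    }
    function setype(ctx,    a) { return (split(ctx, a, ":") >= 3) ? a[3] : "" }
    function once(k) { if (k in seen) return 0; seen[k] = 1; return 1 }
    { buf = buf " " $0 }                     # rejoin records wrapped across lines
    END {
        n = split(buf, rec, /type=AVC /)
        for (i = 2; i <= n; i++) {
            r = rec[i]
            if (r !~ /avc: +denied/ || !match(r, /[{][^}]*[}]/)) continue
            np = split(substr(r, RSTART + 1, RLENGTH - 2), p, " ")
            src = setype(field(r, "scontext")); tgt = setype(field(r, "tcontext"))
            cls = field(r, "tclass")
            if (np == 0 || src == "" || tgt == "" || cls == "") continue
            rule = src " " tgt ":" cls
            if (once("T " src)) types[++nt] = src
            if (once("T " tgt)) types[++nt] = tgt
            if (once("C " cls)) classes[++nc] = cls
            if (once("R " rule)) rules[++nr] = rule
            for (j = 1; j <= np; j++) {
                if (once("C " cls " " p[j])) cperm[cls] = cperm[cls] " " p[j]
                if (once("R " rule " " p[j])) rperm[rule] = rperm[rule] " " p[j]
            }
        }
        if (nr == 0) exit 1                  # no denials found: emit nothing
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], cperm[classes[i]]
        print "}\n"
        for (i = 1; i <= nr; i++) printf "allow %s {%s };\n", rules[i], rperm[rules[i]]
    }'
}

# The two denials quoted in the message above, wrapped as they appear there.
SAMPLE_AVC='type=AVC msg=audit(1590673970.198:469304): avc:  denied  { read } for
pid=12142 comm="sed" name="anvraidcheck.log" dev="dm-8" ino=138
scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0
tclass=file permissive=0
type=AVC msg=audit(1590673970.197:469303): avc:  denied  { read } for
pid=12141 comm="4anvcheckraid_h" name="anvraidcheck.log" dev="dm-8" ino=138
scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:cron_log_t:s0
tclass=file permissive=0'
printf '%s\n' "$SAMPLE_AVC" | avc_to_te snmpd_raidlog
```

Saved as snmpd_raidlog.te, the output is compiled and loaded with checkmodule, semodule_package and semodule -i. Both records collapse into the single rule `allow snmpd_t cron_log_t:file { read };`, so it is worth reviewing that rule before loading, since it lets snmpd read every file labelled cron_log_t, not just this log.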