Hi,
Extracting SELinux AVC messages from audit.log and processing them through audit2allow, you can create custom SELinux policies. For instance: cat /var/log/audit/audit.log | grep 1247036829.715:51 | audit2allow -m xymon (if the auditd service is not running, AVC messages will be in /var/log/messages instead).
Here is my custom xymon policy:
cat xymon.te
begin
module xymon 1.0;

require {
	type ifconfig_t;
	type user_home_t;
	class file { getattr append };
}

#============= ifconfig_t ==============
allow ifconfig_t user_home_t:file { getattr append };
end
Now you need to compile and load this policy:
compile the module:
checkmodule -M -m -o xymon.mod xymon.te
create the policy module package:
semodule_package -o xymon.pp -m xymon.mod
install the package:
semodule -i xymon.pp
display all installed modules:
semodule -l
On Tue, Jul 7, 2009 at 11:11 PM, McGraw, Robert P <rmcgraw at purdue.edu> wrote:
On the RH 5.3 hosts I have installed just the client side of hobbit.4.2.0.
After a reboot I get the following in the /var/log/messages file:
Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.604:109): avc: denied { append } for pid=8951 comm="ifconfig" path="/local/hobbit/client/tmp/msg.galileo.math.purdue.edu.txt.8937" dev=dm-3 ino=294968 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.604:110): avc: denied { append } for pid=8951 comm="ifconfig" path="/local/hobbit/client/logs/hobbitclient.log" dev=dm-3 ino=294969 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.624:111): avc: denied { append } for pid=8955 comm="ifconfig" path="/local/hobbit/client/tmp/msg.galileo.math.purdue.edu.txt.8937" dev=dm-3 ino=294968 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.624:112): avc: denied { append } for pid=8955 comm="ifconfig" path="/local/hobbit/client/logs/hobbitclient.log" dev=dm-3 ino=294969 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
Right after a boot I get the following:
[14][root at galileo]:hobbit/client/logs# ls -alZ
drwxr-xr-x  bb bb user_u:object_r:default_t:s0    ./
drwxr-xr-x  bb bb user_u:object_r:default_t:s0    ../
-rw-r--r--  bb bb system_u:object_r:default_t:s0  clientlaunch.galileo.math.purdue.edu.pid
-rw-r--r--  bb bb user_u:object_r:default_t:s0    clientlaunch.log
-rw-r--r--  bb bb user_u:object_r:default_t:s0    hobbitclient.log
If I then manually run the init.d/hobbit start script then it shows:
[35][root at galileo]:hobbit/client/logs# ls -alZ
drwxr-xr-x  bb bb user_u:object_r:default_t:s0    ./
drwxr-xr-x  bb bb user_u:object_r:default_t:s0    ../
-rw-r--r--  bb bb user_u:object_r:default_t:s0    clientlaunch.galileo.math.purdue.edu.pid
-rw-r--r--  bb bb user_u:object_r:default_t:s0    clientlaunch.log
-rw-r--r--  bb bb user_u:object_r:default_t:s0    hobbitclient.log
and I do not get the error messages in /var/log.
I know that this is being caused by SELinux, but I am not sure of the best way to resolve this problem.
Thanks
Robert
Robert P. McGraw, Jr.
Manager, Computer System        EMAIL: rmcgraw at purdue.edu
Purdue University               ROOM: MATH-807
Department of Mathematics       PHONE: (765) 494-6055
150 N. University Street
West Lafayette, IN 47907-2067
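Added example for this thread, not code from the reply, from Robert, or from the xymon/hobbit project: a POSIX shell script that reproduces the "audit2allow -m NAME" step of the procedure above on the AVC lines Robert posted, then prints the checkmodule / semodule_package / semodule commands from the reply. It needs only sh and awk, so it runs on a machine without the SELinux userland. The function names (avc_to_te, build_cmds) are the example's own, and the third sample record, an auditd-style getattr denial, is constructed to show permissions being merged into one rule; the thread itself shows only append denials.

```shell
#!/bin/sh
# Added example for this thread (not xymon/hobbit code and not audit2allow
# itself): turn AVC denial lines into policy module source (.te) the way
# "audit2allow -m NAME" does, then print the build/load commands from the reply.
# Only sh and awk are needed, so it runs where the SELinux userland is absent.

# Sample input. The first two lines are Robert's /var/log/messages records from
# the thread (auditd not running, so the kernel logs them). The third line is
# CONSTRUCTED: an auditd-style (type=AVC) record adding a getattr denial, so the
# example shows both log formats being parsed and permissions being merged.
SAMPLE_AVC='Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.604:109): avc: denied { append } for pid=8951 comm="ifconfig" path="/local/hobbit/client/tmp/msg.galileo.math.purdue.edu.txt.8937" dev=dm-3 ino=294968 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.604:110): avc: denied { append } for pid=8951 comm="ifconfig" path="/local/hobbit/client/logs/hobbitclient.log" dev=dm-3 ino=294969 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1246995697.624:113): avc:  denied  { getattr } for  pid=8955 comm="ifconfig" path="/local/hobbit/client/logs/hobbitclient.log" dev=dm-3 ino=294969 scontext=system_u:system_r:ifconfig_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file'

# avc_to_te MODULE_NAME: reads AVC lines on stdin, writes .te source on stdout.
# One allow rule per (source type, target type, class); permissions are merged
# and de-duplicated; the require block lists every type and class referenced.
avc_to_te() {
    awk -v module="$1" '
    function addperm(list, perm) {
        if (index(" " list " ", " " perm " ")) return list
        return (list == "" ? perm : list " " perm)
    }
    /avc: +denied/ {
        # permissions sit between the braces: "{ append }" or "{ read write }"
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        sub(/^ +/, "", perms); sub(/ +$/, "", perms)
        # the type is the third field of a user:role:type:level context
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        if (stype == "" || ttype == "" || tclass == "") next
        if (!(stype in seen))   { seen[stype] = 1;   tlist[++nt] = stype }
        if (!(ttype in seen))   { seen[ttype] = 1;   tlist[++nt] = ttype }
        if (!(tclass in cseen)) { cseen[tclass] = 1; clist[++nc] = tclass }
        key = stype SUBSEP ttype SUBSEP tclass
        if (!(key in rule)) { rule[key] = ""; keys[++nr] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            rule[key] = addperm(rule[key], p[j])
            cperm[tclass] = addperm(cperm[tclass], p[j])
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", module
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", clist[i], cperm[clist[i]]
        printf "}\n"
        cur = ""
        for (i = 1; i <= nr; i++) {
            split(keys[i], k, SUBSEP)
            if (k[1] != cur) { cur = k[1]; printf "\n#============= %s ==============\n", cur }
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], rule[keys[i]]
        }
    }'
}

# build_cmds MODULE_NAME: the compile / package / install / list steps from the
# reply, printed rather than executed so the script needs neither root nor SELinux.
build_cmds() {
    printf '%s\n' \
        "checkmodule -M -m -o $1.mod $1.te" \
        "semodule_package -o $1.pp -m $1.mod" \
        "semodule -i $1.pp" \
        "semodule -l | grep $1"
}

# Run it on the sample: the .te source, then the commands to build and load it.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te xymon
echo
echo "# then, as root:"
build_cmds xymon
```

To use it on a real host, feed it the denial lines you actually want to allow (e.g. `grep 'avc: *denied' /var/log/messages | ./avc_to_te.sh` after wrapping the function) and redirect the .te output to xymon.te before running the printed commands. One caveat before loading the result: default_t is the label a file gets when no file-context rule matches its path, so an `allow ifconfig_t default_t:file ...` rule lets anything running as ifconfig_t append to every unlabeled file on the box, not just hobbit's. The narrower fix is to give the hobbit tree a label of its own (semanage fcontext -a to add the rule, restorecon -R to apply it) and write the allow rule against that type; whichever type you pick, it has to be the one the files actually carry, which `ls -Z` shows.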
To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk