[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [hobbit] hobbit on RH 5.3 server
- To: hobbit (at) hswn.dk
- Subject: Re: [hobbit] hobbit on RH 5.3 server
- From: "Gatis A." <gatis.anee (at) gmail.com>
- Date: Wed, 8 Jul 2009 10:44:48 +0300
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=ZkbMK0b9YxR0+x6YNma0CyT6rsDerVc5tG9MZV/E4kk=; b=CvH8P/UOJR9BcHmh8y0s/aVUAn3fYe7BjiCK5zrGpSY3gI+5LweLtgqdRj2U788Dnp L5XezcB014nNuba8FaNNoidpH3c870Dv1M/RVgZSinolxzjsHNCILE3Z1N7zx7bIDZvm m4seQpGDY3BovbovVA+N/0imSJXbT5vpzaeLU=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=jcgnivLUv0F4CPH9Hcm9c9mDTU0wFlx0HkYK2l1YfOEk9nuM1b1wfSWYpFFejftMWx EN1J3r+d0Dqi8FyObhV/+EJ9pAE4asIWSJlIl44Hqa49dou7bySpIRfvq2miZtcU6JEQ gDFteRR98sxBbndy4SIXtxDEBEuYzY76gnhNw=
- References: <BFE8BDBA75FE9949B836E36C3FBF334F05915A11 (at) EXCH02.purdue.lcl>
Hi,
Extracting SELinux AVC messages from audit.log and processing them
through audit2allow you can create custom selinux policies.
for instance:
cat /var/log/audit/audit.log | grep 1247036829.715:51 | audit2allow -m xymon
(if auditd service is not running AVC messages will be in /var/log/messages)
Here is my custom xymon policy:
cat xymon.te
# begin #
module xymon 1.0;
require {
type ifconfig_t;
type user_home_t;
class file getattr;
class file append;
}
#============= ifconfig_t ==============
allow ifconfig_t user_home_t:file getattr;
allow ifconfig_t user_home_t:file append;
# end #
now you need to compile and load this policy:
# compile module
checkmodule -M -m -o xymon.mod xymon.te
# create policy module package
semodule_package -o xymon.pp -m xymon.mod
# install package
semodule -i xymon.pp
# display all installed modules
semodule -l
On Tue, Jul 7, 2009 at 11:11 PM, McGraw, Robert P<rmcgraw (at) purdue.edu> wrote:
> On the RH 5.3 hosts I have installed just the client side of
> hobbit.4.2.0.
>
> After a reboot I get the following in the /var/log/messages file:
>
> Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.604:109):
> avc: denied { append } for pid=8951 comm="ifconfig"
> path="/local/hobbit/client/tmp/msg.galileo.math.purdue.edu.txt.8937"
> dev=dm-3 ino=294968 scontext=system_u:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
> Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.604:110):
> avc: denied { append } for pid=8951 comm="ifconfig"
> path="/local/hobbit/client/logs/hobbitclient.log" dev=dm-3 ino=294969
> scontext=system_u:system_r:ifconfig_t:s0
> tcontext=user_u:object_r:default_t:s0 tclass=file
> Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.624:111):
> avc: denied { append } for pid=8955 comm="ifconfig"
> path="/local/hobbit/client/tmp/msg.galileo.math.purdue.edu.txt.8937"
> dev=dm-3 ino=294968 scontext=system_u:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:default_t:s0 tclass=file
> Jul 7 15:41:37 galileo kernel: type=1400 audit(1246995697.624:112):
> avc: denied { append } for pid=8955 comm="ifconfig"
> path="/local/hobbit/client/logs/hobbitclient.log" dev=dm-3 ino=294969
> scontext=system_u:system_r:ifconfig_t:s0
> tcontext=user_u:object_r:default_t:s0 tclass=file
>
>
> Right after a boot I get the following:
>
> [14][root (at) galileo]:hobbit/client/logs# ls -alZ
> drwxr-xr-x bb bb user_u:object_r:default_t:s0 ./
> drwxr-xr-x bb bb user_u:object_r:default_t:s0 ../
> -rw-r--r-- bb bb system_u:object_r:default_t:s0
> clientlaunch.galileo.math.purdue.edu.pid
> -rw-r--r-- bb bb user_u:object_r:default_t:s0 clientlaunch.log
> -rw-r--r-- bb bb user_u:object_r:default_t:s0 hobbitclient.log
>
>
> If I then manually run the init.d/hobbit start script then it shows:
>
> 35][root (at) galileo]:hobbit/client/logs# ls -alZ
> drwxr-xr-x bb bb user_u:object_r:default_t:s0 ./
> drwxr-xr-x bb bb user_u:object_r:default_t:s0 ../
> -rw-r--r-- bb bb user_u:object_r:default_t:s0
> clientlaunch.galileo.math.purdue.edu.pid
> -rw-r--r-- bb bb user_u:object_r:default_t:s0 clientlaunch.log
> -rw-r--r-- bb bb user_u:object_r:default_t:s0 hobbitclient.log
>
> and I do not get the error messages in /var/log.
>
> I know that this is being caused by SELinux, but not sure the best way
> to resolve this problem?
>
> Thanks
>
> Robert
>
>
>
>
>
>
> _____________________________________________________________________
> Robert P. McGraw, Jr.
> Manager, Computer System EMAIL: rmcgraw (at) purdue.edu
> Purdue University ROOM: MATH-807
> Department of Mathematics PHONE: (765) 494-6055
> 150 N. University Street
> West Lafayette, IN 47907-2067
>
>
>
> To unsubscribe from the hobbit list, send an e-mail to
> hobbit-unsubscribe (at) hswn.dk
>
>
>