On SELinux enabled systems (default on CentosOS/RHEL 6.x and higher), it may deny access when system utilities are called from a daemon's context used for automation or monitoring purposes.
You will see some deny messages within /var/log/audit.log that indicate SELinux is blocking access.
So follow this procedure for simply allow things denied by SELinux policies:
1. Set concerning context to permissive (will still log whitn audit.log:
Important: If the programme is doing things that wouldn't be done at every run, like caching (e.g. yum), try to clean programme's cache before running so you catch everything it may do!
4. Search for log entries and build a policy module & package out of it, analysis beginning from date today" (and optionally a time spec):
5. Import policy package:
6. Disable permissive mode for context again:
7. Disable logging of rules defined as dontaudit:
8. Test if intended stuff works now!
When you still see some single denials within audit.log, and quickly what to complete the policy with the rules seen, you may:
1. Edit zabbix_megacli.te and add missing operations like write, lock, etc. to the allow rules - don't forget to also specify those ops within concerning class!
2. Compile module file:
For more info, see here:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
3. Import policy package:
1. Copy the policy package (<policy>.pp) to the host you want to apply policy
2. Run the following command on every machine to load the package:
You will see some deny messages within /var/log/audit.log that indicate SELinux is blocking access.
So follow this procedure for simply allow things denied by SELinux policies:
Build SELinux Policy
1. Set concerning context to permissive (will still log whitn audit.log:
semanage permissive -a zabbix_agent_t2. Allow logging even rules are set to dontaudit:
semodule -DB3. Now let the programme or script do its intended job.
Important: If the programme is doing things that wouldn't be done at every run, like caching (e.g. yum), try to clean programme's cache before running so you catch everything it may do!
4. Search for log entries and build a policy module & package out of it, analysis beginning from date today" (and optionally a time spec):
ausearch -r -m avc -ts today [HH:MM] | audit2allow -M zabbix_megacli
5. Import policy package:
semodule -i zabbix_megacli.pp
6. Disable permissive mode for context again:
semanage permissive -d zabbix_agent_t
7. Disable logging of rules defined as dontaudit:
semodule -B
8. Test if intended stuff works now!
Adjust policy
When you still see some single denials within audit.log, and quickly what to complete the policy with the rules seen, you may:
1. Edit zabbix_megacli.te and add missing operations like write, lock, etc. to the allow rules - don't forget to also specify those ops within concerning class!
2. Compile module file:
checkmodule -M -m -o zabbix_megacli.mod zabbix_megacli.te3. (Re-)create the module package from module file:
semodule_package -o zabbix_megacli.pp -m zabbix_megacli.mod
For more info, see here:
https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
3. Import policy package:
semodule -i zabbix_megacli.pp
Apply Policy to other hosts
1. Copy the policy package (<policy>.pp) to the host you want to apply policy
2. Run the following command on every machine to load the package:
semodule -i zabbix_megacli.pp
add comment
( 1621 views )
| permalink
| related link
| ( 3 / 1534 )