* Audisp plugin and SELinux
@ 2016-02-24 14:40 Lev Stipakov
2016-02-24 15:02 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Lev Stipakov @ 2016-02-24 14:40 UTC (permalink / raw)
To: linux-audit
Hello,
My audisp plugin has a file-based database in /var/lib/xxx directory. I
noticed that on systems with SELinux enabled plugin cannot read/write
that file.
According to ps, plugin is run under audisp_t domain:
-bash-4.1$ ps axZ | grep plugin
unconfined_u:system_r:audisp_t:s0 1845 ? S< 0:00 /usr/sbin/plugin 1
Obviously I don't want to disable SELinux. What would be the recommended
way to allow plugin read/write file(s) under /var/run/xxx ?
-Lev
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Audisp plugin and SELinux
2016-02-24 14:40 Audisp plugin and SELinux Lev Stipakov
@ 2016-02-24 15:02 ` Steve Grubb
2016-02-24 15:53 ` Simon Sekidde
0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2016-02-24 15:02 UTC (permalink / raw)
To: linux-audit
On Wednesday, February 24, 2016 04:40:13 PM Lev Stipakov wrote:
> My audisp plugin has a file-based database in /var/lib/xxx directory. I
> noticed that on systems with SELinux enabled plugin cannot read/write
> that file.
>
> According to ps, plugin is run under audisp_t domain:
>
> -bash-4.1$ ps axZ | grep plugin
> unconfined_u:system_r:audisp_t:s0 1845 ? S< 0:00 /usr/sbin/plugin 1
>
> Obviously I don't want to disable SELinux. What would be the recommended
> way to allow plugin read/write file(s) under /var/run/xxx ?
The plugin should have its own policy. I don't think audisp_t should be
broadened to allow things it shouldn't be doing. There are probably several
people on this list that can give you advice on creating a policy.
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Audisp plugin and SELinux
2016-02-24 15:02 ` Steve Grubb
@ 2016-02-24 15:53 ` Simon Sekidde
0 siblings, 0 replies; 3+ messages in thread
From: Simon Sekidde @ 2016-02-24 15:53 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
----- Original Message -----
> From: "Steve Grubb" <sgrubb@redhat.com>
> To: linux-audit@redhat.com
> Sent: Wednesday, February 24, 2016 10:02:25 AM
> Subject: Re: Audisp plugin and SELinux
>
> On Wednesday, February 24, 2016 04:40:13 PM Lev Stipakov wrote:
> > My audisp plugin has a file-based database in /var/lib/xxx directory. I
> > noticed that on systems with SELinux enabled plugin cannot read/write
> > that file.
> >
> > According to ps, plugin is run under audisp_t domain:
> >
> > -bash-4.1$ ps axZ | grep plugin
> > unconfined_u:system_r:audisp_t:s0 1845 ? S< 0:00 /usr/sbin/plugin 1
> >
> > Obviously I don't want to disable SELinux. What would be the recommended
> > way to allow plugin read/write file(s) under /var/run/xxx ?
>
If you label the dir as audisp_var_run_t then this should work nicely with SELinux
# semanage fcontext -a -t audisp_var_run_t /var/run/xxx
# restorecon -Rv /var/run/xxx
> The plugin should have its own policy. I don't think audisp_t should be
> broadened to allow things it shouldn't be doing. There are probably several
> people on this list that can give you advice on creating a policy.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Simon Sekidde * Red Hat, Inc. * Westford, MA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-02-24 15:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-24 14:40 Audisp plugin and SELinux Lev Stipakov
2016-02-24 15:02 ` Steve Grubb
2016-02-24 15:53 ` Simon Sekidde
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox