How to create an SELinux exception for individual files
I use a monitoring tool, and on one of my systems that is checked remotely it invokes a script, which in turn runs systemctl to check the status of a service. This did not work until I put SELinux in permissive mode; however, I cannot leave this system in permissive mode. I need to use semanage to create the exception and put the system back into enforcing mode. I have used semanage before for a process but never for a file. I have been looking over the man page and searching around, but I can't figure out the exact command I need. So, say I need to allow a script called "run_this_script" in the /usr/lib64/application/plugin folder — what is the command I would use with semanage?
EDIT - to give more context on what I was seeing in the audit logs, here is a snippet (the denials are raised for the nrpe_t domain executing /usr/bin/systemctl and reading the journal directory, not for the script file itself).
type=AVC msg=audit(1446051455.169:3313): avc: denied { execute } for pid=15388 comm="check_init_serv" name="systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3313): arch=c000003e syscall=59 success=no exit=-13 a0=2098450 a1=209ba50 a2=209c680 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1446051455.169:3314): avc: denied { getattr } for pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3314): arch=c000003e syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff780 a2=7fff573ff780 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1446051455.169:3315): avc: denied { getattr } for pid=15388 comm="check_init_serv" path="/usr/bin/systemctl" dev="dm-1" ino=2101040 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446051455.169:3315): arch=c000003e syscall=4 success=no exit=-13 a0=2098450 a1=7fff573ff760 a2=7fff573ff760 a3=7fff573ff5b0 items=0 ppid=15386 pid=15388 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="check_init_serv" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)
type=AVC msg=audit(1446053257.457:3401): avc: denied { read } for pid=15647 comm="systemctl" name="journal" dev="tmpfs" ino=11584 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
linux rhel selinux
edited Oct 28 '15 at 18:37
user53029
asked Oct 28 '15 at 18:04
1 Answer
Didn't test, but..
Find the rules you need with audit2allow -a (it reads the AVC denials from the audit log; audit2allow -a -M <module_name> writes them out as a policy package <module_name>.pp). Review the generated rules before installing them — audit2allow allows exactly what was denied, here nrpe_t executing systemctl and reading the journal directory — and then run:
- Activate the policy package:
semodule -i <module_name>.pp
- Verify the module loaded:
semanage module -l | grep <module_name>
- Then go back to enforcing:
setenforce 1
answered Sep 14 '16 at 14:54
Will Chandler