Unable to fetch details from provider registered to cimserver in enforced mode

Support for security such as Firewalls and securing linux
vjpiyush
Posts: 22
Joined: 2014/09/08 05:52:28

Unable to fetch details from provider registered to cimserver in enforced mode

Post by vjpiyush » 2019/07/02 06:35:06

ENV Details :
CentOS 7.6

The provider is registered with tog-pegasus successfully, but the commands are unable to fetch the required details in SELinux enforced mode.
If we change SELinux to Permissive mode, it works fine and is able to retrieve values. The same code works fine in CentOS 7.5 and is broken in CentOS 7.6. We have this code to retrieve values from the provider in the init flow.

The status from cmd "cimprovider -l -s" is "OK" for all providers.

Getting the following audit log errors.

Enforced Mode

type=AVC msg=audit(1562045681.550:134210): avc: denied { map } for pid=34214 comm="cimprovagt" path="/dev/mem" dev="devtmpfs" ino=1027 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0

type=AVC msg=audit(1562045681.562:134211): avc: denied { getattr } for pid=34217 comm="sh" path="/usr/sbin/iscsiadm" dev="dm-0" ino=546968 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file permissive=0

type=AVC msg=audit(1562045681.562:134212): avc: denied { read } for pid=34214 comm="cimprovagt" name="nodes" dev="dm-7" ino=1527 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=dir permissive=0

SELinux Contexts
[root@ci-9cb6549811b8 usb]# ll -Z /usr/libexec/pegasus/cimprovagt
-rwxr-xr-x. root pegasus system_u:object_r:bin_t:s0 /usr/libexec/pegasus/cimprovagt

Kindly provide the input to resolve the issue.

vjpiyush
Posts: 22
Joined: 2014/09/08 05:52:28

Re: Unable to fetch details from provider registered to cimserver in enforced mode

Post by vjpiyush » 2019/07/05 04:32:05

@TrevorH - Can you help me out on this or point me to the right folks who can help me?
It's still not resolved.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Unable to fetch details from provider registered to cimserver in enforced mode

Post by hunter86_bg » 2019/07/05 14:20:20

In order to obtain the necessary logs, set SELINUX in permissive mode and then run the command.
Can you check if SELINUX is OK:

rpm -V $(rpm -qa | grep -i selinux)
If needed, try to reinstall the selinux packages.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Unable to fetch details from provider registered to cimserver in enforced mode

Post by TrevorH » 2019/07/05 14:53:27

More exactly, run

service auditd rotate
rename or delete the old files from /var/log/audit.
setenforce 0
recreate the problem

Now use the wiki http://wiki.centos.org/HowTos/SELinux to generate your own policy file, read the .te version of it before you use it to see what it will do and if it looks sane.

Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fed ... ced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/se ... licy-guide | http://freecomputerbooks.com/The-SELinu ... tions.html
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
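
Added example, not part of any post in this thread: a small Python script that parses the three AVC records quoted in the first post and prints the `allow` rule each one would translate to, annotated with the object that was touched, as an aid to the ".te" review step suggested above. The function names are hypothetical, and records logged in permissive mode use the same line format with `permissive=1`.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the first post of this thread.
SAMPLE = """\
type=AVC msg=audit(1562045681.550:134210): avc: denied { map } for pid=34214 comm="cimprovagt" path="/dev/mem" dev="devtmpfs" ino=1027 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1562045681.562:134211): avc: denied { getattr } for pid=34217 comm="sh" path="/usr/sbin/iscsiadm" dev="dm-0" ino=546968 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562045681.562:134212): avc: denied { read } for pid=34214 comm="cimprovagt" name="nodes" dev="dm-7" ino=1527 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:iscsi_var_lib_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')


def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class).

    Returns two dicts keyed by that tuple: denied permissions and
    the object paths/names seen in the matching records.
    """
    rules, objects = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (se_type(m.group("s")), se_type(m.group("t")), m.group("cls"))
        rules[key].update(m.group("perms").split())
        obj = OBJ_RE.search(line)
        if obj:
            objects[key].add(obj.group(1))
    return rules, objects


def to_te(rules, objects):
    """Render the grouped denials as annotated .te-style allow rules."""
    out = []
    for key in sorted(rules):
        src, tgt, cls = key
        perms = sorted(rules[key])
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        touched = ", ".join(sorted(objects.get(key, ()))) or "unknown object"
        out += [f"# touched: {touched}", f"allow {src} {tgt}:{cls} {perm};"]
    return out


if __name__ == "__main__":
    print("\n".join(to_te(*summarize(SAMPLE))))
```

Each printed rule is paired with the file or device behind it, so a rule such as the `map` permission on `/dev/mem` can be weighed on its own before a generated module is loaded.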
