Hi everyone,
Hope you're doing well.
I was working for a client who complained about some errors they had found in their logs involving AHF/OSWatcher and SELinux.
Here are the errors they found (output truncated to make it easier to read):
type=AVC msg=audit(1726515744.9:642519): avc: denied { append } for pid=1443468 comm="ip" path="/u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/archive/oswifconfig/dsloracpp01_ifconfig_24.09.16.15000.dat" dev="dm-12" ino=410185890 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1726515744.9:642519): avc: denied { append } for pid=1443468 comm="ip" path="/u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/run_1726252447.log" dev="dm-12" ino=13430405 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1726515744.9:642519): arch=x86_64 syscall=execve success=yes exit=0 a0=55b67c189980 a1=55b67c18ae10 a2=55b67c18bbd0 a3=1b6 items=0 ppid=1443450 pid=1443468 auid=4294967295 uid=500 gid=54321 euid=500 suid=500 fsuid=500 egid=54321 sgid=54321 fsgid=54321 tty=(none) ses=4294967295 comm="ip" exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)
This means SELinux is denying OSWatcher's ip command permission to append to two of its own files. Note that the command itself is not blocked: the SYSCALL record carries the same event id (642519) and shows execve success=yes. The denials are raised while ip is being executed, because the parent process (ppid=1443450, presumably the OSWatcher collector script) had already opened the two files with a redirect, and ip inherits them as its standard output and error when it transitions into the ifconfig_t domain. SELinux checks inherited file descriptors at that moment; when it denies them, the command still runs but its output to those files is lost, which is why the collected data is missing.
Files with access denied:
- /u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/run_1726252447.log
- /u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/archive/oswifconfig/dsloracpp01_ifconfig_24.09.16.15000.dat
Command denied permission to append to the logs:
- ip
Breaking it down:
- avc: denied { append } → SELinux denied the append operation.
- comm="ip" → the command attempting the operation is ip (used for network configuration).
- path="/u01/app/grid/oracle.ahf/data/repository/…ifconfig_24.09.16.15000.dat" → the file ip is trying to append to, inside the Oracle AHF repository.
- scontext=system_u:system_r:ifconfig_t:s0 → the source security context; ifconfig_t is the domain the ip command runs in.
- tcontext=system_u:object_r:default_t:s0 → the target file's context. default_t is the fallback type given to files under a path that matches no file-context rule (/u01 here), so it suggests the files were never labeled for this use. It also means that any rule letting a domain write to default_t covers every default_t file on the system, not just OSWatcher's, which is why these rules should stay as narrow as possible.
- tclass=file permissive=0 → the object is a regular file, and since permissive=0 SELinux is enforcing this policy and actively blocking the operation.
The client asked us to fix the issue instead of disabling SELinux.
So, from the audit.log where we have the denials, we generated a SELinux module to allow this access:
cat /var/log/audit/audit.log | grep "denied" | audit2allow -M allow_ip_oracle
This command will create two files:
- allow_ip_oracle.te: This is the policy source file.
- allow_ip_oracle.pp: This is the compiled policy package.
Below I will show the content for the policy source file:
module allow_ip_oracle 1.0;
require {
type ifconfig_t;
type su_exec_t;
type sysstat_t;
type ping_t;
type init_t;
type dmesg_t;
type default_t;
class file { append execute read write };
}
#============= dmesg_t ==============
allow dmesg_t default_t:file write;
#============= ifconfig_t ==============
allow ifconfig_t default_t:file { append read write };
#============= init_t ==============
allow init_t su_exec_t:file { execute read };
#============= ping_t ==============
allow ping_t default_t:file write;
#============= sysstat_t ==============
allow sysstat_t default_t:file write;
Review the source before installing it. audit2allow translates every denial piped into it, and grep "denied" matched the whole audit.log, so the rules for dmesg_t, ping_t, sysstat_t and init_t above came from other records in the log, not from the three records shown earlier. Keep only the rules you can tie to the problem you are fixing. You can save the source file for reference or future changes; as long as you have the compiled policy package, you just need to install it:
semodule -i allow_ip_oracle.pp
You can confirm if the module has been installed:
semodule -l | grep allow_ip_oracle
allow_ip_oracle
If you only have the source and want to compile it yourself, you need the selinux-policy-devel package. As root, install it (output truncated to make it easier to read):
dnf install -y selinux-policy-devel
Upgraded:
  selinux-policy-3.14.3-139.0.1.el8_10.1.noarch
  selinux-policy-targeted-3.14.3-139.0.1.el8_10.1.noarch
Installed:
  m4-1.4.18-7.el8.aarch64
  policycoreutils-devel-2.9-26.0.1.el8_10.aarch64
  selinux-policy-devel-3.14.3-139.0.1.el8_10.1.noarch
Complete!
Once you have the package installed on Linux, compile the module:
checkmodule -M -m -o allow_ip_oracle.mod allow_ip_oracle.te
This will compile the source (.te file) into a module file (.mod).
Then package it:
semodule_package -o allow_ip_oracle.pp -m allow_ip_oracle.mod
This wraps the compiled module into a policy package (.pp), which you install as explained before:
semodule -i allow_ip_oracle.pp
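To make the steps above concrete, here is an added example (not code from the original post, from Oracle AHF or from audit2allow itself) that does by hand what audit2allow did for us: it parses AVC records into (source type, target type, class, permission) tuples, the same fields walked through in the breakdown earlier, and emits a .te in the shape shown above, so every rule can be read before it is compiled and installed. The sample records are the three from this post plus one constructed ping_t denial; the module name allow_ip_oracle and the AUDIT_LOG environment variable used for the real run are assumptions, and the compile/install step only runs when that variable is set and checkmodule is present.

```shell
#!/bin/sh
# Added example, not from the original post. summarize_avc extracts the
# source type, target type, class and permission from AVC records;
# avc_to_te turns that summary into a module source (.te) in the same shape
# as the one generated by audit2allow; build_and_install runs the same
# checkmodule / semodule_package / semodule steps as the post.

# Constructed sample: the two AVC records and the SYSCALL record from the
# post, plus one made-up ping_t denial (last line) so that two domains end
# up in one module.
SAMPLE_AUDIT='type=AVC msg=audit(1726515744.9:642519): avc: denied { append } for pid=1443468 comm="ip" path="/u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/archive/oswifconfig/dsloracpp01_ifconfig_24.09.16.15000.dat" dev="dm-12" ino=410185890 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1726515744.9:642519): avc: denied { append } for pid=1443468 comm="ip" path="/u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/run_1726252447.log" dev="dm-12" ino=13430405 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1726515744.9:642519): arch=x86_64 syscall=execve success=yes exit=0 a0=55b67c189980 a1=55b67c18ae10 a2=55b67c18bbd0 a3=1b6 items=0 ppid=1443450 pid=1443468 auid=4294967295 uid=500 gid=54321 euid=500 suid=500 fsuid=500 egid=54321 sgid=54321 fsgid=54321 tty=(none) ses=4294967295 comm="ip" exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1726515744.9:642520): avc: denied { write } for pid=1443470 comm="ping" path="/u01/app/grid/oracle.ahf/data/repository/suptools/dsloracpp01/oswbb/oracle/run_1726252447.log" dev="dm-12" ino=13430405 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# One line per (source type, target type, class, permission), de-duplicated.
# SYSCALL records and anything without "avc: denied" are ignored. The type
# is the third colon-separated field of a context (user:role:type:level).
summarize_avc() {
    awk '/avc: +denied/ {
        src = tgt = cls = ""
        b = index($0, "{"); e = index($0, "}")
        perms = substr($0, b + 1, e - b - 1)
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 9) == "scontext=") { split(substr($i, 10), c, ":"); src = c[3] }
            if (substr($i, 1, 9) == "tcontext=") { split(substr($i, 10), c, ":"); tgt = c[3] }
            if (substr($i, 1, 7) == "tclass=") cls = substr($i, 8)
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | sort -u
}

# Build a module source from summarize_avc output; $1 is the module name.
# Types and classes are listed in order of first appearance in the require
# block, then one allow rule per (source, target, class) with all its perms.
avc_to_te() {
    awk -v mod="$1" '
    {
        key = $1 "|" $2 "|" $3
        if (!(key in rule)) { keys[++nk] = key; rule[key] = "" }
        rule[key] = rule[key] " " $4
        if (!($1 in seen_t)) { seen_t[$1] = 1; types[++nt] = $1 }
        if (!($2 in seen_t)) { seen_t[$2] = 1; types[++nt] = $2 }
        if (!($3 in seen_c)) { seen_c[$3] = 1; classes[++nc] = $3; cperm[$3] = "" }
        if (!(($3 "|" $4) in seen_cp)) { seen_cp[$3 "|" $4] = 1; cperm[$3] = cperm[$3] " " $4 }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], cperm[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nk; i++) {
            split(keys[i], k, "|")
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], rule[keys[i]]
        }
    }'
}

# Compile, package and install $1.te, then confirm the module is loaded.
# Needs root and the SELinux tools; same commands as in the post.
build_and_install() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp" &&
    semodule -l | grep "^$1"
}

# Review step on the embedded sample: runs anywhere with awk and sort.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | avc_to_te allow_ip_oracle

# Real run (AUDIT_LOG is an assumed variable, e.g. /var/log/audit/audit.log).
# Only denials that mention the AHF repository feed the module, so unrelated
# denials elsewhere in the log are not allowed along with them.
if [ -n "${AUDIT_LOG:-}" ] && command -v checkmodule >/dev/null 2>&1; then
    grep -F 'oracle.ahf' "$AUDIT_LOG" | summarize_avc | avc_to_te allow_ip_oracle > allow_ip_oracle.te
    cat allow_ip_oracle.te          # read it before the next line installs it
    build_and_install allow_ip_oracle
fi
```

Run it as-is to see the summary and the generated .te for the sample records; run it as root with AUDIT_LOG=/var/log/audit/audit.log to build and install a module from the denials that mention the AHF repository. Filtering on the path before generating the module is what keeps denials from other software out of it, which grep "denied" over the whole log does not do.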
Hope it helps.
Peace!
Vinicius