SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

Lawrence E Graves lgraves95 at gmail.com
Sun Dec 21 13:59:46 UTC 2014


SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

***** Plugin restorecon (94.8 confidence) suggests ************************

If you want to fix the label.
/var/cache/dnf default label should be rpm_var_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/cache/dnf

***** Plugin catchall_labels (5.21 confidence) suggests *******************

If you want to allow logrotate to have read access on the dnf directory
Then you need to change the label on /var/cache/dnf
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/dnf'
where FILE_TYPE is one of the following: NetworkManager_log_t, 
NetworkManager_unit_file_t, NetworkManager_var_run_t, abrt_unit_file_t, 
abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_unit_file_t, 
acct_data_t, admin_home_t, afs_logfile_t, aiccu_var_run_t, aide_log_t, 
ajaxterm_var_run_t, alsa_unit_file_t, alsa_var_run_t, amanda_log_t, 
amanda_unit_file_t, antivirus_log_t, antivirus_unit_file_t, 
antivirus_var_run_t, apcupsd_log_t, apcupsd_unit_file_t, 
apcupsd_var_run_t, apmd_log_t, apmd_unit_file_t, apmd_var_run_t, 
arpwatch_unit_file_t, arpwatch_var_run_t, asterisk_log_t, 
asterisk_var_run_t, audisp_var_run_t, auditd_unit_file_t, 
auditd_var_run_t, auth_cache_t, automount_unit_file_t, 
automount_var_run_t, avahi_unit_file_t, avahi_var_run_t, bacula_log_t, 
bacula_var_run_t, bcfg2_unit_file_t, bcfg2_var_run_t, bin_t, 
bitlbee_log_t, bitlbee_var_run_t, blktap_var_run_t, blueman_var_run_t, 
bluetooth_unit_file_t, bluetooth_var_run_t, boinc_log_t, 
boinc_unit_file_t, boot_t, bootloader_var_run_t, brltty_unit_file_t, 
brltty_var_run_t, bumblebee_unit_file_t, bumblebee_var_run_t, 
cachefilesd_var_run_t, calamaris_log_t, callweaver_log_t, 
callweaver_var_run_t, canna_log_t, canna_var_run_t, cardmgr_var_run_t, 
ccs_var_lib_t, ccs_var_log_t, ccs_var_run_t, cert_t, 
certmaster_var_log_t, certmaster_var_run_t, certmonger_var_run_t, 
cfengine_log_t, cgred_log_t, cgred_var_run_t, cgroup_t, checkpc_log_t, 
chronyd_unit_file_t, chronyd_var_log_t, chronyd_var_run_t, 
cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_log_t, 
cinder_scheduler_unit_file_t, cinder_var_run_t, 
cinder_volume_unit_file_t, clogd_var_run_t, cloud_init_unit_file_t, 
cloud_log_t, cluster_unit_file_t, cluster_var_log_t, cluster_var_run_t, 
clvmd_var_run_t, cmirrord_var_run_t, cobbler_var_log_t, 
cockpit_unit_file_t, collectd_unit_file_t, collectd_var_run_t, 
colord_unit_file_t, comsat_var_run_t, condor_log_t, condor_unit_file_t, 
condor_var_run_t, conman_log_t, conman_unit_file_t, conman_var_run_t, 
consolekit_log_t, consolekit_unit_file_t, consolekit_var_run_t, 
couchdb_log_t, couchdb_unit_file_t, couchdb_var_run_t, 
courier_var_run_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_log_t, 
cron_var_run_t, crond_unit_file_t, crond_var_run_t, ctdbd_log_t, 
ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_log_t, 
cupsd_lpd_var_run_t, cupsd_unit_file_t, cupsd_var_run_t, cvs_var_run_t, 
cyphesis_log_t, cyphesis_var_run_t, cyrus_var_run_t, dbskkd_var_run_t, 
dbusd_etc_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, 
dccm_var_run_t, dcerpcd_var_run_t, ddclient_log_t, ddclient_var_run_t, 
deltacloudd_log_t, deltacloudd_var_run_t, denyhosts_var_log_t, device_t, 
devicekit_var_log_t, devicekit_var_run_t, dhcpc_var_run_t, 
dhcpd_unit_file_t, dhcpd_var_run_t, dictd_var_run_t, 
dirsrv_snmp_var_log_t, dirsrv_snmp_var_run_t, dirsrv_var_log_t, 
dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_log_t, 
dlm_controld_var_run_t, dnsmasq_unit_file_t, dnsmasq_var_log_t, 
dnsmasq_var_run_t, dnssec_trigger_var_run_t, docker_log_t, 
docker_unit_file_t, docker_var_run_t, dovecot_var_log_t, 
dovecot_var_run_t, dspam_log_t, dspam_var_run_t, entropyd_var_run_t, 
etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_log_t, 
evtchnd_var_run_t, exim_log_t, exim_var_run_t, fail2ban_log_t, 
fail2ban_var_run_t, faillog_t, fcoemon_var_run_t, fenced_var_log_t, 
fenced_var_run_t, fetchmail_log_t, fetchmail_var_run_t, file_context_t, 
fingerd_log_t, fingerd_var_run_t, firewalld_unit_file_t, 
firewalld_var_log_t, firewalld_var_run_t, foghorn_var_log_t, 
foghorn_var_run_t, fonts_cache_t, fonts_t, 
freeipmi_bmc_watchdog_unit_file_t, freeipmi_bmc_watchdog_var_run_t, 
freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmidetectd_var_run_t, 
freeipmi_ipmiseld_unit_file_t, freeipmi_ipmiseld_var_run_t, fsadm_log_t, 
fsadm_var_run_t, fsdaemon_var_run_t, ftpd_unit_file_t, ftpd_var_run_t, 
games_srv_var_run_t, gdomap_var_run_t, gear_log_t, gear_unit_file_t, 
gear_var_run_t, getty_log_t, getty_unit_file_t, getty_var_run_t, 
gfs_controld_var_log_t, gfs_controld_var_run_t, glance_api_unit_file_t, 
glance_log_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, 
glance_var_run_t, glusterd_log_t, glusterd_var_run_t, gpm_var_run_t, 
gpsd_var_run_t, greylist_milter_data_t, groupd_var_log_t, 
groupd_var_run_t, gssproxy_unit_file_t, gssproxy_var_run_t, 
haproxy_unit_file_t, haproxy_var_log_t, haproxy_var_run_t, 
httpd_config_t, httpd_log_t, httpd_sys_rw_content_t, httpd_unit_file_t, 
httpd_var_run_t, hwdata_t, hypervkvp_unit_file_t, 
hypervvssd_unit_file_t, icecast_log_t, icecast_var_run_t, 
ifconfig_var_run_t, inetd_child_var_run_t, inetd_log_t, inetd_var_run_t, 
init_var_run_t, initrc_var_log_t, initrc_var_run_t, innd_log_t, 
innd_var_run_t, insmod_var_run_t, iodined_unit_file_t, 
ipa_otpd_unit_file_t, ipsec_log_t, ipsec_mgmt_unit_file_t, 
ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_unit_file_t, 
iptables_var_run_t, irqbalance_var_run_t, iscsi_log_t, 
iscsi_unit_file_t, iscsi_var_run_t, isnsd_var_run_t, iwhd_log_t, 
iwhd_var_run_t, jetty_log_t, jetty_var_run_t, jockey_var_log_t, 
kadmind_log_t, kadmind_var_run_t, kdump_unit_file_t, 
keepalived_unit_file_t, keepalived_var_run_t, keystone_log_t, 
keystone_unit_file_t, keystone_var_run_t, kismet_log_t, 
kismet_var_run_t, klogd_var_run_t, kmscon_unit_file_t, krb5kdc_log_t, 
krb5kdc_var_run_t, ksmtuned_log_t, ksmtuned_unit_file_t, 
ksmtuned_var_run_t, ktalkd_log_t, ktalkd_unit_file_t, l2tpd_var_run_t, 
lastlog_t, lib_t, lircd_var_run_t, lldpad_var_run_t, locale_t, 
locate_var_run_t, logrotate_tmp_t, logrotate_var_lib_t, 
logwatch_var_run_t, lpd_var_run_t, lsassd_var_run_t, lsmd_unit_file_t, 
lsmd_var_run_t, lvm_unit_file_t, lvm_var_run_t, lwiod_var_run_t, 
lwregd_var_run_t, lwsmd_var_run_t, mailman_log_t, mailman_var_run_t, 
man_cache_t, man_t, mcelog_log_t, mcelog_var_run_t, mdadm_unit_file_t, 
mdadm_var_run_t, memcached_var_run_t, minidlna_log_t, 
minidlna_var_run_t, minissdpd_var_run_t, mip6d_unit_file_t, 
mirrormanager_log_t, mirrormanager_var_run_t, mock_var_run_t, 
modemmanager_unit_file_t, mon_statd_var_run_t, mongod_log_t, 
mongod_var_run_t, motion_log_t, motion_unit_file_t, motion_var_run_t, 
mount_var_run_t, mpd_log_t, mpd_var_run_t, mrtg_log_t, mrtg_var_run_t, 
mscan_var_run_t, munin_etc_t, munin_log_t, munin_var_run_t, 
mysqld_etc_t, mysqld_log_t, mysqld_unit_file_t, mysqld_var_run_t, 
mysqlmanagerd_var_run_t, mythtv_var_log_t, naemon_log_t, 
naemon_var_run_t, nagios_log_t, nagios_var_run_t, named_cache_t, 
named_log_t, named_unit_file_t, named_var_run_t, net_conf_t, 
netlabel_mgmt_unit_file_t, netlogond_var_run_t, neutron_log_t, 
neutron_unit_file_t, neutron_var_run_t, nfsd_unit_file_t, ninfod_run_t, 
ninfod_unit_file_t, nis_unit_file_t, nmbd_var_run_t, 
nova_ajax_unit_file_t, nova_api_unit_file_t, nova_cert_unit_file_t, 
nova_compute_unit_file_t, nova_conductor_unit_file_t, 
nova_console_unit_file_t, nova_direct_unit_file_t, nova_log_t, 
nova_network_unit_file_t, nova_objectstore_unit_file_t, 
nova_scheduler_unit_file_t, nova_var_run_t, nova_vncproxy_unit_file_t, 
nova_volume_unit_file_t, nrpe_var_run_t, nscd_log_t, nscd_unit_file_t, 
nscd_var_run_t, nsd_var_run_t, nslcd_var_run_t, ntop_var_run_t, 
ntpd_log_t, ntpd_unit_file_t, ntpd_var_run_t, numad_unit_file_t, 
numad_var_log_t, numad_var_run_t, nut_unit_file_t, nut_var_run_t, 
nx_server_var_run_t, oddjob_unit_file_t, oddjob_var_run_t, 
openct_var_run_t, openhpid_var_run_t, openshift_log_t, 
openshift_var_lib_t, openshift_var_run_t, opensm_log_t, 
opensm_unit_file_t, openvpn_status_t, openvpn_var_log_t, 
openvpn_var_run_t, openvswitch_log_t, openvswitch_unit_file_t, 
openvswitch_var_run_t, openwsman_log_t, openwsman_run_t, 
openwsman_unit_file_t, osad_log_t, osad_var_run_t, pads_var_run_t, 
pam_var_console_t, pam_var_run_t, passenger_log_t, passenger_var_run_t, 
pcp_log_t, pcp_var_run_t, pcscd_var_run_t, 
pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, 
pesign_unit_file_t, pesign_var_run_t, phc2sys_unit_file_t, 
piranha_fos_var_run_t, piranha_log_t, piranha_lvs_var_run_t, 
piranha_pulse_var_run_t, piranha_web_var_run_t, pkcs_slotd_var_run_t, 
pki_ra_log_t, pki_ra_var_run_t, pki_tomcat_log_t, 
pki_tomcat_unit_file_t, pki_tomcat_var_run_t, pki_tps_log_t, 
pki_tps_var_run_t, plymouthd_var_log_t, plymouthd_var_run_t, 
policykit_var_run_t, polipo_log_t, polipo_pid_t, polipo_unit_file_t, 
portmap_var_run_t, portreserve_var_run_t, postfix_postdrop_t, 
postfix_var_run_t, postgresql_log_t, postgresql_var_run_t, 
postgrey_var_run_t, power_unit_file_t, pppd_log_t, pppd_unit_file_t, 
pppd_var_run_t, pptp_log_t, pptp_var_run_t, prelink_log_t, 
prelude_audisp_var_run_t, prelude_lml_var_run_t, prelude_log_t, 
prelude_var_run_t, privoxy_log_t, privoxy_var_run_t, proc_t, 
procmail_log_t, prosody_unit_file_t, prosody_var_run_t, psad_var_log_t, 
psad_var_run_t, ptal_var_run_t, ptp4l_unit_file_t, pulseaudio_var_run_t, 
puppet_log_t, puppet_var_run_t, pwauth_var_run_t, pyicqt_log_t, 
pyicqt_var_run_t, qdiskd_var_log_t, qdiskd_var_run_t, qemu_var_run_t, 
qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_unit_file_t, 
rabbitmq_var_log_t, rabbitmq_var_run_t, radiusd_log_t, 
radiusd_unit_file_t, radiusd_var_run_t, radvd_var_run_t, 
rasdaemon_unit_file_t, rdisc_unit_file_t, readahead_var_run_t, 
redis_log_t, redis_unit_file_t, redis_var_run_t, regex_milter_data_t, 
restorecond_var_run_t, rhev_agentd_log_t, rhev_agentd_unit_file_t, 
rhev_agentd_var_run_t, rhnsd_unit_file_t, rhnsd_var_run_t, 
rhsmcertd_log_t, rhsmcertd_var_run_t, ricci_modcluster_var_log_t, 
ricci_modcluster_var_run_t, ricci_var_log_t, ricci_var_run_t, 
rlogind_var_run_t, rngd_unit_file_t, rngd_var_run_t, 
rolekit_unit_file_t, root_t, roundup_var_run_t, rpcbind_var_run_t, 
rpcd_unit_file_t, rpcd_var_run_t, rpm_log_t, rpm_var_cache_t, 
rpm_var_run_t, rsync_log_t, rsync_var_run_t, rtas_errd_log_t, 
rtas_errd_unit_file_t, rtas_errd_var_run_t, samba_etc_t, samba_log_t, 
samba_unit_file_t, sanlock_log_t, sanlock_unit_file_t, 
sanlock_var_run_t, saslauthd_var_run_t, sblim_var_run_t, 
screen_var_run_t, sectool_var_log_t, security_t, sendmail_log_t, 
sendmail_var_run_t, sensord_log_t, sensord_unit_file_t, 
sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_log_t, 
setroubleshoot_var_run_t, shell_exec_t, shorewall_log_t, slapd_log_t, 
slapd_unit_file_t, slapd_var_run_t, slpd_log_t, slpd_var_run_t, 
smbd_var_run_t, smokeping_var_run_t, smsd_log_t, smsd_var_run_t, 
snapperd_log_t, snmpd_log_t, snmpd_var_run_t, snort_log_t, 
snort_var_run_t, sosreport_var_run_t, soundd_var_run_t, 
spamass_milter_data_t, spamd_log_t, spamd_var_run_t, 
speech-dispatcher_log_t, speech-dispatcher_unit_file_t, squid_log_t, 
squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_keygen_unit_file_t, 
sshd_unit_file_t, sshd_var_run_t, sssd_public_t, sssd_unit_file_t, 
sssd_var_log_t, sssd_var_run_t, stapserver_log_t, stapserver_var_run_t, 
stunnel_var_run_t, svnserve_unit_file_t, svnserve_var_run_t, 
swat_var_run_t, swift_unit_file_t, swift_var_run_t, sysfs_t, 
syslogd_var_run_t, sysstat_log_t, system_conf_t, 
system_cronjob_var_run_t, system_db_t, system_dbusd_var_run_t, 
systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, 
systemd_logind_var_run_t, systemd_networkd_unit_file_t, 
systemd_networkd_var_run_t, systemd_passwd_var_run_t, 
systemd_runtime_unit_file_t, systemd_unit_file_t, 
systemd_vconsole_unit_file_t, telnetd_var_run_t, textrel_shlib_t, 
tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_log_t, 
thin_aeolus_configserver_var_run_t, thin_log_t, thin_var_run_t, 
timemaster_unit_file_t, timemaster_var_run_t, tmp_t, tomcat_log_t, 
tomcat_unit_file_t, tomcat_var_run_t, tor_unit_file_t, tor_var_log_t, 
tor_var_run_t, tuned_log_t, tuned_var_run_t, udev_var_run_t, 
ulogd_var_log_t, uml_switch_var_run_t, usbmuxd_unit_file_t, 
usbmuxd_var_run_t, user_home_dir_t, useradd_var_run_t, usr_t, 
uucpd_log_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, 
var_log_t, var_run_t, var_spool_t, varnishd_var_run_t, varnishlog_log_t, 
varnishlog_var_run_t, vdagent_log_t, vdagent_var_run_t, 
vhostmd_var_run_t, virt_cache_t, virt_log_t, virt_lxc_var_run_t, 
virt_qemu_ga_log_t, virt_qemu_ga_var_run_t, virt_var_run_t, 
virtd_unit_file_t, vmtools_unit_file_t, vmware_host_pid_t, vmware_log_t, 
vmware_pid_t, vnstatd_var_run_t, vpnc_var_run_t, watchdog_log_t, 
watchdog_var_run_t, wdmd_var_run_t, winbind_log_t, winbind_var_run_t, 
wtmp_t, xdm_log_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_log_t, 
xend_var_run_t, xenstored_var_log_t, xenstored_var_run_t, xferlog_t, 
xserver_log_t, xserver_var_run_t, ypbind_unit_file_t, ypbind_var_run_t, 
yppasswdd_var_run_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_log_t, 
zabbix_var_run_t, zarafa_deliver_log_t, zarafa_deliver_var_run_t, 
zarafa_gateway_log_t, zarafa_gateway_var_run_t, zarafa_ical_log_t, 
zarafa_ical_var_run_t, zarafa_indexer_log_t, zarafa_indexer_var_run_t, 
zarafa_monitor_log_t, zarafa_monitor_var_run_t, zarafa_server_log_t, 
zarafa_server_var_run_t, zarafa_spooler_log_t, zarafa_spooler_var_run_t, 
zebra_log_t, zebra_unit_file_t, zebra_var_run_t, zoneminder_log_t, 
zoneminder_unit_file_t, zoneminder_var_run_t.
Then execute:
restorecon -v '/var/cache/dnf'


***** Plugin catchall (1.44 confidence) suggests **************************

If you believe that logrotate should be allowed read access on the dnf 
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:var_t:s0
Target Objects /var/cache/dnf [ dir ]
Source logrotate
Source Path logrotate
Port <Unknown>
Host Jehovah.local
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name Jehovah.local
Platform Linux Jehovah.local 3.17.6-300.fc21.x86_64 #1 SMP
Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count 4
First Seen 2014-12-18 06:08:01 MST
Last Seen 2014-12-21 05:37:01 MST
Local ID 473bcbf8-1305-4711-823e-5f9ae4b46070

Raw Audit Messages
type=AVC msg=audit(1419165421.976:453): avc: denied { read } for pid=6494 comm="logrotate" name="dnf" dev="sda3" ino=142352 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0


Hash: logrotate,logrotate_t,var_t,dir,read

-- 
All things are workable but don't all things work.
Prov. 3:5 & 6
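Added example, not part of Lawrence's report or of setroubleshoot itself: a small POSIX shell triage for an AVC denial like the one above. It picks between the two remedies the report offers, "relabel" (the object's label differs from its default, so restorecon is the fix) and "policy" (the label is already the default, so only a policy change or bug report helps), by comparing the type in tcontext with an expected default type. The expected type is passed in as an argument rather than queried, and the AVC line is a constructed copy of the one in the report, so the script runs offline; on a live system the expected type comes from matchpathcon /var/cache/dnf.

```shell
#!/bin/sh
# Added example (not from the original report or from setroubleshoot):
# parse one AVC denial line and decide whether the right fix is a relabel
# or a policy change. Runs offline: the expected default type is passed in
# instead of being queried with matchpathcon, and the AVC line below is a
# constructed copy of the report's raw audit message.

# Constructed sample AVC line, same shape as the one in the report above.
SAMPLE_AVC='type=AVC msg=audit(1419165421.976:453): avc: denied { read } for pid=6494 comm="logrotate" name="dnf" dev="sda3" ino=142352 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY -> value of KEY=... in the line, quotes stripped.
# The key must be preceded by whitespace so scontext and tcontext stay distinct.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT -> the type field of an SELinux context (user:role:type:level).
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the denied permission inside the braces, e.g. "read".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\) *}.*/\1/p'
}

# avc_triage LINE EXPECTED_TYPE -> "relabel" if the target's current type is
# not the expected default (restorecon fixes it), "policy" otherwise.
avc_triage() {
    actual=$(avc_type "$(avc_field "$1" tcontext)")
    if [ "$actual" != "$2" ]; then
        echo relabel
    else
        echo policy
    fi
}

# avc_summary LINE -> one-line human summary: source type, permission, class, target type.
avc_summary() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    printf '%s denied %s on %s labelled %s (comm=%s)\n' \
        "$src" "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$tgt" "$(avc_field "$1" comm)"
}

# Usage on the sample: the default type for /var/cache/dnf, per the report,
# is rpm_var_cache_t, but the denied object is labelled var_t.
avc_summary "$SAMPLE_AVC"
avc_triage "$SAMPLE_AVC" rpm_var_cache_t   # prints: relabel
```

Here the target type is var_t while the report says the default for /var/cache/dnf is rpm_var_cache_t, so the verdict is "relabel", in line with the restorecon plugin's 94.8 confidence. The catchall suggestion would instead have audit2allow emit a rule along the lines of allow logrotate_t var_t:dir read, which lets logrotate read every directory still labelled var_t, not just this one, and hides the real problem (the cache directory was created before the policy knew about dnf, or was created in a way that skipped the default label). Preview the relabel with restorecon -n -v /var/cache/dnf, then run it without -n; only if the label is already the default should a local policy module or a bug report be the next step.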


