SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

Daniel J Walsh dwalsh at redhat.com
Sun Dec 21 15:01:33 UTC 2014


restorecon -R -v /var/cache

Should fix the problem.  There is a new release of selinux-policy that
hopefully will fix this label permanently.


On 12/21/2014 08:59 AM, Lawrence E Graves wrote:
> SELinux is preventing logrotate from read access on the directory
> /var/cache/dnf.
>
> ***** Plugin restorecon (94.8 confidence) suggests
> ************************
>
> If you want to fix the label.
> /var/cache/dnf default label should be rpm_var_cache_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /var/cache/dnf
>
> ***** Plugin catchall_labels (5.21 confidence) suggests
> *******************
>
> If you want to allow logrotate to have read access on the dnf directory
> Then you need to change the label on /var/cache/dnf
> Do
> # semanage fcontext -a -t FILE_TYPE '/var/cache/dnf'
> where FILE_TYPE is one of the following: NetworkManager_log_t,
> NetworkManager_unit_file_t, NetworkManager_var_run_t,
> abrt_unit_file_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t,
> accountsd_unit_file_t, acct_data_t, admin_home_t, afs_logfile_t,
> aiccu_var_run_t, aide_log_t, ajaxterm_var_run_t, alsa_unit_file_t,
> alsa_var_run_t, amanda_log_t, amanda_unit_file_t, antivirus_log_t,
> antivirus_unit_file_t, antivirus_var_run_t, apcupsd_log_t,
> apcupsd_unit_file_t, apcupsd_var_run_t, apmd_log_t, apmd_unit_file_t,
> apmd_var_run_t, arpwatch_unit_file_t, arpwatch_var_run_t,
> asterisk_log_t, asterisk_var_run_t, audisp_var_run_t,
> auditd_unit_file_t, auditd_var_run_t, auth_cache_t,
> automount_unit_file_t, automount_var_run_t, avahi_unit_file_t,
> avahi_var_run_t, bacula_log_t, bacula_var_run_t, bcfg2_unit_file_t,
> bcfg2_var_run_t, bin_t, bitlbee_log_t, bitlbee_var_run_t,
> blktap_var_run_t, blueman_var_run_t, bluetooth_unit_file_t,
> bluetooth_var_run_t, boinc_log_t, boinc_unit_file_t, boot_t,
> bootloader_var_run_t, brltty_unit_file_t, brltty_var_run_t,
> bumblebee_unit_file_t, bumblebee_var_run_t, cachefilesd_var_run_t,
> calamaris_log_t, callweaver_log_t, callweaver_var_run_t, canna_log_t,
> canna_var_run_t, cardmgr_var_run_t, ccs_var_lib_t, ccs_var_log_t,
> ccs_var_run_t, cert_t, certmaster_var_log_t, certmaster_var_run_t,
> certmonger_var_run_t, cfengine_log_t, cgred_log_t, cgred_var_run_t,
> cgroup_t, checkpc_log_t, chronyd_unit_file_t, chronyd_var_log_t,
> chronyd_var_run_t, cinder_api_unit_file_t, cinder_backup_unit_file_t,
> cinder_log_t, cinder_scheduler_unit_file_t, cinder_var_run_t,
> cinder_volume_unit_file_t, clogd_var_run_t, cloud_init_unit_file_t,
> cloud_log_t, cluster_unit_file_t, cluster_var_log_t,
> cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t,
> cobbler_var_log_t, cockpit_unit_file_t, collectd_unit_file_t,
> collectd_var_run_t, colord_unit_file_t, comsat_var_run_t,
> condor_log_t, condor_unit_file_t, condor_var_run_t, conman_log_t,
> conman_unit_file_t, conman_var_run_t, consolekit_log_t,
> consolekit_unit_file_t, consolekit_var_run_t, couchdb_log_t,
> couchdb_unit_file_t, couchdb_var_run_t, courier_var_run_t,
> cpuplug_var_run_t, cpuspeed_var_run_t, cron_log_t, cron_var_run_t,
> crond_unit_file_t, crond_var_run_t, ctdbd_log_t, ctdbd_var_run_t,
> cupsd_config_var_run_t, cupsd_log_t, cupsd_lpd_var_run_t,
> cupsd_unit_file_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_log_t,
> cyphesis_var_run_t, cyrus_var_run_t, dbskkd_var_run_t, dbusd_etc_t,
> dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t,
> dcerpcd_var_run_t, ddclient_log_t, ddclient_var_run_t,
> deltacloudd_log_t, deltacloudd_var_run_t, denyhosts_var_log_t,
> device_t, devicekit_var_log_t, devicekit_var_run_t, dhcpc_var_run_t,
> dhcpd_unit_file_t, dhcpd_var_run_t, dictd_var_run_t,
> dirsrv_snmp_var_log_t, dirsrv_snmp_var_run_t, dirsrv_var_log_t,
> dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_log_t,
> dlm_controld_var_run_t, dnsmasq_unit_file_t, dnsmasq_var_log_t,
> dnsmasq_var_run_t, dnssec_trigger_var_run_t, docker_log_t,
> docker_unit_file_t, docker_var_run_t, dovecot_var_log_t,
> dovecot_var_run_t, dspam_log_t, dspam_var_run_t, entropyd_var_run_t,
> etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_log_t,
> evtchnd_var_run_t, exim_log_t, exim_var_run_t, fail2ban_log_t,
> fail2ban_var_run_t, faillog_t, fcoemon_var_run_t, fenced_var_log_t,
> fenced_var_run_t, fetchmail_log_t, fetchmail_var_run_t,
> file_context_t, fingerd_log_t, fingerd_var_run_t,
> firewalld_unit_file_t, firewalld_var_log_t, firewalld_var_run_t,
> foghorn_var_log_t, foghorn_var_run_t, fonts_cache_t, fonts_t,
> freeipmi_bmc_watchdog_unit_file_t, freeipmi_bmc_watchdog_var_run_t,
> freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmidetectd_var_run_t,
> freeipmi_ipmiseld_unit_file_t, freeipmi_ipmiseld_var_run_t,
> fsadm_log_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_unit_file_t,
> ftpd_var_run_t, games_srv_var_run_t, gdomap_var_run_t, gear_log_t,
> gear_unit_file_t, gear_var_run_t, getty_log_t, getty_unit_file_t,
> getty_var_run_t, gfs_controld_var_log_t, gfs_controld_var_run_t,
> glance_api_unit_file_t, glance_log_t, glance_registry_unit_file_t,
> glance_scrubber_unit_file_t, glance_var_run_t, glusterd_log_t,
> glusterd_var_run_t, gpm_var_run_t, gpsd_var_run_t,
> greylist_milter_data_t, groupd_var_log_t, groupd_var_run_t,
> gssproxy_unit_file_t, gssproxy_var_run_t, haproxy_unit_file_t,
> haproxy_var_log_t, haproxy_var_run_t, httpd_config_t, httpd_log_t,
> httpd_sys_rw_content_t, httpd_unit_file_t, httpd_var_run_t, hwdata_t,
> hypervkvp_unit_file_t, hypervvssd_unit_file_t, icecast_log_t,
> icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t,
> inetd_log_t, inetd_var_run_t, init_var_run_t, initrc_var_log_t,
> initrc_var_run_t, innd_log_t, innd_var_run_t, insmod_var_run_t,
> iodined_unit_file_t, ipa_otpd_unit_file_t, ipsec_log_t,
> ipsec_mgmt_unit_file_t, ipsec_mgmt_var_run_t, ipsec_var_run_t,
> iptables_unit_file_t, iptables_var_run_t, irqbalance_var_run_t,
> iscsi_log_t, iscsi_unit_file_t, iscsi_var_run_t, isnsd_var_run_t,
> iwhd_log_t, iwhd_var_run_t, jetty_log_t, jetty_var_run_t,
> jockey_var_log_t, kadmind_log_t, kadmind_var_run_t, kdump_unit_file_t,
> keepalived_unit_file_t, keepalived_var_run_t, keystone_log_t,
> keystone_unit_file_t, keystone_var_run_t, kismet_log_t,
> kismet_var_run_t, klogd_var_run_t, kmscon_unit_file_t, krb5kdc_log_t,
> krb5kdc_var_run_t, ksmtuned_log_t, ksmtuned_unit_file_t,
> ksmtuned_var_run_t, ktalkd_log_t, ktalkd_unit_file_t, l2tpd_var_run_t,
> lastlog_t, lib_t, lircd_var_run_t, lldpad_var_run_t, locale_t,
> locate_var_run_t, logrotate_tmp_t, logrotate_var_lib_t,
> logwatch_var_run_t, lpd_var_run_t, lsassd_var_run_t, lsmd_unit_file_t,
> lsmd_var_run_t, lvm_unit_file_t, lvm_var_run_t, lwiod_var_run_t,
> lwregd_var_run_t, lwsmd_var_run_t, mailman_log_t, mailman_var_run_t,
> man_cache_t, man_t, mcelog_log_t, mcelog_var_run_t, mdadm_unit_file_t,
> mdadm_var_run_t, memcached_var_run_t, minidlna_log_t,
> minidlna_var_run_t, minissdpd_var_run_t, mip6d_unit_file_t,
> mirrormanager_log_t, mirrormanager_var_run_t, mock_var_run_t,
> modemmanager_unit_file_t, mon_statd_var_run_t, mongod_log_t,
> mongod_var_run_t, motion_log_t, motion_unit_file_t, motion_var_run_t,
> mount_var_run_t, mpd_log_t, mpd_var_run_t, mrtg_log_t, mrtg_var_run_t,
> mscan_var_run_t, munin_etc_t, munin_log_t, munin_var_run_t,
> mysqld_etc_t, mysqld_log_t, mysqld_unit_file_t, mysqld_var_run_t,
> mysqlmanagerd_var_run_t, mythtv_var_log_t, naemon_log_t,
> naemon_var_run_t, nagios_log_t, nagios_var_run_t, named_cache_t,
> named_log_t, named_unit_file_t, named_var_run_t, net_conf_t,
> netlabel_mgmt_unit_file_t, netlogond_var_run_t, neutron_log_t,
> neutron_unit_file_t, neutron_var_run_t, nfsd_unit_file_t,
> ninfod_run_t, ninfod_unit_file_t, nis_unit_file_t, nmbd_var_run_t,
> nova_ajax_unit_file_t, nova_api_unit_file_t, nova_cert_unit_file_t,
> nova_compute_unit_file_t, nova_conductor_unit_file_t,
> nova_console_unit_file_t, nova_direct_unit_file_t, nova_log_t,
> nova_network_unit_file_t, nova_objectstore_unit_file_t,
> nova_scheduler_unit_file_t, nova_var_run_t, nova_vncproxy_unit_file_t,
> nova_volume_unit_file_t, nrpe_var_run_t, nscd_log_t, nscd_unit_file_t,
> nscd_var_run_t, nsd_var_run_t, nslcd_var_run_t, ntop_var_run_t,
> ntpd_log_t, ntpd_unit_file_t, ntpd_var_run_t, numad_unit_file_t,
> numad_var_log_t, numad_var_run_t, nut_unit_file_t, nut_var_run_t,
> nx_server_var_run_t, oddjob_unit_file_t, oddjob_var_run_t,
> openct_var_run_t, openhpid_var_run_t, openshift_log_t,
> openshift_var_lib_t, openshift_var_run_t, opensm_log_t,
> opensm_unit_file_t, openvpn_status_t, openvpn_var_log_t,
> openvpn_var_run_t, openvswitch_log_t, openvswitch_unit_file_t,
> openvswitch_var_run_t, openwsman_log_t, openwsman_run_t,
> openwsman_unit_file_t, osad_log_t, osad_var_run_t, pads_var_run_t,
> pam_var_console_t, pam_var_run_t, passenger_log_t,
> passenger_var_run_t, pcp_log_t, pcp_var_run_t, pcscd_var_run_t,
> pegasus_openlmi_storage_var_run_t, pegasus_var_run_t,
> pesign_unit_file_t, pesign_var_run_t, phc2sys_unit_file_t,
> piranha_fos_var_run_t, piranha_log_t, piranha_lvs_var_run_t,
> piranha_pulse_var_run_t, piranha_web_var_run_t, pkcs_slotd_var_run_t,
> pki_ra_log_t, pki_ra_var_run_t, pki_tomcat_log_t,
> pki_tomcat_unit_file_t, pki_tomcat_var_run_t, pki_tps_log_t,
> pki_tps_var_run_t, plymouthd_var_log_t, plymouthd_var_run_t,
> policykit_var_run_t, polipo_log_t, polipo_pid_t, polipo_unit_file_t,
> portmap_var_run_t, portreserve_var_run_t, postfix_postdrop_t,
> postfix_var_run_t, postgresql_log_t, postgresql_var_run_t,
> postgrey_var_run_t, power_unit_file_t, pppd_log_t, pppd_unit_file_t,
> pppd_var_run_t, pptp_log_t, pptp_var_run_t, prelink_log_t,
> prelude_audisp_var_run_t, prelude_lml_var_run_t, prelude_log_t,
> prelude_var_run_t, privoxy_log_t, privoxy_var_run_t, proc_t,
> procmail_log_t, prosody_unit_file_t, prosody_var_run_t,
> psad_var_log_t, psad_var_run_t, ptal_var_run_t, ptp4l_unit_file_t,
> pulseaudio_var_run_t, puppet_log_t, puppet_var_run_t,
> pwauth_var_run_t, pyicqt_log_t, pyicqt_var_run_t, qdiskd_var_log_t,
> qdiskd_var_run_t, qemu_var_run_t, qpidd_var_run_t,
> quota_nld_var_run_t, rabbitmq_unit_file_t, rabbitmq_var_log_t,
> rabbitmq_var_run_t, radiusd_log_t, radiusd_unit_file_t,
> radiusd_var_run_t, radvd_var_run_t, rasdaemon_unit_file_t,
> rdisc_unit_file_t, readahead_var_run_t, redis_log_t,
> redis_unit_file_t, redis_var_run_t, regex_milter_data_t,
> restorecond_var_run_t, rhev_agentd_log_t, rhev_agentd_unit_file_t,
> rhev_agentd_var_run_t, rhnsd_unit_file_t, rhnsd_var_run_t,
> rhsmcertd_log_t, rhsmcertd_var_run_t, ricci_modcluster_var_log_t,
> ricci_modcluster_var_run_t, ricci_var_log_t, ricci_var_run_t,
> rlogind_var_run_t, rngd_unit_file_t, rngd_var_run_t,
> rolekit_unit_file_t, root_t, roundup_var_run_t, rpcbind_var_run_t,
> rpcd_unit_file_t, rpcd_var_run_t, rpm_log_t, rpm_var_cache_t,
> rpm_var_run_t, rsync_log_t, rsync_var_run_t, rtas_errd_log_t,
> rtas_errd_unit_file_t, rtas_errd_var_run_t, samba_etc_t, samba_log_t,
> samba_unit_file_t, sanlock_log_t, sanlock_unit_file_t,
> sanlock_var_run_t, saslauthd_var_run_t, sblim_var_run_t,
> screen_var_run_t, sectool_var_log_t, security_t, sendmail_log_t,
> sendmail_var_run_t, sensord_log_t, sensord_unit_file_t,
> sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_log_t,
> setroubleshoot_var_run_t, shell_exec_t, shorewall_log_t, slapd_log_t,
> slapd_unit_file_t, slapd_var_run_t, slpd_log_t, slpd_var_run_t,
> smbd_var_run_t, smokeping_var_run_t, smsd_log_t, smsd_var_run_t,
> snapperd_log_t, snmpd_log_t, snmpd_var_run_t, snort_log_t,
> snort_var_run_t, sosreport_var_run_t, soundd_var_run_t,
> spamass_milter_data_t, spamd_log_t, spamd_var_run_t,
> speech-dispatcher_log_t, speech-dispatcher_unit_file_t, squid_log_t,
> squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_keygen_unit_file_t,
> sshd_unit_file_t, sshd_var_run_t, sssd_public_t, sssd_unit_file_t,
> sssd_var_log_t, sssd_var_run_t, stapserver_log_t,
> stapserver_var_run_t, stunnel_var_run_t, svnserve_unit_file_t,
> svnserve_var_run_t, swat_var_run_t, swift_unit_file_t,
> swift_var_run_t, sysfs_t, syslogd_var_run_t, sysstat_log_t,
> system_conf_t, system_cronjob_var_run_t, system_db_t,
> system_dbusd_var_run_t, systemd_logind_inhibit_var_run_t,
> systemd_logind_sessions_t, systemd_logind_var_run_t,
> systemd_networkd_unit_file_t, systemd_networkd_var_run_t,
> systemd_passwd_var_run_t, systemd_runtime_unit_file_t,
> systemd_unit_file_t, systemd_vconsole_unit_file_t, telnetd_var_run_t,
> textrel_shlib_t, tftpd_var_run_t, tgtd_var_run_t,
> thin_aeolus_configserver_log_t, thin_aeolus_configserver_var_run_t,
> thin_log_t, thin_var_run_t, timemaster_unit_file_t,
> timemaster_var_run_t, tmp_t, tomcat_log_t, tomcat_unit_file_t,
> tomcat_var_run_t, tor_unit_file_t, tor_var_log_t, tor_var_run_t,
> tuned_log_t, tuned_var_run_t, udev_var_run_t, ulogd_var_log_t,
> uml_switch_var_run_t, usbmuxd_unit_file_t, usbmuxd_var_run_t,
> user_home_dir_t, useradd_var_run_t, usr_t, uucpd_log_t,
> uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, var_log_t,
> var_run_t, var_spool_t, varnishd_var_run_t, varnishlog_log_t,
> varnishlog_var_run_t, vdagent_log_t, vdagent_var_run_t,
> vhostmd_var_run_t, virt_cache_t, virt_log_t, virt_lxc_var_run_t,
> virt_qemu_ga_log_t, virt_qemu_ga_var_run_t, virt_var_run_t,
> virtd_unit_file_t, vmtools_unit_file_t, vmware_host_pid_t,
> vmware_log_t, vmware_pid_t, vnstatd_var_run_t, vpnc_var_run_t,
> watchdog_log_t, watchdog_var_run_t, wdmd_var_run_t, winbind_log_t,
> winbind_var_run_t, wtmp_t, xdm_log_t, xdm_var_run_t,
> xenconsoled_var_run_t, xend_var_log_t, xend_var_run_t,
> xenstored_var_log_t, xenstored_var_run_t, xferlog_t, xserver_log_t,
> xserver_var_run_t, ypbind_unit_file_t, ypbind_var_run_t,
> yppasswdd_var_run_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_log_t,
> zabbix_var_run_t, zarafa_deliver_log_t, zarafa_deliver_var_run_t,
> zarafa_gateway_log_t, zarafa_gateway_var_run_t, zarafa_ical_log_t,
> zarafa_ical_var_run_t, zarafa_indexer_log_t, zarafa_indexer_var_run_t,
> zarafa_monitor_log_t, zarafa_monitor_var_run_t, zarafa_server_log_t,
> zarafa_server_var_run_t, zarafa_spooler_log_t,
> zarafa_spooler_var_run_t, zebra_log_t, zebra_unit_file_t,
> zebra_var_run_t, zoneminder_log_t, zoneminder_unit_file_t,
> zoneminder_var_run_t.
> Then execute:
> restorecon -v '/var/cache/dnf'
>
>
> ***** Plugin catchall (1.44 confidence) suggests
> **************************
>
> If you believe that logrotate should be allowed read access on the dnf
> directory by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
> Target Context unconfined_u:object_r:var_t:s0
> Target Objects /var/cache/dnf [ dir ]
> Source logrotate
> Source Path logrotate
> Port <Unknown>
> Host Jehovah.local
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-103.fc21.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name Jehovah.local
> Platform Linux Jehovah.local 3.17.6-300.fc21.x86_64 #1 SMP
> Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
> Alert Count 4
> First Seen 2014-12-18 06:08:01 MST
> Last Seen 2014-12-21 05:37:01 MST
> Local ID 473bcbf8-1305-4711-823e-5f9ae4b46070
>
> Raw Audit Messages
> type=AVC msg=audit(1419165421.976:453): avc: denied { read } for
> pid=6494 comm="logrotate" name="dnf" dev="sda3" ino=142352
> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
>
>
> Hash: logrotate,logrotate_t,var_t,dir,read
>
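An added example (not code from this thread, and not setroubleshoot's own code): a small Python triage script that parses the raw AVC line quoted above and makes the same call the restorecon plugin made, namely that a target carrying the generic var_t type instead of the rpm_var_cache_t label policy expects is a labeling problem to be fixed with restorecon, not a reason to generate an allow rule with audit2allow. The EXPECTED_TYPE table and GENERIC_TYPES set are constructed assumptions; on a live system you would ask matchpathcon or `restorecon -n -v` instead.

```python
"""Triage an SELinux AVC denial from the audit log.

Added example; not code from the thread or from setroubleshoot. It implements
the decision the report above makes informally: a target whose type is a
generic fallback (var_t here) instead of the label policy expects
(rpm_var_cache_t) is a labeling problem, fixed with restorecon, not a reason
to write an allow rule.
"""
import re
from dataclasses import dataclass

# Expected default type for a few paths. Constructed stand-in for what
# `matchpathcon PATH` or `restorecon -n -v PATH` reports on a live system.
EXPECTED_TYPE = {
    "/var/cache/dnf": "rpm_var_cache_t",   # as stated in the report above
    "/var/log": "var_log_t",
}

# Generic types that usually mean "never relabeled" rather than "policy
# forbids it"; constructed list, not exhaustive.
GENERIC_TYPES = {"var_t", "usr_t", "etc_t", "tmp_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Raw audit message quoted in the thread, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1419165421.976:453): avc: denied { read } for '
    'pid=6494 comm="logrotate" name="dnf" dev="sda3" ino=142352 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0'
)


@dataclass
class Avc:
    perms: list
    comm: str
    name: str
    stype: str      # type component of the source (process) context
    ttype: str      # type component of the target (object) context
    tclass: str
    permissive: bool


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one `avc: denied` line into its permission set and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(
        perms=m.group("perms").split(),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        stype=type_of(fields["scontext"]),
        ttype=type_of(fields["tcontext"]),
        tclass=fields.get("tclass", ""),
        permissive=fields.get("permissive") == "1",
    )


def signature(avc):
    """Same shape as the 'Hash:' line setroubleshoot prints at the end of the report."""
    return ",".join([avc.comm, avc.stype, avc.ttype, avc.tclass, *avc.perms])


def triage(avc, target_path):
    """Return (verdict, suggested action) for a denial on target_path."""
    expected = EXPECTED_TYPE.get(target_path)
    if expected is not None and avc.ttype != expected:
        return ("relabel", f"restorecon -R -v {target_path}  # expected {expected}, found {avc.ttype}")
    if expected is None and avc.ttype in GENERIC_TYPES:
        return ("relabel", f"restorecon -R -v {target_path}  # generic type {avc.ttype}, check matchpathcon")
    return ("policy", "label is correct; report to selinux-policy rather than allow it with audit2allow")


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print("signature:", signature(avc))
    print("verdict:  ", *triage(avc, "/var/cache/dnf"))
```

Running it on the quoted line yields the verdict "relabel", which is exactly the restorecon fix in the reply; the "policy" branch is reached only when the target already carries the label policy expects, which is the case where a bug report (or, as a stopgap, a local module) is the right tool.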