On Mon, 2015-12-14 at 15:43 +0100, Miroslav Grepl wrote:
> On 12/14/2015 03:18 PM, jason wrote:
>> On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
>>> Hi Jason,
>>>
>>> On 12/11/2015 08:51 PM, jason wrote:
>>>> Hi All,
>>>>
>>>> I am attempting to use logrotate to rotate a log file with the
>>>> unlabeled_t context, as it turns out SELinux is not happy about this
>>>> and denies logrotate access to the log file.
>>> logrotate should run under the logrotate_t SELinux context. I would
>>> recommend you fix all security contexts on your system using:
>>> # restorecon -R -v /
>>>
>>> After this, logrotate should run under the logrotate_t SELinux
>>> context.
>>>> What's the preferred method here to allow access? I used audit2allow
>>>> and installed the .pp, but I was reading some docs[0] and wanted to
>>>> double check my solution.
>>>>
>>>> The points in the docs that I wanted to check on were "Missing TE
>>>> rules are usually caused by bugs in SELinux policy and should be
>>>> reported.." Should I report my particular instance as a bug?
>>> Could you attach the AVC msgs using:
>>> # ausearch -m AVC
>>>
>>> We can analyze these msgs and figure out if it is some bug in SELinux
>>> policy, or create some local SELinux module for you.
>>>> "Modules created with audit2allow may allow more access than
>>>> required.
>>> True, you should always read the AVC msg properly and allow just what
>>> is mentioned in the AVC msg. The audit2allow tool can use a rule that
>>> is too generic as a fix, and this is a bad habit when writing
>>> policies.
>>>> It is recommended that policy created with audit2allow be posted to
>>>> the upstream SELinux list for review."
>>> You can attach your local policy here for checking as well. :)
>>>> Thanks in advance!
>>>>
>>>> JT
>>>>
>>>> [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
>>>> --
>>>> selinux mailing list
>>>> selinux(a)lists.fedoraproject.org
>>>> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>>> Regards,
>>> Lukas.
>>>
>> After attempting to change the context of the log file and getting a
>> permission denied, it seems SELinux won't let me just change the
>> context to anything I want :)
>>
>> So here is some more information, since I want to make sure I do this
>> the right way.
>>
>> We have an application writing logs to /${app}/logs/my.log. The current
>> context of the directory/files is
>> unconfined_u:object_r:unlabeled_t:s0.
>>
>> Previously we were not rotating logs; I would like to use logrotate to
>> manage these logs. We are currently running
>> centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.
>>
>> The message in /var/log/audit/audit.log I am seeing is:
>> type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr }
>> for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1"
>> ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
> Is it a mount point?
>
>> Thanks in advance!
>>
>> JT
>
/${app} is, yes.
So use:
context="system_u:object_r:var_log_t:s0"
as a mount option. This labels the mount point as var_log_t.
For more info see the mount man pages.
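To make two points from this thread concrete, Lukas's advice to read each AVC and allow only what it names, and Miroslav's point that a denial against unlabeled_t is a labeling problem to be fixed with restorecon or a context= mount option rather than a policy gap, here is an added example that is not code from the thread or from the SELinux project. It parses AVC records of the form jason posted, collapses them into the narrowest TE rule, and flags target types that indicate missing labels. The sample records are constructed (modelled on the posted one, with a path= field and a second invented denial), and the LABELING_TYPES shortlist and the remediation strings are my assumptions.

```python
import re

# Constructed sample AVC records, modelled on the one posted in the thread.
# The second record is invented to show permission aggregation; pid/ino values
# are illustrative, not from a real system.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } '
    'for pid=39492 comm="logrotate" path="/app/logs/my.log" dev="sdb1" '
    'ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1450064523.100:248946): avc: denied { read open } '
    'for pid=39492 comm="logrotate" path="/app/logs/my.log" dev="sdb1" '
    'ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file',
]

# Matches the fields an allow rule is built from: the permission set, the
# source and target security contexts, and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Target types that mean "this object never got a proper label" (assumption:
# a practical shortlist, not an exhaustive list from the reference policy).
LABELING_TYPES = {'unlabeled_t', 'default_t', 'file_t'}


def parse_avc(line):
    """Return the permission list, source type, target type and class of one
    AVC record, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {
        'perms': m.group('perms').split(),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def minimal_te_rules(lines):
    """Collapse denials into one allow rule per (source, target, class),
    listing exactly the permissions the AVCs name and nothing more."""
    rules = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def mount_context_option(file_type, user='system_u', level='s0'):
    """Build the context= mount option that labels a whole mount point."""
    return f'context="{user}:object_r:{file_type}:{level}"'


def triage(lines):
    """Decide between 'write a local policy module' and 'fix the labels'.
    A denial against unlabeled_t or similar is a labeling problem: an allow
    rule would let the domain touch every unlabeled file on the system."""
    recs = [r for r in map(parse_avc, lines) if r is not None]
    labeling = sorted({r['ttype'] for r in recs if r['ttype'] in LABELING_TYPES})
    report = {'rules': minimal_te_rules(lines), 'labeling_types': labeling}
    if labeling:
        # Assumed remediation strings, reflecting the advice in the thread.
        report['fix'] = (
            'relabel the files (restorecon -R -v <dir>) or, for a separate '
            'mount point, add ' + mount_context_option('var_log_t') +
            ' to its mount options instead of shipping the allow rule'
        )
    else:
        report['fix'] = 'package the rules above as a local module and post them for review'
    return report


if __name__ == '__main__':
    for k, v in triage(SAMPLE_AVCS).items():
        print(f'{k}: {v}')
```

Run it against the output of `ausearch -m AVC -c logrotate` to see the rule audit2allow would have generated next to the reason you should not install it here: the rule grants logrotate_t access to every unlabeled_t file, while the mount option or a restorecon fixes only the files that were mislabeled.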