On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
Hi Jason,
On 12/11/2015 08:51 PM, jason wrote:
> Hi All,
>
> I am attempting to use logrotate to rotate a log file with the
> unlabeled_t context, as it turns out SELinux is not happy about this
> and denies logrotate access to the log file.
logrotate should run under the logrotate_t SELinux context. I would
recommend that you fix all security contexts on your system using:
# restorecon -R -v /
After this, logrotate should run under the logrotate_t SELinux context.
> What's the preferred method here to allow access? I used audit2allow
> and installed the .pp, but I was reading some docs[0] and wanted to
> double check my solution.
>
> The points in the docs that I wanted to check on were "Missing TE
> rules are usually caused by bugs in SELinux policy and should be
> reported..." Should I report my particular instance as a bug?
Could you attach the AVC messages using:
# ausearch -m AVC
We can analyze these messages and figure out if it is some bug in SELinux
policy or create some local SELinux module for you.
> "Modules created with audit2allow may allow more access than
> required.
True, you should always properly read the AVC message and allow just what
is mentioned in the AVC message. The audit2allow tool can use a too
generic rule as a fix, and this is a bad habit for writing policies.
> It is recommended that policy created with audit2allow be posted to
> the upstream SELinux list for review."
You can attach your local policy also here for checking. :)
> Thanks in advance!
>
> JT
>
>
> [0]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Regards,
Lukas.
After attempting to change the context of the log file, I got a
permission denied. It seems SELinux won't let me just change the
context to anything I want :)
So here is some more information, since I want to make sure I do this
the right way.
We have an application writing logs to /${app}/logs/my.log. The current
context of the directory/files are
unconfined_u:object_r:unlabeled_t:s0.
Previously we were not rotating logs, I would like to use logrotate to
manage these logs. We are currently running
centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.
The message in /var/log/audit/audit.log I am seeing is:
type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
Thanks in advance!
JT
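As an added example (not code from this thread or from the SELinux project), a small POSIX sh triage helper for a denial like the one above: it parses the AVC record and, when the target type is unlabeled_t, prints relabeling commands instead of an allow rule, which is the point Lukas makes about audit2allow; for any other target type it prints only the narrowest rule the denial asks for, so it can be reviewed before anything is installed. The sample record is constructed from the denial in the thread with a path= field added, and var_log_t is an assumed target type for the log directory.

```sh
#!/bin/sh
# Added example: triage one AVC denial line. unlabeled_t means the file
# never received a label, so the fix is relabeling, not a policy module.

# Constructed sample modelled on the thread's denial (path= assumed present).
AVC_SAMPLE='type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" path="/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file'

# avc_field LINE KEY -> value of " KEY=" with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type[:range]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_remedy LINE -> first line is the verdict (relabel|review),
# the remaining lines are what to run or what to post for review
avc_remedy() {
    line=$1
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    dir=$(dirname "$(avc_field "$line" path)")
    case $ttype in
    unlabeled_t)
        echo relabel
        echo "# target was never labeled: record a context for the tree (var_log_t assumed)"
        echo "semanage fcontext -a -t var_log_t '$dir(/.*)?'"
        echo "restorecon -R -v $dir"
        ;;
    *)
        echo review
        echo "# narrowest rule this denial asks for; post it for review, do not just install it"
        echo "allow $stype $ttype:$tclass { $perms };"
        ;;
    esac
}

avc_remedy "$AVC_SAMPLE"
```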