Hi, I run SELinux on Fedora 21. I got this alert.
What's this?
SELinux is preventing /usr/sbin/logrotate from read access on the directory /var/cache/dnf.
***** Plugin catchall (100. confidence) suggests **************************

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           logrotate-3.8.7-4.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-15 07:21:01 JST
Last Seen                     2014-12-15 07:21:01 JST
Local ID                      4f20b888-a8fd-484b-a665-dcd7b149502d

Raw Audit Messages
type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758 comm="logrotate" name="dnf" dev="dm-1" ino=3148310 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0 items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read
[fujiwara@localhost ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
I got the same message today. It looks harmless, and it's either a bug in policy or is a good reason for dnf to store its logs some place other than /var/cache. The cron that generates this is run yearly, so it's likely that this isn't encountered that often.
[root@localhost jrm16020]# cat /etc/logrotate.d/dnf
/var/log/dnf.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.rpm.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.plugin.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

[root@localhost jrm16020]# sesearch -A -C -s logrotate_t -t rpm_var_cache_t -c dir
Found 1 semantic av rules:
   allow logrotate_t file_type : dir { getattr search open } ;
On Sun, Dec 14, 2014 at 4:27 PM, Shintaro Fujiwara <shintaro.fujiwara@gmail.com> wrote:
-- 
A page for establishing heavy metal and hard rock in Japan http://heavymetalhardrock.no-ip.info/
Free software that makes the secure OS SELinux easier to use around the world http://sourceforge.net/projects/segatex/
CMS (free software using PHP and PostgreSQL) http://sourceforge.net/projects/webon/ https://github.com/intrajp/irforum_jp
-- 
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
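The denial in this thread is a directory listing: the glob /var/cache/dnf/*/*/hawkey.log in /etc/logrotate.d/dnf makes logrotate enumerate /var/cache/dnf, which needs the "read" permission on a dir, while the one rule sesearch found grants only getattr, search and open. As an added example (not code from the thread or from any of the posters), the Python below parses the raw AVC record and the sesearch output quoted above, both embedded as constructed strings, and reports which permission the loaded policy is missing for that class; the same check works for any AVC record paired with the matching sesearch -A output.

```python
import re

# Constructed sample input copied from the thread: the raw AVC record and
# the single allow rule that sesearch reported for logrotate_t -> dir.
# (sesearch -C shows the target as the attribute file_type, which
# contains rpm_var_cache_t, so the rule does apply to /var/cache/dnf.)
AVC_LINE = (
    'type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758 '
    'comm="logrotate" name="dnf" dev="dm-1" ino=3148310 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0'
)
SESEARCH_OUTPUT = "allow logrotate_t file_type : dir { getattr search open } ;"

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)
ALLOW_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}')


def parse_avc(line):
    """Extract result, permissions, source/target types and class from an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        # a context is user:role:type[:range]; the type is the third field
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def allowed_perms(sesearch_text, tclass):
    """Union of permissions granted for tclass across all allow rules in sesearch -A output."""
    perms = set()
    for _src, _tgt, cls, plist in ALLOW_RE.findall(sesearch_text):
        if cls == tclass:
            perms |= set(plist.split())
    return perms


def missing_perms(avc_line, sesearch_text):
    """Permissions the AVC record asked for that no allow rule grants on that class."""
    avc = parse_avc(avc_line)
    return avc["perms"] - allowed_perms(sesearch_text, avc["tclass"])


if __name__ == "__main__":
    print(missing_perms(AVC_LINE, SESEARCH_OUTPUT))  # {'read'}
```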
Hi,
Please follow this in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1163438. We know about this issue.
I'm going to fix it.
-- 
Best regards,
Lukas Vrabec.

----- Original Message -----
From: "Jeremy Young" jrm16020@gmail.com
To: "Shintaro Fujiwara" shintaro.fujiwara@gmail.com
Cc: selinux@lists.fedoraproject.org
Sent: Sunday, 14 December, 2014 7:22:44 PM
Subject: Re: SELinux alert in Fedora 21
Thanks, friends. I will.
2014-12-15 17:33 GMT+09:00, Lukas Vrabec lvrabec@redhat.com:
-- 
Jeremy Young, M.S., RHCSA
Bug is in MODIFIED state. https://bugzilla.redhat.com/show_bug.cgi?id=1163438
I will also make a new build during the day.
-- 
Best regards,
Lukas Vrabec.

----- Original Message -----
From: "Shintaro Fujiwara" shintaro.fujiwara@gmail.com
To: "Lukas Vrabec" lvrabec@redhat.com
Cc: "Jeremy Young" jrm16020@gmail.com, selinux@lists.fedoraproject.org
Sent: Monday, 15 December, 2014 9:43:36 AM
Subject: Re: SELinux alert in Fedora 21