Attached and below is a short /var/log/messages file showing the avc denied messages that are generated using the current strict policy (selinux-policy-strict-sources-1.14.1-5). Note the messages inserted with "logger" that indicate where I switched from enforcing to permissive to actually get logrotate to work. HTH, and please let me know if you need additional information. Richard Hally
[root@new2 root]# cat /home/richard/messages.1
Jul 10 02:39:16 new2 syslogd 1.4.1: restart.
Jul 10 02:39:23 new2 kernel: audit(1089441563.715:0): avc: granted { setenforce } for pid=4032 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:40:09 new2 kernel: audit(1089441609.750:0): avc: denied { search } for pid=4045 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jul 10 02:43:15 new2 richard: that was logrotate in enforcing
Jul 10 02:43:34 new2 richard: now setting permissive
Jul 10 02:43:46 new2 kernel: audit(1089441826.619:0): avc: granted { setenforce } for pid=4101 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { getattr } for pid=4121 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { search } for pid=4123 exe=/usr/bin/id name=selinux dev=hda2 ino=913073 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { getattr } for pid=4123 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 cups: cupsd startup succeeded
On Sat, 10 Jul 2004 16:57, Richard Hally rhallyx@mindspring.com wrote:
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
The role sysadm_r is not permitted to have domain initrc_t. The options for solving this are:
1: role sysadm_r types initrc_t;
2: role_transition sysadm_r initrc_exec_t system_r; domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
3: role_transition sysadm_r logrotate_exec_t system_r;
In option 2 the domain_auto_trans() is needed to prevent the command /etc/init.d/whatever from ending up in the context root:system_r:sysadm_t which is not a valid context.
The problem with option 1 is that initrc_t then launches other domains so it doesn't work.
Steve, what do you think about option 2 vs option 3?
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
I guess we need a dontaudit rule for that as there is: can_exec(logrotate_t, consoletype_exec_t)
So I put the following in logrotate.te: dontaudit consoletype_t logrotate_t:fd use;
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
The attached patch takes care of that.
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
In enforcing mode access to the parent directory is denied and that file will never be accessed.
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Maybe we should change id to read /proc/self/attr/current directly? We don't want to have to put in allow or dontaudit rules for every shell script that runs "id".
On Sun, 2004-07-11 at 02:37, Russell Coker wrote:
On Sat, 10 Jul 2004 16:57, Richard Hally rhallyx@mindspring.com wrote:
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
The role sysadm_r is not permitted to have domain initrc_t. The options for solving this are:
1: role sysadm_r types initrc_t;
2: role_transition sysadm_r initrc_exec_t system_r; domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
3: role_transition sysadm_r logrotate_exec_t system_r;
In option 2 the domain_auto_trans() is needed to prevent the command /etc/init.d/whatever from ending up in the context root:system_r:sysadm_t which is not a valid context.
The problem with option 1 is that initrc_t then launches other domains so it doesn't work.
Steve, what do you think about option 2 vs option 3?
The policy is already set up for sysadm_r:logrotate_t to transition to system_r:initrc_t upon executing init scripts; logrotate.te includes domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t), and initrc.te includes role_transition sysadm_r initrc_exec_t system_r;. The only item missing is that logrotate_t needs the priv_system_role attribute for the corresponding constraint. That is all that needs to be changed.
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Maybe we should change id to read /proc/self/attr/current directly? We don't want to have to put in allow or dontaudit rules for every shell script that runs "id".
libselinux attempts to read /etc/selinux/config upon initialization, but only truly needs access if the program will ultimately need a path to a policy file (either directly or due to a call to a libselinux function that reads a policy file). I don't think id falls into this category, so you can just dontaudit the permission.
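The triage done by hand in this thread (fold the avc denied lines into candidate allow rules, then spot the one denial that an allow rule cannot fix because the role changes from sysadm_r to system_r) can be scripted. The following is an added example written for this page; it is not the real audit2allow, not part of selinux-policy-strict-sources, and not code posted by any of the participants. It parses the 2.6-era kernel AVC format quoted above ("audit(secs.ms:serial): avc: denied { perm } for key=value ..."), groups denials by (source type, target type, object class) the way audit2allow does, and separately flags process transitions whose target context carries a different role, which is exactly the logrotate_t -> initrc_t case Russell and Stephen discuss. The sample input is a handful of lines copied from Richard's /var/log/messages plus one of his logger marks, so the script can be run offline.

```python
"""
Minimal audit2allow-style triage for the 2.6-era kernel AVC format quoted in
this thread.  Added example for this page: not the real audit2allow, and not
part of the selinux-policy-strict sources being discussed.
"""
import re
from collections import defaultdict

# "avc: denied { perm [perm ...] } for <key=value fields>"
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Sample input: lines copied from Richard's /var/log/messages above, plus one
# of his logger marks so the non-AVC case is exercised too.
SAMPLE_LOG = [
    "Jul 10 02:43:46 new2 kernel: audit(1089441826.619:0): avc: granted { setenforce } for pid=4101 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security",
    "Jul 10 02:44:08 new2 richard: now doing logrotate",
    "Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process",
    "Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd",
    "Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file",
    "Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file",
    "Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file",
    "Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file",
]


def parse_avc(line):
    """Parse one syslog line; return a dict for AVC messages, None otherwise."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Security contexts are user:role:type.  Split out role and type so the
    # caller can see role changes as well as the type pair an allow rule names.
    for key in ("scontext", "tcontext"):
        _user, role, typ = rec[key].split(":")[:3]
        rec[key[0] + "role"] = role
        rec[key[0] + "type"] = typ
    return rec


def suggest_rules(records):
    """Fold denials into allow rules keyed on (source type, target type, class),
    and separately flag denials that an allow rule alone cannot resolve."""
    perms_by_key = defaultdict(set)
    notes = []
    for r in records:
        if r["verdict"] != "denied":
            continue  # "granted" lines (e.g. setenforce) need no rule
        perms_by_key[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
        # A process transition whose target context carries a different role
        # is a role change: the role must be authorised for the target type
        # (role / role_transition / the attribute the constraint checks), so
        # a bare allow rule would still leave the transition failing.
        if r["tclass"] == "process" and "transition" in r["perms"] and r["srole"] != r["trole"]:
            notes.append(
                f"{r['stype']} -> {r['ttype']}: role changes {r['srole']} -> {r['trole']}; "
                "needs role authorisation, not just an allow rule"
            )
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules, notes


def triage(lines):
    """Parse a log and return (rules, notes)."""
    records = [r for r in map(parse_avc, lines) if r is not None]
    return suggest_rules(records)


if __name__ == "__main__":
    rules, notes = triage(SAMPLE_LOG)
    print("\n".join(rules))
    for n in notes:
        print("NOTE:", n)
```

Run against the sample it emits five allow rules and one note for logrotate_t -> initrc_t. The rules are only a starting point, as the thread shows: the consoletype_t fd use became a dontaudit rather than an allow, the .bashrc read never happens in enforcing mode because the directory search is already denied, and the id read of /etc/selinux/config was judged safe to dontaudit. A generated allow rule should be reviewed against what the domain actually needs before it goes into policy.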
selinux@lists.fedoraproject.org