-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hey Guys,
Any ideas why logrotate is trying to access /root as shown by the avc message below:
lrfurtado:~# ausearch -ts today
----
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5 success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192 pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Is this the issue described here:
https://bugzilla.redhat.com/show_bug.cgi?id=471463
For now I have added:
allow logrotate_t unconfined_home_dir_t:dir search;
to my local module to shut up the avc messages. Is there any way to stop logrotate from generating those AVC messages other than adding the allow rule above?
Best Regards. Luciano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/24/2011 02:08 PM, Luciano Furtado wrote:
Hey Guys,
Any ideas why logrotate is trying to access /root as shown by the avc message below:
lrfurtado:~# ausearch -ts today
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5 success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192 pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Is this the issue described here:
https://bugzilla.redhat.com/show_bug.cgi?id=471463
For now I have added:
allow logrotate_t unconfined_home_dir_t:dir search;
to my local module to shut up the avc messages. Is there any way to stop logrotate from generating those AVC messages other than adding the allow rule above?
Best Regards. Luciano
- -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
If you are using a standard Fedora selinux policy package, the /root directory should be labeled admin_home_t, not user_home_dir_t?
rpm -q selinux-policy
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi Daniel,
Sorry I did not mention this earlier. This is a Debian machine. I was not aware that they had their own policies.
lrfurtado:~# dpkg -l | grep selinux
ii  libselinux1             2.0.65-5            SELinux shared libraries
ii  python-selinux          2.0.65-5            Python bindings to SELinux shared libraries
ii  selinux-basics          0.3.5               SELinux basic support
ii  selinux-policy-default  2:0.0.20080702-6    Strict and Targeted variants of the SELinux
ii  selinux-policy-dev      2:0.0.20080702-6    Headers from the SELinux reference policy fo
ii  selinux-utils           2.0.65-5            SELinux utility programs
lrfurtado:~# dpkg -l | grep logrotate
ii  logrotate               3.7.1-5             Log rotation utility
lrfurtado:~# cat /etc/debian_version
5.0.7
lrfurtado:~#
On 11-03-24 14:16, Daniel J Walsh wrote:
On 03/24/2011 02:08 PM, Luciano Furtado wrote:
Hey Guys,
Any ideas why logrotate is trying to access /root as shown by the avc message below:
lrfurtado:~# ausearch -ts today
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5 success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192 pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Is this the issue described here:
For now I have added:
allow logrotate_t unconfined_home_dir_t:dir search;
to my local module to shut up the avc messages. Is there any way to stop logrotate from generating those AVC messages other than adding the allow rule above?
Best Regards. Luciano
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/24/2011 04:42 PM, Luciano Furtado wrote:
Hi Daniel,
Sorry I did not mention this earlier. This is a Debian machine. I was not aware that they had their own policies.
lrfurtado:~# dpkg -l | grep selinux
ii  libselinux1             2.0.65-5            SELinux shared libraries
ii  python-selinux          2.0.65-5            Python bindings to SELinux shared libraries
ii  selinux-basics          0.3.5               SELinux basic support
ii  selinux-policy-default  2:0.0.20080702-6    Strict and Targeted variants of the SELinux
ii  selinux-policy-dev      2:0.0.20080702-6    Headers from the SELinux reference policy fo
ii  selinux-utils           2.0.65-5            SELinux utility programs
lrfurtado:~# dpkg -l | grep logrotate
ii  logrotate               3.7.1-5             Log rotation utility
lrfurtado:~# cat /etc/debian_version
5.0.7
lrfurtado:~#
On 11-03-24 14:16, Daniel J Walsh wrote:
On 03/24/2011 02:08 PM, Luciano Furtado wrote:
Hey Guys,
Any ideas why logrotate is trying to access /root as shown by the avc message below:
lrfurtado:~# ausearch -ts today
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5 success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192 pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Is this the issue described here:
For now I have added:
allow logrotate_t unconfined_home_dir_t:dir search;
to my local module to shut up the avc messages. Is there any way to stop logrotate from generating those AVC messages other than adding the allow rule above?
Best Regards. Luciano
- -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
In Fedora we allow logrotate to search all directories since log files could be stored anywhere.
One thing I have noticed is lots of apps look at the default directory where they are started. So if, while sitting in the /root directory, you restart a confined daemon, you can get this type of AVC.
I would also look in /etc/logrotate.d to see if anything says to look in /root for content.
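As an added worked example (not part of the thread, and not code from any of the posters): a small Python script that parses the AVC record quoted above the way audit2allow would, renders the allow rule Luciano added, and flags the pattern both replies point at, a lone `search` denial on a home-directory type from a daemon domain, which is what an inherited working directory looks like. It also scans a set of /etc/logrotate.d fragments for entries that point under /root, the check Daniel suggests. The audit record is the one from the thread; the logrotate fragments and the "cwd leak" heuristic are constructed assumptions for illustration.

```python
import re

# AVC record quoted in this thread (the logrotate_t -> unconfined_home_dir_t denial).
SAMPLE_AUDIT = """----
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5 success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192 pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc:  denied  { search } for  pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
"""

# Constructed /etc/logrotate.d fragments (hypothetical, not taken from the thread).
SAMPLE_LOGROTATE_D = {
    "/etc/logrotate.d/apache2": "/var/log/apache2/*.log {\n  weekly\n  missingok\n}\n",
    "/etc/logrotate.d/backup": "# rotates a log kept in root's home\n/root/backup.log {\n  daily\n}\n",
}

AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per 'avc: denied' record: permissions, source/target types, class."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        # A context is user:role:type[:range]; the type is the third field.
        denials.append({
            'perms': m.group('perms').split(),
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'comm': fields.get('comm', ''),
            'name': fields.get('name', ''),
        })
    return denials


def allow_rule(denial):
    """Render the TE allow rule that would silence this denial (the shape audit2allow emits)."""
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {denial['stype']} {denial['ttype']}:{denial['tclass']} {perm_str};"


def looks_like_cwd_leak(denial):
    """Heuristic (assumption): a lone 'search' on a home-directory type from a daemon
    domain is the signature of a process that inherited an interactive shell's working
    directory, not evidence that it needs the home directory; fix the launch
    environment before widening the policy."""
    return (denial['tclass'] == 'dir'
            and denial['perms'] == ['search']
            and denial['ttype'].endswith('home_dir_t'))


def configs_referencing(prefix, configs):
    """Find logrotate config lines whose log path starts with `prefix` (e.g. /root)."""
    hits = []
    for path, body in configs.items():
        for lineno, line in enumerate(body.splitlines(), 1):
            code = line.split('#', 1)[0].strip()   # drop comments
            if code.startswith(prefix):
                hits.append((path, lineno, code))
    return hits


if __name__ == '__main__':
    for d in parse_avc(SAMPLE_AUDIT):
        print(f"{d['comm']}: {d['stype']} -> {d['ttype']}:{d['tclass']} {{ {' '.join(d['perms'])} }} (name={d['name']})")
        print("  rule that would allow it:", allow_rule(d))
        if looks_like_cwd_leak(d):
            print("  note: lone 'search' on a home dir type; check the cwd logrotate was started from")
    for path, lineno, code in configs_referencing('/root', SAMPLE_LOGROTATE_D):
        print(f"{path}:{lineno}: {code}")
```

Run it on real data with `ausearch -m avc -ts today | python3 avc_check.py` style piping by replacing `SAMPLE_AUDIT` with `sys.stdin.read()`; the point of the `looks_like_cwd_leak` branch is that the rule `allow_rule` prints is the last resort, after the working directory and the logrotate.d entries have been ruled out.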
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 03/24/2011 09:42 PM, Luciano Furtado wrote:
Hi Daniel,
Sorry I did not mention this earlier. This is a Debian machine. I was not aware that they had their own policies.
lrfurtado:~# dpkg -l | grep selinux
ii  libselinux1             2.0.65-5            SELinux shared libraries
ii  python-selinux          2.0.65-5            Python bindings to SELinux shared libraries
ii  selinux-basics          0.3.5               SELinux basic support
ii  selinux-policy-default  2:0.0.20080702-6    Strict and Targeted variants of the SELinux
ii  selinux-policy-dev      2:0.0.20080702-6    Headers from the SELinux reference policy fo
ii  selinux-utils           2.0.65-5            SELinux utility programs
lrfurtado:~# dpkg -l | grep logrotate
ii  logrotate               3.7.1-5             Log rotation utility
lrfurtado:~# cat /etc/debian_version
5.0.7
lrfurtado:~#
On 11-03-24 14:16, Daniel J Walsh wrote:
On 03/24/2011 02:08 PM, Luciano Furtado wrote:
Hey Guys,
Any ideas why logrotate is trying to access /root as shown by the avc message below:
lrfurtado:~# ausearch -ts today
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5 success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192 pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
Were you maybe running logrotate manually as root? It may be a "current pwd" thing.
Is this the issue described here:
For now I have added:
allow logrotate_t unconfined_home_dir_t:dir search;
to my local module to shut up the avc messages. Is there any way to stop logrotate from generating those AVC messages other than adding the allow rule above?
Best Regards. Luciano
- -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux