avc denied from logrotate
Richard Hally
rhallyx at mindspring.com
Sat Jul 10 06:57:57 UTC 2004
Attached and below is a short /var/log/messages file showing the avc
denied messages that are generated using the current strict
policy (selinux-policy-strict-sources-1.14.1-5). Note the messages
inserted with "logger" that indicate where I switched from enforcing to
permissive to actually get logrotate to work.
HTH, and please let me know if you need additional information.
Richard Hally
[root at new2 root]# cat /home/richard/messages.1
Jul 10 02:39:16 new2 syslogd 1.4.1: restart.
Jul 10 02:39:23 new2 kernel: audit(1089441563.715:0): avc: granted { setenforce } for pid=4032 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:40:09 new2 kernel: audit(1089441609.750:0): avc: denied { search } for pid=4045 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jul 10 02:43:15 new2 richard: that was logrotate in enforcing
Jul 10 02:43:34 new2 richard: now setting permissive
Jul 10 02:43:46 new2 kernel: audit(1089441826.619:0): avc: granted { setenforce } for pid=4101 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { getattr } for pid=4121 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { search } for pid=4123 exe=/usr/bin/id name=selinux dev=hda2 ino=913073 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { getattr } for pid=4123 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 cups: cupsd startup succeeded
Attachment: messages.1 (http://lists.fedoraproject.org/pipermail/selinux/attachments/20040710/89a4d51b/attachment.pl)
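Added example, not part of Richard's post or of the selinux-policy package: a small Python parser for the pre-auditd style AVC lines quoted above, which the list archive wrapped over several lines. It re-joins each record, skips "granted" events and the logger markers, and collapses the denials onto (source type, target type, class) -> permissions, the grouping audit2allow uses. The sample input is a constructed subset of the records from the post. The generated allow rules are a reading aid for the log, not something to paste into the policy: a denial such as logrotate_t trying to transition to initrc_t through /etc/rc.d/init.d/cups points at a missing domain transition for logrotate's postrotate scripts, and a rule handing cupsd_t ioctl on the admin's pty (sysadm_devpts_t) is the kind of thing a policy reviewer should refuse.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the records quoted in the post, wrapped
# the way the list archive rendered them (one record over several lines).
SAMPLE = """\
Jul 10 02:39:23 new2 kernel: audit(1089441563.715:0): avc: granted {
setenforce } for pid=4032 exe=/usr/bin/setenforce
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t
tclass=security
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied {
transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups
dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t
tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied {
use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2
ino=1064669 scontext=root:system_r:consoletype_t
tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied {
ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
ino=2 scontext=root:system_r:cupsd_t
tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied {
getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
ino=2 scontext=root:system_r:cupsd_t
tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied {
search } for pid=4123 exe=/usr/bin/id name=selinux dev=hda2 ino=913073
scontext=root:system_r:cupsd_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
"""

# 2004-era AVC line as klogd wrote it to /var/log/messages (no auditd yet).
AVC_RE = re.compile(r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
                    r"\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")


def unwrap(text):
    """Rejoin wrapped records: a line without a syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_PREFIX.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Fields of one AVC message, or None for non-AVC lines (logger markers, restarts)."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "exe": fields.get("exe"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "target": fields.get("path") or fields.get("name"),
    }


def type_of(context):
    # user:role:type -> type (the 2004 strict policy carried no MLS range)
    return context.split(":")[2]


def summarize(records):
    """Collapse denials onto (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for rec in records:
        avc = parse_avc(rec)
        if avc is None or avc["verdict"] != "denied":
            continue
        key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
        rules[key] |= avc["perms"]
    return rules


def to_te(rules):
    """Render the grouping as TE allow rules, sorted, for review rather than for loading."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out


if __name__ == "__main__":
    print("\n".join(to_te(summarize(unwrap(SAMPLE)))))
```

Run it against a real /var/log/messages by replacing SAMPLE with the file contents; the unwrap step is harmless on an unwrapped file because every real record starts with a timestamp. Treat the output as a list of questions (why is cupsd_t touching the admin's pty at all?) rather than as rules to add.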