avc denied from logrotate

Russell Coker russell at coker.com.au
Sun Jul 11 06:37:36 UTC 2004


On Sat, 10 Jul 2004 16:57, Richard Hally <rhallyx at mindspring.com> wrote:
> Jul 10 02:44:08 new2 richard: now doing logrotate
> Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc:  denied  {
> transition } for  pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups
> dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t
> tcontext=root:system_r:initrc_t tclass=process

The role sysadm_r is not permitted to have domain initrc_t.  The options for 
solving this are:

1:
role sysadm_r types initrc_t;

2:
role_transition sysadm_r initrc_exec_t system_r;
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)

3:
role_transition sysadm_r logrotate_exec_t system_r;

In option 2 the domain_auto_trans() is needed to prevent the 
command /etc/init.d/whatever from ending up in the context 
root:system_r:sysadm_t which is not a valid context.

The problem with option 1 is that initrc_t then launches other domains so it 
doesn't work.

Steve, what do you think about option 2 vs option 3?

> Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc:  denied  {
> use } for  pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2
> ino=1064669 scontext=root:system_r:consoletype_t
> tcontext=root:sysadm_r:logrotate_t tclass=fd

I guess we need a dontaudit rule for that as there is:
can_exec(logrotate_t, consoletype_exec_t)

So I put the following in logrotate.te:
dontaudit consoletype_t logrotate_t:fd use;

> Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
> Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc:  denied  {
> ioctl } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
> ino=2 scontext=root:system_r:cupsd_t
> tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
> Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc:  denied  {
> getattr } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts
> ino=2 scontext=root:system_r:cupsd_t
> tcontext=root:object_r:sysadm_devpts_t tclass=chr_file

The attached patch takes care of that.

> Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc:  denied  {
> read } for  pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311
> scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t
> tclass=file

In enforcing mode access to the parent directory is denied and that file will 
never be accessed.

> Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc:  denied  {
> read } for  pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871
> scontext=root:system_r:cupsd_t
> tcontext=system_u:object_r:selinux_config_t tclass=file

Maybe we should change id to read /proc/self/attr/current directly?  We don't 
want to have to put in allow or dontaudit rules for every shell script that 
runs "id".

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-diff
Size: 326 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20040711/01546df5/attachment.bin 
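Added example (not part of Russell's message, the attached patch, or the SELinux policy sources): a small Python triage script that parses AVC denial lines in the format quoted above, collapses them into the distinct (source type, target type, class, permission) tuples a policy writer would have to address, and flags a process transition denial whose source and target contexts carry different roles, which is the situation the first paragraph of the reply describes. The sample log is constructed by reassembling the quoted denials onto single lines (the mail client wrapped them); the function names and the note text are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: the denials quoted in the message, each reassembled
# onto one line. One non-AVC line is kept to show that it is ignored.
SAMPLE_LOG = """\
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc:  denied  { transition } for  pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc:  denied  { use } for  pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc:  denied  { ioctl } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc:  denied  { getattr } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc:  denied  { read } for  pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc:  denied  { read } for  pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
"""

# "avc:  denied  { perm [perm ...] } for  key=value ..."; the brace may hold
# several permissions, so it is captured whole and split afterwards.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def split_context(ctx):
    """Split 'user:role:type[:level]' into (user, role, type); the level is ignored."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[0], parts[1], parts[2]


def parse_avc(line):
    """Return {'perms': [...], 'fields': {...}} for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m.group("perms").split(),
            "fields": dict(FIELD_RE.findall(m.group("rest")))}


def parse_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Map each distinct (src_type, tgt_type, tclass, perm) to a set of triage notes.

    A process:transition denial whose source and target roles differ is marked,
    because an allow rule alone will not fix it: the role must be permitted to
    hold the target domain (or a role_transition must be declared).
    """
    out = OrderedDict()
    for r in records:
        f = r["fields"]
        _, srole, stype = split_context(f["scontext"])
        _, trole, ttype = split_context(f["tcontext"])
        for perm in r["perms"]:
            notes = out.setdefault((stype, ttype, f["tclass"], perm), set())
            if f["tclass"] == "process" and perm == "transition" and srole != trole:
                notes.add("role change %s -> %s" % (srole, trole))
    return out


def render(summary):
    """One report line per distinct denial, with any notes appended."""
    lines = []
    for (stype, ttype, tclass, perm), notes in summary.items():
        line = "%s -> %s %s:%s" % (stype, ttype, tclass, perm)
        if notes:
            line += "  (" + "; ".join(sorted(notes)) + ")"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in render(summarize(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the sample, the six quoted denials stay six distinct tuples (the two cupsd denials on /dev/pts/0 differ only in permission), and only the logrotate_t -> initrc_t line carries the "role change sysadm_r -> system_r" note; the consoletype_t fd:use entry shows a descriptor inherited across the exec, which is why a dontaudit rather than an allow was chosen in the message.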