sesearch output

Daniel J Walsh dwalsh at redhat.com
Tue Oct 16 15:20:57 UTC 2012



On 10/16/2012 10:39 AM, Moray Henderson wrote:
> On CentOS 6 I'm trying to get logrotate to work on some web files.  At the 
> moment they're httpd_sys_content_t and give
> 
> Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc: 
> denied  { read write } for  pid=1275 comm="logrotate" name="dnsview.html" 
> dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
> 
> I wanted to see what did have access to those files, so used
> 
> # sesearch --allow -t httpd_sys_content_t | less
> 
> I thought that would show me all the allow rules with a target of 
> httpd_sys_content_t, but it seems to show other stuff as well, which 
> confused me:
> 
> allow logwatch_t file_type : filesystem getattr ;
> allow logwatch_t file_type : file getattr ;
> allow logwatch_t file_type : dir { getattr search open } ;
> allow logwatch_t file_type : lnk_file getattr ;
> 
> and so on.  Is that supposed to show up?  Does it mean that logwatch can 
> search all directories regardless of their context?
> 
> Is there a context that would be appropriate for my files or will I need 
> custom policy if I want to rotate them?
> 
> 
> 
> Moray. "To err is human; to purr, feline."
You should be looking at logrotate_t not logwatch_t

# sesearch -A -s logrotate_t -p write -c file | grep logfile
   allow logrotate_t logfile : file { ioctl read write create getattr setattr
lock append unlink link rename execute execute_no_trans open } ;


First off I would look at if this is actually necessary or just a leak.  Why
would logrotate want to read/write dnsview.html?  You might be best off adding
a dontaudit rule, although figuring out if this is a leak and fixing the leak
would be best.

Logwatch is allowed to manipulate log files so it is probably best to have
these be log files.

httpd_log_t maybe?  If this is actually necessary.

Logrotate and logwatch are able to search any directory yes.  But remember
search is different than list.  I need to search through all directories in a
path, but if I want to see the contents of a directory I need the list priv.
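To turn a denial like the one quoted above into the narrow sesearch query Dan suggests (source type, target type, class and the exact permissions), here is an added helper that is not part of the thread. The sample AVC line is the one from the original post, embedded as a constructed string; the `dontaudit` output is standard policy-module syntax for the "silence it if it is a leak" option.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc: '
    'denied  { read write } for  pid=1275 comm="logrotate" name="dnsview.html" '
    'dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

# Pull the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial record; return None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def sesearch_query(d):
    """Allow-rule query restricted to the denied source, target, class and perms."""
    return 'sesearch -A -s %s -t %s -c %s -p %s' % (
        d['stype'], d['ttype'], d['tclass'], ','.join(d['perms']))


def dontaudit_rule(d):
    """Policy-module line that silences (not permits) this exact denial."""
    return 'dontaudit %s %s:%s { %s };' % (
        d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))


if __name__ == '__main__':
    denial = parse_avc(SAMPLE_AVC)
    print(sesearch_query(denial))
    print(dontaudit_rule(denial))
```

An empty result from the generated query confirms there is no allow rule for that access, so the remaining choice is the one Dan describes: find and fix the leak, relabel the files, or dontaudit the access.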

