sesearch output
Daniel J Walsh
dwalsh at redhat.com
Tue Oct 16 15:20:57 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/16/2012 10:39 AM, Moray Henderson wrote:
> On CentOS 6 I'm trying to get logrotate to work on some web files. At the
> moment they're httpd_sys_content_t and give
>
> Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc:
> denied { read write } for pid=1275 comm="logrotate" name="dnsview.html"
> dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> I wanted to see what did have access to those files, so used
>
> # sesearch --allow -t httpd_sys_content_t | less
>
> I thought that would show me all the allow rules with a target of
> httpd_sys_content_t, but it seems to show other stuff as well, which
> confused me:
>
> allow logwatch_t file_type : filesystem getattr ; allow logwatch_t
> file_type : file getattr ; allow logwatch_t file_type : dir { getattr
> search open } ; allow logwatch_t file_type : lnk_file getattr ;
>
> and so on. Is that supposed to show up? Does it mean that logwatch can
> search all directories regardless of their context?
>
> Is there a context that would be appropriate for my files or will I need
> custom policy if I want to rotate them?
>
>
>
> Moray. "To err is human; to purr, feline."
>
>
>
>
>
>
> -- selinux mailing list selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
You should be looking at logrotate_t not logwatch_t
# sesearch -A -s logrotate_t -p write -c file | grep logfile
allow logrotate_t logfile : file { ioctl read write create getattr setattr
lock append unlink link rename execute execute_no_trans open } ;
First off I would look at if this is actually necessary or just a leak. Why
would logrotate want to read/write dnsview.html? You might be best off adding
a dontaudit rule, although figuring out if this is a leak and fixing the leak
would be best.
Logwatch is allowed to manipulate log files so it is probably best to have
these be log files.
httpd_log_t maybe? If this is actually necessary.
Logtotate and logwatch are able to search any directory yes. But remember
search is different then list. I need to search through all directories in a
path, but if I want to see the contents of a directory I need the list priv.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlB9e1kACgkQrlYvE4MpobPgmQCfRc9IiMKrlrTkNyOTb3qzjZfz
1ZMAoOHmpf6/anq+pCzoETMNCFc9Rc8P
=g/w4
-----END PGP SIGNATURE-----
More information about the selinux
mailing list