SELinux alert in Fedora 21
Jeremy Young
jrm16020 at gmail.com
Mon Dec 15 00:22:44 UTC 2014
I got the same message today. It looks harmless, and it's either a bug in
policy or is a good reason for dnf to store its logs some place other than
/var/cache . The cron that generates this is run yearly, so it's likely
that this isn't encountered that often.
[root at localhost jrm16020]# cat /etc/logrotate.d/dnf
/var/log/dnf.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
/var/log/dnf.rpm.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
/var/log/dnf.plugin.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
[root at localhost jrm16020]# sesearch -A -C -s logrotate_t -t rpm_var_cache_t -c dir
Found 1 semantic av rules:
allow logrotate_t file_type : dir { getattr search open } ;
On Sun, Dec 14, 2014 at 4:27 PM, Shintaro Fujiwara <
shintaro.fujiwara at gmail.com> wrote:
>
> Hi, I run SELinux on Fedora 21.
> I got this alert.
>
> What's this?
>
>
> SELinux is preventing /usr/sbin/logrotate from read access on the
> directory /var/cache/dnf.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
> Additional Information:
> Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
> Target Context system_u:object_r:rpm_var_cache_t:s0
> Target Objects /var/cache/dnf [ dir ]
> Source logrotate
> Source Path /usr/sbin/logrotate
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages logrotate-3.8.7-4.fc21.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-99.fc21.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 3.17.6-300.fc21.x86_64
> #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64
> x86_64
> Alert Count 1
> First Seen 2014-12-15 07:21:01 JST
> Last Seen 2014-12-15 07:21:01 JST
> Local ID 4f20b888-a8fd-484b-a665-dcd7b149502d
>
> Raw Audit Messages
> type=AVC msg=audit(1418595661.775:465): avc: denied { read } for
> pid=6758 comm="logrotate" name="dnf" dev="dm-1" ino=3148310
> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
>
>
> type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat
> success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0
> items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate
> subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
>
> Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read
>
> [fujiwara at localhost ~]$ sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Max kernel policy version: 29
>
>
>
> --
> A page for making heavy metal and hard rock take root in Japan
> http://heavymetalhardrock.no-ip.info/
>
> Free software that makes the secure OS SELinux easier to use around the world
> http://sourceforge.net/projects/segatex/
>
> CMS (free software using PHP and PostgreSQL)
> http://sourceforge.net/projects/webon/
> https://github.com/intrajp/irforum_jp
>
--
Jeremy Young <jrm16020 at gmail.com>, M.S., RHCSA
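As an added example (not code from this thread or from Fedora), the following Python pulls the source type, target type, class and requested permissions out of the raw AVC record quoted above, rebuilds the setroubleshoot "Hash:" key, and compares the request against the sesearch rule Jeremy found to show which permission the policy does not grant. The two sample lines are the ones from this thread, re-typed on one line each.

```python
import re

# Constructed sample input: the AVC record and the sesearch rule quoted in
# this thread, re-typed as single lines.
AVC_LINE = (
    'type=AVC msg=audit(1418595661.775:465): avc: denied { read } for '
    'pid=6758 comm="logrotate" name="dnf" dev="dm-1" ino=3148310 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0'
)
SESEARCH_LINE = 'allow logrotate_t file_type : dir { getattr search open } ;'

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Decision, requested perms and SELinux types from one raw AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    # A context is user:role:type[:range]; the type is the third field.
    return {
        'result': m.group(1),
        'perms': set(m.group(2).split()),
        'comm': fields.get('comm', ''),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'enforced': fields.get('permissive') == '0',
    }


def setroubleshoot_key(avc):
    """The comma-separated key setroubleshoot prints after 'Hash:'."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'], avc['tclass'],
                     ','.join(sorted(avc['perms']))])


def parse_allow_rule(line):
    """Parse one 'allow src tgt : class { perms }' line of sesearch output."""
    m = RULE_RE.search(line)
    return {'src': m.group(1), 'tgt': m.group(2), 'tclass': m.group(3),
            'perms': set(m.group(4).split())} if m else None


def missing_perms(avc, rule):
    """Requested permissions the given allow rule does not cover."""
    if rule is None or rule['tclass'] != avc['tclass']:
        return sorted(avc['perms'])
    return sorted(avc['perms'] - rule['perms'])
```

Run against the lines above it reports `read` as the only missing permission, matching the denial: the rule lets logrotate_t stat, search and open directories, but not list them.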