SELinux alert in Fedora 21

Lukas Vrabec lvrabec at redhat.com
Mon Dec 15 08:33:18 UTC 2014


Hi, 

Please follow this in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1163438. We know about this issue. 

I'm going to fix it.

--
Best regards, 
Lukas Vrabec. 


----- Original Message -----
From: "Jeremy Young" <jrm16020 at gmail.com>
To: "Shintaro Fujiwara" <shintaro.fujiwara at gmail.com>
Cc: selinux at lists.fedoraproject.org
Sent: Sunday, 14 December, 2014 7:22:44 PM
Subject: Re: SELinux alert in Fedora 21

I got the same message today. It looks harmless, and it's either a bug in policy or is a good reason for dnf to store its logs some place other than /var/cache. The cron that generates this is run yearly, so it's likely that this isn't encountered that often.

[root at localhost jrm16020]# cat /etc/logrotate.d/dnf 
/var/log/dnf.log { 
missingok 
notifempty 
size 30k 
yearly 
create 0600 root root 
} 

/var/log/dnf.rpm.log { 
missingok 
notifempty 
size 30k 
yearly 
create 0600 root root 
} 

/var/log/dnf.plugin.log { 
missingok 
notifempty 
size 30k 
yearly 
create 0600 root root 
} 

/var/cache/dnf/*/*/hawkey.log { 
missingok 
notifempty 
size 30k 
yearly 
create 0600 root root 
} 


[root at localhost jrm16020]# sesearch -A -C -s logrotate_t -t rpm_var_cache_t -c dir 
Found 1 semantic av rules: 
allow logrotate_t file_type : dir { getattr search open } ; 

On Sun, Dec 14, 2014 at 4:27 PM, Shintaro Fujiwara <shintaro.fujiwara at gmail.com> wrote:


Hi, I run SELinux on Fedora 21. 
I got this alert. 

What's this? 


SELinux is preventing /usr/sbin/logrotate from read access on the directory /var/cache/dnf. 

***** Plugin catchall (100. confidence) suggests ************************** 
Additional Information: 
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 
Target Context system_u:object_r:rpm_var_cache_t:s0 
Target Objects /var/cache/dnf [ dir ] 
Source logrotate 
Source Path /usr/sbin/logrotate 
Port <Unknown> 
Host localhost.localdomain 
Source RPM Packages logrotate-3.8.7-4.fc21.x86_64 
Target RPM Packages 
Policy RPM selinux-policy-3.13.1-99.fc21.noarch 
Selinux Enabled True 
Policy Type targeted 
Enforcing Mode Enforcing 
Host Name localhost.localdomain 
Platform Linux localhost.localdomain 3.17.6-300.fc21.x86_64 
#1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64 
Alert Count 1 
First Seen 2014-12-15 07:21:01 JST 
Last Seen 2014-12-15 07:21:01 JST 
Local ID 4f20b888-a8fd-484b-a665-dcd7b149502d 

Raw Audit Messages 
type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758 comm="logrotate" name="dnf" dev="dm-1" ino=3148310 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0 


type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0 items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 

Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read 

[fujiwara at localhost ~]$ sestatus 
SELinux status: enabled 
SELinuxfs mount: /sys/fs/selinux 
SELinux root directory: /etc/selinux 
Loaded policy name: targeted 
Current mode: enforcing 
Mode from config file: enforcing 
Policy MLS status: enabled 
Policy deny_unknown status: allowed 
Max kernel policy version: 29 



-- 
A page to get heavy metal and hard rock rooted in Japan
http://heavymetalhardrock.no-ip.info/

Free software that makes the secure OS SELinux easier to use around the world
http://sourceforge.net/projects/segatex/

CMS (free software built with PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp

-- 
selinux mailing list 
selinux at lists.fedoraproject.org 
https://admin.fedoraproject.org/mailman/listinfo/selinux 


-- 
Jeremy Young , M.S., RHCSA 



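As an added illustration (not code from the thread or from selinux-policy), the following Python helper parses the raw AVC record and Jeremy's sesearch output quoted above, reports which permission the loaded policy lacks, and prints the allow rule a local module would need, in the form audit2allow emits. It assumes the sesearch output was already filtered by source and target type (as in the thread, where `-s logrotate_t -t rpm_var_cache_t` made sesearch resolve the `file_type` attribute), so the script itself does no attribute expansion; the `avc_key` layout for more than one permission is an assumption.

```python
import re

# Constructed sample input: the raw AVC record and the sesearch output quoted in the thread.
AVC_LINE = ('type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758 '
            'comm="logrotate" name="dnf" dev="dm-1" ino=3148310 '
            'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0')
SESEARCH_OUT = ('Found 1 semantic av rules:\n'
                'allow logrotate_t file_type : dir { getattr search open } ;\n')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]*)".*?'
                    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)(?:\s+permissive=(\d))?')
# Accepts both "src tgt : cls { p q } ;" (setools 3) and "src tgt:cls { p q };" (setools 4).
RULE_RE = re.compile(r'^allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;')

def parse_avc(line):
    """Pull the denied permissions, comm and the source/target *types* out of an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    perms, comm, sctx, tctx, tclass, permissive = m.groups()
    return {"perms": set(perms.split()), "comm": comm,
            "stype": sctx.split(":")[2], "ttype": tctx.split(":")[2],
            "tclass": tclass, "enforced": permissive != "1"}

def granted_perms(sesearch_output, tclass):
    """Union of permissions from every allow rule on `tclass` in the pre-filtered sesearch output."""
    perms = set()
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(3) == tclass:
            perms.update((m.group(4) or m.group(5)).split())
    return perms

def missing_perms(avc_line, sesearch_output):
    """Return the parsed AVC and the denied permissions no allow rule grants."""
    avc = parse_avc(avc_line)
    return avc, sorted(avc["perms"] - granted_perms(sesearch_output, avc["tclass"]))

def te_rule(avc, perms):
    """The allow rule a local policy module would need, as audit2allow prints it."""
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {avc["stype"]} {avc["ttype"]}:{avc["tclass"]} {body};'

def avc_key(avc):
    """Dedup key in the shape of setroubleshoot's 'Hash:' line (layout for >1 perm is assumed)."""
    return ",".join([avc["comm"], avc["stype"], avc["ttype"], avc["tclass"], *sorted(avc["perms"])])

if __name__ == "__main__":
    avc, perms = missing_perms(AVC_LINE, SESEARCH_OUT)
    print(avc_key(avc), "(enforced)" if avc["enforced"] else "(permissive)")
    print(te_rule(avc, perms))
```

For the record in the thread the script reports that only `read` is missing and prints `allow logrotate_t rpm_var_cache_t:dir read;`, which is exactly the gap the BZ fix in the policy has to close; a local module built from that rule is a stopgap, not a replacement for the policy update.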

