SELinux alert in Fedora 21

Lukas Vrabec lvrabec at redhat.com
Mon Dec 15 10:10:33 UTC 2014


Bug is in MODIFIED state. https://bugzilla.redhat.com/show_bug.cgi?id=1163438

I will also make a new build during the day.

--
Best regards, 
Lukas Vrabec. 


----- Original Message -----
From: "Shintaro Fujiwara" <shintaro.fujiwara at gmail.com>
To: "Lukas Vrabec" <lvrabec at redhat.com>
Cc: "Jeremy Young" <jrm16020 at gmail.com>, selinux at lists.fedoraproject.org
Sent: Monday, 15 December, 2014 9:43:36 AM
Subject: Re: SELinux alert in Fedora 21

Thanks, friends.
I will.

2014-12-15 17:33 GMT+09:00, Lukas Vrabec <lvrabec at redhat.com>:
> Hi,
>
> Please follow this in BZ
> https://bugzilla.redhat.com/show_bug.cgi?id=1163438. We know about this
> issue.
>
> I'm going to fix it.
>
> --
> Best regards,
> Lukas Vrabec.
>
>
> ----- Original Message -----
> From: "Jeremy Young" <jrm16020 at gmail.com>
> To: "Shintaro Fujiwara" <shintaro.fujiwara at gmail.com>
> Cc: selinux at lists.fedoraproject.org
> Sent: Sunday, 14 December, 2014 7:22:44 PM
> Subject: Re: SELinux alert in Fedora 21
>
> I got the same message today. It looks harmless, and it's either a bug in
> policy or is a good reason for dnf to store its logs some place other than
> /var/cache . The cron that generates this is run yearly, so it's likely that
> this isn't encountered that often.
>
> [root at localhost jrm16020]# cat /etc/logrotate.d/dnf
> /var/log/dnf.log {
> missingok
> notifempty
> size 30k
> yearly
> create 0600 root root
> }
>
> /var/log/dnf.rpm.log {
> missingok
> notifempty
> size 30k
> yearly
> create 0600 root root
> }
>
> /var/log/dnf.plugin.log {
> missingok
> notifempty
> size 30k
> yearly
> create 0600 root root
> }
>
> /var/cache/dnf/*/*/hawkey.log {
> missingok
> notifempty
> size 30k
> yearly
> create 0600 root root
> }
>
>
> [root at localhost jrm16020]# sesearch -A -C -s logrotate_t -t rpm_var_cache_t
> -c dir
> Found 1 semantic av rules:
> allow logrotate_t file_type : dir { getattr search open } ;
>
> On Sun, Dec 14, 2014 at 4:27 PM, Shintaro Fujiwara <shintaro.fujiwara at gmail.com> wrote:
>
>
> Hi, I run SELinux on Fedora 21.
> I got this alert.
>
> What's this?
>
>
> SELinux is preventing /usr/sbin/logrotate from read access on the directory
> /var/cache/dnf.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> Additional Information:
> Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
> Target Context system_u:object_r:rpm_var_cache_t:s0
> Target Objects /var/cache/dnf [ dir ]
> Source logrotate
> Source Path /usr/sbin/logrotate
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages logrotate-3.8.7-4.fc21.x86_64
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-99.fc21.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 3.17.6-300.fc21.x86_64
> #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
> Alert Count 1
> First Seen 2014-12-15 07:21:01 JST
> Last Seen 2014-12-15 07:21:01 JST
> Local ID 4f20b888-a8fd-484b-a665-dcd7b149502d
>
> Raw Audit Messages
> type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758
> comm="logrotate" name="dnf" dev="dm-1" ino=3148310
> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
>
>
> type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat
> success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0
> items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate
> subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
>
> Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read
>
> [fujiwara at localhost ~]$ sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Max kernel policy version: 29
>
>
>
> --
> A page to establish heavy metal and hard rock in Japan
> http://heavymetalhardrock.no-ip.info/
>
> Free software that makes the secure OS SELinux easier to use around the world
> http://sourceforge.net/projects/segatex/
>
> CMS (free software using PHP and PostgreSQL)
> http://sourceforge.net/projects/webon/
> https://github.com/intrajp/irforum_jp
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> Jeremy Young, M.S., RHCSA
>
>
>
>


-- 
A page to establish heavy metal and hard rock in Japan
http://heavymetalhardrock.no-ip.info/

Free software that makes the secure OS SELinux easier to use around the world
http://sourceforge.net/projects/segatex/

CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp
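
Added example, not part of the thread: a small triage helper that parses the raw AVC record Shintaro posted and the `sesearch` allow rule Jeremy quoted, and reports which requested permission the loaded policy does not grant (here `read` on the directory, which the `getattr search open` rule lacks). The sample strings are copied from the thread; the function names are this example's own.

```python
import re

# Constructed sample input, copied from the thread: the raw AVC record and the
# output of `sesearch -A -C -s logrotate_t -t rpm_var_cache_t -c dir`.
AVC_LINE = (
    'type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758 comm="logrotate" '
    'name="dnf" dev="dm-1" ino=3148310 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0'
)
SESEARCH_OUTPUT = """Found 1 semantic av rules:
allow logrotate_t file_type : dir { getattr search open } ;
"""
# One allow rule per line: allow <src> <tgt> : <class> { perms } ;
ALLOW_RE = re.compile(r'^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+\{([^}]*)\}', re.M)

def _field(record, key):
    """Value of key=... (quoted or bare) in an audit record, or None."""
    m = re.search(r'\b%s="?([^"\s]+)' % re.escape(key), record)
    return m.group(1) if m else None

def parse_avc(record):
    """Extract perms, source/target types (3rd context field) and class."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', record)
    if m is None:
        raise ValueError('not an AVC denial record')
    return {
        'perms': set(m.group(1).split()),
        'comm': _field(record, 'comm'),
        'stype': _field(record, 'scontext').split(':')[2],
        'ttype': _field(record, 'tcontext').split(':')[2],
        'tclass': _field(record, 'tclass'),
    }

def allowed_perms(sesearch_text, stype, tclass):
    """Union of perms granted to (stype, tclass). sesearch was already asked
    for the target type, so rules on an attribute like file_type count."""
    perms = set()
    for src, _tgt, cls, plist in ALLOW_RE.findall(sesearch_text):
        if src == stype and cls == tclass:
            perms |= set(plist.split())
    return perms

def missing_perms(record, sesearch_text):
    """Requested permissions the loaded policy does not grant."""
    a = parse_avc(record)
    return sorted(a['perms'] - allowed_perms(sesearch_text, a['stype'], a['tclass']))

def setroubleshoot_hash(record):
    """Rebuild the 'Hash:' line setroubleshoot prints for a denial."""
    a = parse_avc(record)
    return ','.join([a['comm'], a['stype'], a['ttype'], a['tclass']] + sorted(a['perms']))
```

Running `missing_perms(AVC_LINE, SESEARCH_OUTPUT)` returns `['read']`, which is exactly the gap between what logrotate's glob over /var/cache/dnf needs and what the policy quoted above allows.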
