Bug 1064326
| Summary: | SELinux prevents logrotate from reading /var/log/core directory | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 6.5 | CC: | dwalsh, paulds, ssekidde | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.7.19-249.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 1064322 | |||
| : | 1153333 (view as bug list) | Environment: | ||
| Last Closed: | 2014-10-14 08:00:06 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1131460, 1153333 | |||
No matter when bz#1066407 gets fixed, the /var/log/core directory should be labeled virt_log_t. sesearch -T | grep virt_cache_t type_transition svirt_tcg_t var_t : file virt_cache_t; type_transition svirt_t var_t : file virt_cache_t; type_transition svirt_tcg_t var_t : dir virt_cache_t; type_transition svirt_t var_t : dir virt_cache_t; THe only way I now of create a virt_cache_t dir would be via a filetrans rule from a var_t, could /var/log have been mislabeled as var_t rather then var_log_t? The problem is in the package, it brings own labeling pattern (see also bz#1066407): # rpm -q --scripts vdsm | grep semanage /usr/sbin/semanage fcontext -a -t virt_cache_t '/var/log/core(/.*)?' # Ok. *** Bug 1097400 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html |
Description of problem: * vdsm package contains a cronjob which runs logrotate each hour and the logrotate job wants to access *.dump files in /var/log/core directory Version-Release number of selected component (if applicable): selinux-policy-3.7.19-231.el6.noarch selinux-policy-doc-3.7.19-231.el6.noarch selinux-policy-minimum-3.7.19-231.el6.noarch selinux-policy-mls-3.7.19-231.el6.noarch selinux-policy-targeted-3.7.19-231.el6.noarch vdsm-4.13.0-23.1.el6rhs.x86_64 How reproducible: each hour Steps to Reproduce: 1) install vdsm package together with its dependencies 2) make sure that crond is running 3) wait for an hour or force the logrotate job to start Actual results (enforcing mode): ---- type=PATH msg=audit(02/12/2014 12:01:01.799:857) : item=0 name=/var/log/core inode=61398 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_cache_t:s0 nametype=NORMAL type=CWD msg=audit(02/12/2014 12:01:01.799:857) : cwd=/ type=SYSCALL msg=audit(02/12/2014 12:01:01.799:857) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fff8acc33b0 a1=90800 a2=f1a73e a3=25 items=1 ppid=20006 pid=20008 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=109 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/12/2014 12:01:01.799:857) : avc: denied { read } for pid=20008 comm=logrotate name=core dev=vda3 ino=61398 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_cache_t:s0 tclass=dir ---- Expected results: * no AVCs