| Summary: | SELinux is preventing /usr/bin/perl from search access on the directory logcheck. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Brian J. Murrell <brian> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | brian, herrold, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-10-12 12:17:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Could you collect the SELinux denials and attach them here? # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today The "-i" parameter is important because ausearch can translate "comm=7370616D64206368696C64" to something human readable. I have removed the "-ts today" from the ausearch line so that I could find the one that is in the message in Comment #1. I did that because I have installed a (temporary) local policy since filing this bug so that denials don't cause the program to fail. ---- type=SYSCALL msg=audit(28/09/16 04:09:19.042:7562) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x364da80 a1=0x1aac138 a2=0x1aac138 a3=0x1 items=0 ppid=8770 pid=5842 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null) type=AVC msg=audit(28/09/16 04:09:19.042:7562) : avc: denied { search } for pid=5842 comm=spamd child name=logcheck dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir ---- Of course, once I make a local exception for one AVC another pops up:
SELinux is preventing /usr/bin/perl from getattr access on the directory /var/lib/logcheck.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that perl should be allowed getattr access on the logcheck directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep 7370616D64206368696C64 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:spamd_t:s0
Target Context system_u:object_r:logwatch_cache_t:s0
Target Objects /var/lib/logcheck [ dir ]
Source 7370616D64206368696C64
Source Path /usr/bin/perl
Port <Unknown>
Host server.interlinx.bc.ca
Source RPM Packages perl-5.16.3-286.el7.x86_64
Target RPM Packages logcheck-1.3.15-2.el7.noarch
Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name server.interlinx.bc.ca
Platform Linux server.interlinx.bc.ca
3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18
19:05:49 UTC 2016 x86_64 x86_64
Alert Count 34
First Seen 2016-09-28 12:10:12 EDT
Last Seen 2016-09-29 08:09:21 EDT
Local ID 1a399aeb-26a9-4270-b8b3-fee2802c0571
Raw Audit Messages
type=AVC msg=audit(1475150961.45:12651): avc: denied { getattr } for pid=4087 comm=7370616D64206368696C64 path="/var/lib/logcheck" dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1475150961.45:12651): arch=x86_64 syscall=stat success=no exit=EACCES a0=3668810 a1=16b1138 a2=16b1138 a3=0 items=0 ppid=4083 pid=4087 auid=4294967295 uid=0 gid=0 euid=993 suid=0 fsuid=993 egid=991 sgid=0 fsgid=991 tty=(none) ses=4294967295 comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)
Hash: 7370616D64206368696C64,spamd_t,logwatch_cache_t,dir,getattr
From ausearch:
type=SYSCALL msg=audit(29/09/16 08:09:21.045:12651) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x3668810 a1=0x16b1138 a2=0x16b1138 a3=0x0 items=0 ppid=4083 pid=4087 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(29/09/16 08:09:21.045:12651) : avc: denied { getattr } for pid=4087 comm=spamd child path=/var/lib/logcheck dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
This one also looks related:
type=SYSCALL msg=audit(29/09/16 08:09:20.347:12648) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x5969d60 a1=0755 a2=0x7f1f80387edc a3=0x0 items=0 ppid=4083 pid=4087 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(29/09/16 08:09:20.347:12648) : avc: denied { write } for pid=4087 comm=spamd child name=logcheck dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
Some more alerts:
----
type=SYSCALL msg=audit(30/09/16 04:09:12.303:16319) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x6b479a0 a1=0700 a2=0x7f36e75e7edc a3=0x0 items=0 ppid=8742 pid=8746 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(30/09/16 04:09:12.303:16319) : avc: denied { add_name } for pid=8746 comm=spamd child name=.spamassassin scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
----
type=SYSCALL msg=audit(30/09/16 04:09:11.694:16318) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x65e5fc0 a1=0755 a2=0x7f36e75e7edc a3=0x0 items=0 ppid=8742 pid=8746 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(30/09/16 04:09:11.694:16318) : avc: denied { add_name } for pid=8746 comm=spamd child name=.razor scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. We're going to close this bug as WONTFIX because * of limited capacity of selinux-policy developers * the bug is related to EPEL component or 3rd party SW only * the bug appears in unsupported configuration We believe this bug can be fixed via a local policy module. For more information please see: * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow If you disagree, please re-open the bug. |
SELinux is preventing /usr/bin/perl from search access on the directory logcheck. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that perl should be allowed search access on the logcheck directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep 7370616D64206368696C64 /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:spamd_t:s0 Target Context system_u:object_r:logwatch_cache_t:s0 Target Objects logcheck [ dir ] Source 7370616D64206368696C64 Source Path /usr/bin/perl Port <Unknown> Host server.interlinx.bc.ca Source RPM Packages perl-5.16.3-286.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-60.el7_2.9.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name server.interlinx.bc.ca Platform Linux server.interlinx.bc.ca 3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18 19:05:49 UTC 2016 x86_64 x86_64 Alert Count 32 First Seen 2016-09-27 12:16:58 EDT Last Seen 2016-09-28 04:09:19 EDT Local ID 429f02c1-0582-4e1b-bb49-bb7994c594e0 Raw Audit Messages type=AVC msg=audit(1475050159.42:7562): avc: denied { search } for pid=5842 comm=7370616D64206368696C64 name="logcheck" dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir type=SYSCALL msg=audit(1475050159.42:7562): arch=x86_64 syscall=stat success=no exit=EACCES a0=364da80 a1=1aac138 a2=1aac138 a3=1 items=0 ppid=8770 pid=5842 auid=4294967295 uid=0 gid=0 euid=993 suid=0 fsuid=993 egid=991 sgid=0 fsgid=991 tty=(none) ses=4294967295 comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null) Hash: 7370616D64206368696C64,spamd_t,logwatch_cache_t,dir,search