| Summary: | SELinux policy breaks rotation of chronyd logs | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Pavel Kankovsky <peak> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.9 | CC: | dwalsh, lvrabec, mgrepl, mmalik, peak, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-297.el6 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-21 09:48:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Could you re-run the scenario in enforcing mode after making the logrotate_t domain permissive? # semanage permissive -a logrotate_t So that we know if there are additional SELinux denials. # ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today [root@xxxxx ~]# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=SYSCALL msg=audit(11/26/2016 03:29:01.799:3867) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7fff2ddd55a0 a1=O_RDONLY a2=0x1b6 a3=0x0 items=0 ppid=16372 pid=16373 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=592 comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/26/2016 03:29:01.799:3867) : avc: denied { open } for pid=16373 comm=chronyc name=chrony.keys dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file
type=AVC msg=audit(11/26/2016 03:29:01.799:3867) : avc: denied { read } for pid=16373 comm=chronyc name=chrony.keys dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/26/2016 03:29:01.799:3868) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7fff2ddd5400 a2=0x7fff2ddd5400 a3=0x0 items=0 ppid=16372 pid=16373 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=592 comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/26/2016 03:29:01.799:3868) : avc: denied { getattr } for pid=16373 comm=chronyc path=/etc/chrony.keys dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html |
Description of problem: SELinux does not allow logrotate to tell chronyd to reopen log files. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-292.el6.noarch (also: chrony-2.1.1-1.el6.x86_64) How reproducible: Easily. Steps to Reproduce: 1. Make sure SELinux is enabled and enforcing. 2. Install chrony. 3. Enable logging in /etc/chrony.conf (for instance, I wanted to enable the tracking log with "log tracking"). 4. Wait. Actual results: logrotate renames the current log file but the invocation of "chronyc -a cyclelogs" in its postrotate scriptlet fails because chronyc is running as logrotate_t and logrotate_t is not allowed to read chronyd_keys_t files like /etc/chrony.keys. chronyd does not create a new log file and keeps writing to the old one. Here is a sample record of the failure from audit.log: type=AVC msg=audit(1477445821.779:19618): avc: denied { read } for pid=11448 comm="chronyc" name="chrony.keys" dev=xvda1 ino=23521 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file type=SYSCALL msg=audit(1477445821.779:19618): arch=c000003e syscall=2 success=no exit=-13 a0=7ffeedc115e0 a1=0 a2=1b6 a3=0 items=0 ppid=11447 pid=11448 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2307 comm="chronyc" exe="/usr/bin/chronyc" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) Expected results: chronyd closes the old log file, creates a new one and writes new log messages there. Additional info: Obviously, manual invocations of logrotate running as unconfined_t are not affected.