Bug 1450789
| Summary: | SELinux is preventing anacrontab to execute su | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Luis Pigueiras <lpigueiras> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.3 | CC: | cww, lpigueiras, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela | ||||
| Target Milestone: | rc | ||||||
| Target Release: | 7.4 | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.13.1-175.el7 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-04-10 12:29:42 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1420851 | ||||||
| Attachments: |
|
||||||
In addition I have this custom module enabled (and it doesn't make any difference)
module local_rabbitmq_logrotate 1.0;
require {
type logrotate_t;
class passwd passwd;
}
#============= logrotate_t ==============
allow logrotate_t self:passwd passwd;
In addition I have this custom module enabled (and it doesn't make any difference)
module local_rabbitmq_logrotate 1.0;
require {
type logrotate_t;
class passwd passwd;
}
#============= logrotate_t ==============
allow logrotate_t self:passwd passwd;
*** Bug 1450788 has been marked as a duplicate of this bug. *** Luis, Could you run: # semodule -DB And then try to reproduce the scenario. Some of the SELinux denials can be dontaudited. Could you attach these denials? Thanks. Created attachment 1279898 [details]
audit log
I attached the audit.log with what I think they are the relevant logs. Let me know if you need anything else, or if you need more lines from the audit.log. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |
Description of problem: I'm getting denials like this in /var/log/audit/audit.log, causing a bad rotation in the rabbitmq logs, because SELinux is preventing the postrotate of those logs. In /var/log/audit/audit.log: type=USER_AVC msg=audit(1494639849.391:137160): pid=21406 uid=0 auid=0 ses=10767 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc: denied { passwd } for scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?' Version-Release number of selected component (if applicable): selinux-policy-3.13.1-102.el7_3.16.noarch How reproducible: I'm seeing this only when logrotate is configured in /etc/cron.daily. You can probably see these denials trying to execute a postrotate that uses "su" Additional info: This was already reported and fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1354347 and https://bugzilla.redhat.com/show_bug.cgi?id=1283134 but I'm still seeing the problem.