Bug 1473255
| Summary: | Logrotate cannot access candlepin logs | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Pramuk <lpramuk> | |
| Component: | Candlepin | Assignee: | Alex Wood <awood> | |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> | |
| Severity: | high | Docs Contact: | ||
| Priority: | urgent | |||
| Version: | 6.3.0 | CC: | ahumbe, awood, bbuckingham, bcourt, cpatters, hajek, khowell, ktbzimm, lpramuk, mmccune, mstead, ramsingh, smane | |
| Target Milestone: | Unspecified | Keywords: | Triaged | |
| Target Release: | Unused | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | candlepin-2.0.39-1 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1473346 (view as bug list) | Environment: | ||
| Last Closed: | 2018-02-21 16:54:17 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1473346 | |||
| Bug Blocks: | ||||
Lukas, What version of candlepin and candlepin-selinux were you running when you saw this problem? Version-Release number of selected component (if applicable): @satellite-6.3.0-16.0.beta.el7sat.noarch candlepin-2.0.37-1.el7.noarch candlepin-selinux-2.0.37-1.el7.noarch on RHEL-7.4-20170630.1 Lukas, Can you post the output for `sestatus`? I'm having trouble reproducing this. I'm running under the "targeted" policy and I want to make sure what I'm doing squares with what you are doing. Hi Alex, It occurs after fresh satellite install on rhel 7.4 ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 Hope this helps commit ccf99e3502b56e782caf38cbc9ee043a0ec16248
Author: Alex Wood <awood>
Date: Mon Jul 24 16:23:53 2017 -0400
1473255: Fix SELinux error when logrotate runs on candlepin logs
Please note that this also needs to be pulled to Satellite 6.2 where it also occurs, just FYI Peter, yes, there are separate bugs created to get this into candlepin-0.9.54.x. We will be sure to get the fix into all appropriate candlepin versions. Thanks for the note, and the reminder! :) Moving to ON_QA since latest Satellite 6.3 snap includes candlepin-2.0.40-1.el7.noarch. VERIFIED.
@satellite-6.3.0-16.0.beta.el7sat.noarch
candlepin-selinux-2.0.40-1.el7.noarch
# audit2allow -a
<empty>
>>> no selinux denials
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
>
> For information on the advisory, and where to find the updated files, follow the link below.
>
> If the solution does not work for you, open a new bug report.
>
> https://access.redhat.com/errata/RHSA-2018:0336
|
Description of problem: Logrotate cannot access candlepin logs due to SELinux denails Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Have a Satellite running on rhel7.4 2. # audit2allow -a #============= logrotate_t ============== allow logrotate_t candlepin_var_log_t:file getattr; # grep avc: /var/log/audit/audit.log type=AVC msg=audit(1500281521.410:1851): avc: denied { getattr } for pid=25345 comm="logrotate" path="/var/log/candlepin/audit.log" dev="dm-0" ino=671118656 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file type=AVC msg=audit(1500281521.410:1852): avc: denied { getattr } for pid=25345 comm="logrotate" path="/var/log/candlepin/candlepin.log" dev="dm-0" ino=671118654 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file type=AVC msg=audit(1500281521.410:1853): avc: denied { getattr } for pid=25345 comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-0" ino=671118655 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file type=AVC msg=audit(1500281521.413:1854): avc: denied { getattr } for pid=25345 comm="logrotate" path="/var/log/candlepin/audit.log" dev="dm-0" ino=671118656 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file type=AVC msg=audit(1500281521.413:1855): avc: denied { getattr } for pid=25345 comm="logrotate" path="/var/log/candlepin/candlepin.log" dev="dm-0" ino=671118654 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file type=AVC msg=audit(1500281521.413:1856): avc: denied { getattr } for pid=25345 comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-0" ino=671118655 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file Actual results: logrotate cannot access candlepin logs due to selinux denails Expected results: no selinux denails