Description of problem:
SELinux denies access while trying to feed IDM's /var/log/pki/pki-tomcat/ca/transaction files into rsyslogd through imfile module.
Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux Server release 7.4 (Maipo)
- Red Hat IDM 4.5 (ipa-server-4.5.0-21.el7_4.1.2)
How reproducible:
Steps to Reproduce:
1. Install RHEL 7.4 and IDM
2. Create an rsyslog.d conf file like this:
input(
type="imfile"
ruleset="remote_ipa_logger"
file="/var/log/pki/pki-tomcat/ca/transactions"
facility="local6"
severity="info"
tag="ipa-ca-transaction"
)
Actual results:
Checking /var/log/audit/audit.log, it reports:
type=AVC msg=audit(..timestamp..): avc: denied { search } for pid=xyz comm="in:imfile" name="pki" dev="dm-5" ino=179 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:pki_log_t:s0 tclass=dir
Expected results:
No AVC denies
Additional info:
Suggested policy from audit2allow is:
allow syslogd_t pki_log_t:dir search;
Suggested policy was successfully compiled and loaded into the system. It should be allowed by default, though.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3111