Description of problem:
SELinux denies access while trying to feed IDM's /var/log/pki/pki-tomcat/ca/transaction files into rsyslogd through imfile module.
Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux Server release 7.4 (Maipo)
- Red Hat IDM 4.5 (ipa-server-4.5.0-21.el7_4.1.2)
How reproducible:
Steps to Reproduce:
1. Install RHEL 7.4 and IDM
2. Create an rsyslog.d conf file like this:
input(
type="imfile"
ruleset="remote_ipa_logger"
file="/var/log/pki/pki-tomcat/ca/transactions"
facility="local6"
severity="info"
tag="ipa-ca-transaction"
)
Actual results:
Checking /var/log/audit/audit.log, it reports:
type=AVC msg=audit(..timestamp..): avc: denied { search } for pid=xyz comm="in:imfile" name="pki" dev="dm-5" ino=179 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:pki_log_t:s0 tclass=dir
Expected results:
No AVC denies
Additional info:
Suggested policy from audit2allow is:
allow syslogd_t pki_log_t:dir search;
Suggested policy was successfully compiled and loaded into the system. It should be allowed by default, though.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3111
Description of problem: SELinux denies access while trying to feed IDM's /var/log/pki/pki-tomcat/ca/transaction files into rsyslogd through imfile module. Version-Release number of selected component (if applicable): - Red Hat Enterprise Linux Server release 7.4 (Maipo) - Red Hat IDM 4.5 (ipa-server-4.5.0-21.el7_4.1.2) How reproducible: Steps to Reproduce: 1. Install RHEL 7.4 and IDM 2. Create an rsyslog.d conf file like this: input( type="imfile" ruleset="remote_ipa_logger" file="/var/log/pki/pki-tomcat/ca/transactions" facility="local6" severity="info" tag="ipa-ca-transaction" ) Actual results: Checking /var/log/audit/audit.log, it reports: type=AVC msg=audit(..timestamp..): avc: denied { search } for pid=xyz comm="in:imfile" name="pki" dev="dm-5" ino=179 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:pki_log_t:s0 tclass=dir Expected results: No AVC denies Additional info: Suggested policy from audit2allow is: allow syslogd_t pki_log_t:dir search; Suggested policy was successfully compiled and loaded into the system. It should be allowed by default, though.