Bug 1705083
| Summary: | logrotate cannot access /var/log/boot.log | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tomasz Kepczynski <tomek> |
| Component: | plymouth | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.6 | CC: | bsanford, dahernan, hgomes, lvrabec, mboisver, mmalik, plautrba, rstrode, ssekidde, vmojzis, zpytela |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | plymouth-0.8.9-0.34.20140113.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-29 20:34:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Tomasz Kepczynski
2019-05-01 12:37:06 UTC
Here is the SELinux denial which appears when logrotate tries to rotate the /var/log/boot.log file and the log file is labeled with plymouthd_spool_t:

```
----
type=PROCTITLE msg=audit(05/02/2019 12:45:01.589:314) : proctitle=/usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf
type=PATH msg=audit(05/02/2019 12:45:01.589:314) : item=0 name=/var/log/boot.log inode=16797764 dev=fd:02 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:plymouthd_spool_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(05/02/2019 12:45:01.589:314) : cwd=/etc/logrotate.d
type=SYSCALL msg=audit(05/02/2019 12:45:01.589:314) : arch=x86_64 syscall=lstat success=no exit=EACCES(Permission denied) a0=0x1804e70 a1=0x7ffd8524bb20 a2=0x7ffd8524bb20 a3=0x2 items=1 ppid=17217 pid=17219 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=8 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/02/2019 12:45:01.589:314) : avc: denied { getattr } for pid=17219 comm=logrotate path=/var/log/boot.log dev="vda2" ino=16797764 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:plymouthd_spool_t:s0 tclass=file permissive=0
----

# rpm -qf /etc/logrotate.d/bootlog
plymouth-0.8.9-0.32.20140113.el7.x86_64
# rpm -qa selinux-policy\* | sort
selinux-policy-3.13.1-245.el7.noarch
selinux-policy-devel-3.13.1-245.el7.noarch
selinux-policy-mls-3.13.1-245.el7.noarch
selinux-policy-sandbox-3.13.1-245.el7.noarch
selinux-policy-targeted-3.13.1-245.el7.noarch
#
```

One of the reproducers is:

```
# anacron -fsn
#
```

SELinux context is stored in an extended attribute of a file, so it cannot be different for 2 different file paths. In policy, we have different context though:

```
# matchpathcon /var/log/boot.log /var/spool/plymouth/boot.log
/var/log/boot.log	system_u:object_r:plymouthd_var_log_t:s0
/var/spool/plymouth/boot.log	system_u:object_r:plymouthd_spool_t:s0
```

plymouth developers, would it be possible to avoid having such a hardlink?

yea we don't actually use that spool file anymore. we could just drop it.

```
[root@kvm-02-guest11 ~]# ls -lZ /var/log/boot.log
-rw-------. root root system_u:object_r:plymouthd_var_log_t:s0 /var/log/boot.log
```

The /var/log/boot.log is no longer hardlinked to /var/spool/plymouth/boot.log

Hey Ray, would you be so kind to let us know when the ERRATA is going to be released? I can see that it is being continuously delayed week by week, not sure if it is expected. I'm talking about RHBA-2020:54456-02. Thanks in advance.

(In reply to David Hernández Fernández from comment #21)
> Hey Ray, would you be so kind to let us know when the ERRATA is going to be
> released? I can see that it is being continuously delayed week by week, not
> sure if it is expected. I'm talking about RHBA-2020:54456-02. Thanks in
> advance.

David, unfortunately the GA keeps getting pushed back due to RC blocking issues. As of right now the GA is set for September 29th.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (plymouth bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4012
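
The condition diagnosed in this thread, one inode reachable through hard-linked paths that policy labels differently, can be checked for directly. The following is an added example, not code from this bug report, plymouth or selinux-policy; the function names and scanned directories are illustrative, and the default lookup assumes `matchpathcon -n` is installed.

```python
import os
import stat
import subprocess
from collections import defaultdict


def policy_label(path):
    """Label the file-context rules expect for `path` (assumes matchpathcon;
    -n prints the context without the path)."""
    out = subprocess.run(["matchpathcon", "-n", path],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def hardlink_label_conflicts(roots, expected_label=policy_label):
    """Return {(dev, ino): {path: expected_label}} for each regular file that is
    hard-linked under several paths whose policy labels disagree. The inode has
    a single security.selinux xattr, so at most one of those paths can match."""
    by_inode = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                    by_inode[(st.st_dev, st.st_ino)].append(path)
    conflicts = {}
    for inode, paths in by_inode.items():
        labels = {p: expected_label(p) for p in sorted(paths)}
        if len(set(labels.values())) > 1:
            conflicts[inode] = labels
    return conflicts


if __name__ == "__main__":
    # Illustrative roots: the two trees involved in this bug.
    found = hardlink_label_conflicts(["/var/log", "/var/spool"])
    for (dev, ino), labels in found.items():
        print(f"inode {ino} on device {dev}: one xattr, conflicting policy labels")
        for path, label in labels.items():
            print(f"  {path}\t{label}")
```

Both trees must be passed in one call, because a link is only detected when every path to the inode is under the scanned roots.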