Bug 236855

Summary: LSPP: aide can't write its log file
Product: Red Hat Enterprise Linux 5 Reporter: George C. Wilson <ltcgcw>
Component: aide Assignee: Steve Conklin <sconklin>
Status: CLOSED ERRATA QA Contact: Tom Kincaid <tkincaid>
Severity: high Docs Contact:
Priority: medium    
Version: 5.0 CC: dwalsh, iboverma, krisw, linda.knippers
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHSA-2007-0539 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-04 14:03:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 224041    
Attachments:
Description Flags
Adds /var/log/aide to spec file.
none
Sets aide log file path to /var/log/aide/aide.log
none
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts
none
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts
none

Description George C. Wilson 2007-04-18 00:47:24 UTC
Description of problem:

The aide utility cannot write /var/log/aide.log. It attempts to create it at
SystemHigh. But it causes a constraint violation because /var/log is
ranged. It either needs an MLS override or its own SystemHigh /var/log/aide
directory. After discussion, the latter solution seems preferable.

Version-Release number of selected component (if applicable):

aide-0.12-8.el5

How reproducible:

run aide --init

Steps to Reproduce:
1. Install the LSPP evaluated configuration
2. run aide --init
3. See the message complaining that aide cannot open /var/log/aide.log
4. audit2why < /var/log/audit/audit.log
5. See that it is a constraint violation
  
Actual results:

Couldn't open file /var/lib/aide/aide.db.new.gz for writing

Expected results:

aide should initialize its database and write its log file without complaint.

Additional info:

Comment 1 George C. Wilson 2007-04-18 01:08:05 UTC
Created attachment 152866 [details]
Adds /var/log/aide to spec file.

LSPP-specific aide configuration seems to be done outside the build tree. This
patch is directly against SPECS/aide.spec. Built but not tested.

Comment 2 George C. Wilson 2007-04-18 01:10:12 UTC
Created attachment 152867 [details]
Sets aide log file path to /var/log/aide/aide.log

LSPP-specific aide configuration seems to be done outside the build tree. This
patch is directly against SOURCES/aide.conf. Built but not tested.

Comment 3 George C. Wilson 2007-04-18 01:12:00 UTC
Created attachment 152868 [details]
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts

Built but not tested.

Comment 5 George C. Wilson 2007-04-18 13:22:11 UTC
Created attachment 152901 [details]
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts

Tested previous patch and updated it. aide requires additional TE perms as
well. aide with the above 2 patches seems to work well with this patch.

Comment 6 Steve Grubb 2007-04-18 21:53:57 UTC
aide-0.12-9 was built. I think we still need selinux-policy package built.

Comment 7 Daniel Walsh 2007-04-19 02:35:59 UTC
Fixed in selinux-policy-2.4.6-60

Comment 8 Steve Grubb 2007-04-19 13:20:39 UTC
Ok, looks like we are ready for re-test. Thanks.

Comment 9 George C. Wilson 2007-04-19 20:26:32 UTC
Thanks for making the changes. The aide package looks OK. The -60 policy adds
the file contexts but not the additional TE perms in my 2nd attempt at the
patch. So I still have to add a module with allow aide_t aide_log_t:dir {
add_name write }; to permit aide to create its log file. I think we'll need that
allow rule or an interface that provides the same permissions.
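
Added example, not one of the attachments on this bug: a script that builds and loads a local policy module carrying exactly the allow rule Comment 9 says the -60 policy lacked. It assumes the aide_t and aide_log_t types are already defined by the installed policy, that /var/log/aide(/.*)? is already labeled aide_log_t at SystemHigh by that policy, and that the module name aide_log_local is a placeholder chosen here.

```shell
#!/bin/sh
# Local SELinux module for aide's SystemHigh log directory (added example).
# Assumes aide_t and aide_log_t exist in the loaded policy (both named in the bug).

MODNAME=aide_log_local   # placeholder module name chosen for this example

# Write the type-enforcement source for the local module to the path in $1.
write_aide_log_te() {
    cat > "$1" <<'EOF'
module aide_log_local 1.0;

require {
    type aide_t;
    type aide_log_t;
    class dir { add_name write };
}

# Let aide_t add an entry to (create its log file in) the SystemHigh
# /var/log/aide directory. File-class permissions on aide_log_t are
# assumed to come from the base aide policy (assumption, not from the bug).
allow aide_t aide_log_t:dir { add_name write };
EOF
}

# Compile the .te into a loadable .pp and install it. Run as root on the
# MLS system; -M tells checkmodule to build with MLS support, -m a non-base module.
build_and_load() {
    dir="$1"
    write_aide_log_te "$dir/$MODNAME.te"
    checkmodule -M -m -o "$dir/$MODNAME.mod" "$dir/$MODNAME.te"
    semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod"
    semodule -i "$dir/$MODNAME.pp"
}

# Only attempt the build where the policy toolchain is installed and we are root.
if command -v checkmodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    build_and_load "${TMPDIR:-/tmp}"
fi
```

After loading, re-run `aide --init` and feed /var/log/audit/audit.log to audit2why again: no aide_t denial on aide_log_t:dir should remain, and any remaining constraint violation would point back at the labeling rather than at this rule.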

Comment 10 George C. Wilson 2007-04-21 00:12:52 UTC
This looks good with the 62 policy.

Comment 15 Red Hat Bugzilla 2007-09-04 14:03:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0539.html