Bug 334401
| Summary: | SELinux policyII | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Zdenek Kabelac <zkabelac> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Priority: | low |
| Version: | 8 | CC: | rh-bugzilla |
| Hardware: | x86_64 | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2007-10-23 16:01:13 UTC |
Description
Zdenek Kabelac
2007-10-16 14:34:30 UTC
Why is tmpreaper reading /var/log? Is this normal behavior?

Hi, with Tomas Mraz we have probably concluded it might be eventually result of the package 'kismet' - though I'm not sure as I'm not yet skilled enough in selinux - just reporting policy errors I can see.

How come this is using tmpwatch and not logwatch to watch log files?

[I assume you mean 'logrotate' but not 'logwatch'] kismet creates a new logfile set per session; rotating does not make sense there because this would rename files only but would not clean them up.

In that case why not /var/run/kismet? We can add a label to the directory that kismet creates the log files in to allow tmpreaper to remove them. But I want to make sure that is the right thing to do. I would also like to get policy on kismet period. Especially since it claims to be a security package and it is potentially vulnerable to random network packets that it is collecting.

Hmm as I can see now in my today's log - I got that one again - however now I'm not sure what I was running at this time :( But it is possible it is somehow connected with 'yum update' btw my yum.log-20071015 has the time 10:36. Here is the message:

    SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).

    Source Context: system_u:system_r:tmpreaper_t:s0
    Target Context: system_u:object_r:var_log_t:s0
    Target Objects: /var/log [ dir ]
    Affected RPM Packages: filesystem-2.4.11-1.fc8 [target]
    Policy RPM: selinux-policy-3.0.8-22.fc8
    Selinux Enabled: True
    Policy Type: targeted
    MLS Enabled: True
    Enforcing Mode: Permissive
    Plugin Name: plugins.catchall_file
    Host Name: dhcp-lab-228.englab.brq.redhat.com
    Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
    Alert Count: 1
    First Seen: Čt 18. říjen 2007, 10:22:18 CEST
    Last Seen: Čt 18. říjen 2007, 10:22:18 CEST
    Local ID: cfae21d2-8501-475a-b24c-a42f28ac70b0
    Line Numbers:

    Raw Audit Messages:

    avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=4260 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0

btw I've some more messages for my vmware running with my localhost nfs. I'll make another report.

kismet creates logfiles which might be for interest after a reboot (which empties /var/run). Hence, /var/log/kismet seems to be a perfect choice for the logs. There should not be much difference for SELinux: just put the named label to /var/log/kismet instead of /var/run/kismet.

Ok I added kismet policy. It will need some work. Please test it out and report back the avc's

selinux-policy-3.0.8-25
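
When reporting AVCs back on a bug like this one, it helps to reduce the raw records to the source type, target type, class and permissions they involve. The following is an added example, not part of the original report and not the selinux-policy project's code: a small parser that turns AVC denial lines into candidate type-enforcement rules. The first sample record is the one quoted in the thread; the other sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the AVC record from the report above. Lines 2-3 are constructed for
# this example (quoted values, extra permissions, and a non-AVC line to skip).
SAMPLE = """\
avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=4260 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0
avc: denied { read search } for comm="tmpwatch" name="log" dev=sda2 pid=4261 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
kernel: constructed unrelated line
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: refuse to guess the missing parts
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]

def candidate_rules(text):
    """Merge denials by (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
            grouped[key].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

A rule produced this way is only a summary of what was denied, not a recommendation to grant it: in this thread the preferred fix was a dedicated label on the kismet log directory rather than broader tmpreaper_t access to var_log_t.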