Bug 334401

Summary: SELinux policyII
Product: [Fedora] Fedora
Reporter: Zdenek Kabelac <zkabelac>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 8
CC: rh-bugzilla
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-23 16:01:13 UTC

Description Zdenek Kabelac 2007-10-16 14:34:30 UTC
Description of problem:


Another part of my setroubleshoot log

SELinux is preventing tmpwatch (tmpreaper_t) "read" to (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages:
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 3
First Seen: Pá 12. říjen 2007, 10:45:45 CEST
Last Seen: Út 16. říjen 2007, 11:28:52 CEST
Local ID: 2eddd4bc-5c9b-463b-81f2-341990ecfd43
Line Numbers:
Raw Audit Messages:
avc: denied { read } for comm=tmpwatch dev=sda2 name=kismet pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0

----------------------------------------------------
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: /var/log [ dir ]
Affected RPM Packages: tmpwatch-2.9.11-1 [application] filesystem-2.4.11-1.fc8 [target]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 5
First Seen: Čt 11. říjen 2007, 20:19:38 CEST
Last Seen: Út 16. říjen 2007, 11:28:52 CEST
Local ID: bdc377b3-3f56-427e-91c6-598954a23c68
Line Numbers:
Raw Audit Messages:
avc: denied { getattr } for comm=tmpwatch dev=sda2 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/var/log pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

-----------------------------------
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "setattr" to (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: tmpwatch-2.9.11-1 [application]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 4
First Seen: Čt 11. říjen 2007, 20:19:38 CEST
Last Seen: Út 16. říjen 2007, 11:28:52 CEST
Local ID: 1a80e5cd-ac19-4430-b851-837ee5b21ab0
Line Numbers:
Raw Audit Messages:
avc: denied { setattr } for comm=tmpwatch dev=sda2 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=kismet pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

----------------------------------------

Summary
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "search" to (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: tmpwatch-2.9.11-1 [application]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-5.fc8 #1 SMP Wed Oct 10 19:25:16 EDT 2007 x86_64 x86_64
Alert Count: 3
First Seen: Pá 12. říjen 2007, 10:45:45 CEST
Last Seen: Po 15. říjen 2007, 10:42:47 CEST
Local ID: 6e07d6fc-aecb-4d0c-99ed-136ace7e5c6d
Line Numbers:
Raw Audit Messages:
avc: denied { search } for comm=tmpwatch dev=sda2 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=log pid=20441 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

------------------------------------









Comment 1 Daniel Walsh 2007-10-17 03:06:25 UTC
Why is tmpreaper reading /var/log?

Is this normal behavior?

Comment 2 Zdenek Kabelac 2007-10-17 08:12:37 UTC
Hi

With Tomas Mraz we have probably concluded it might eventually be a result of the
package 'kismet' - though I'm not sure as I'm not yet skilled enough in
SELinux - just reporting policy errors I can see.

Comment 3 Daniel Walsh 2007-10-17 18:08:54 UTC
How come this is using tmpwatch and not logwatch to watch log files?

Comment 4 Enrico Scholz 2007-10-17 19:36:50 UTC
[I assume you mean 'logrotate' but not 'logwatch']

kismet creates a new logfile set per session; rotating does not make sense there
because this would rename files only but would not clean them up.

Comment 5 Daniel Walsh 2007-10-18 13:17:50 UTC
In that case why not /var/run/kismet?

We can add a label to the directory that kismet creates the log files in to
allow tmpreaper to remove them.  But I want to make sure that is the right thing
to do.  I would also like to get policy on kismet, period.

Especially since it claims to be a security package and it is potentially
vulnerable to random network packets that it is collecting.


Comment 6 Zdenek Kabelac 2007-10-18 13:49:54 UTC
Hmm, as I can see now in my log from today - I got that one again - however now I'm
not sure what I was running at this time :(
But it is possible it is somehow connected with 'yum update'
btw my yum.log-20071015 has the time 10:36
here is the message:

SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: /var/log [ dir ]
Affected RPM Packages: filesystem-2.4.11-1.fc8 [target]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 1
First Seen: Čt 18. říjen 2007, 10:22:18 CEST
Last Seen: Čt 18. říjen 2007, 10:22:18 CEST
Local ID: cfae21d2-8501-475a-b24c-a42f28ac70b0
Line Numbers:
Raw Audit Messages:
avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=4260 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0

btw I've some more messages for my vmware running with my localhost nfs.
I'll make another report.


Comment 7 Enrico Scholz 2007-10-18 14:39:36 UTC
kismet creates logfiles which might be of interest after a reboot (which
empties /var/run). Hence, /var/log/kismet seems to be a perfect choice for the logs.

There should not be much difference for SELinux: just put the named label to
/var/log/kismet instead of /var/run/kismet.

Comment 8 Daniel Walsh 2007-10-18 20:36:14 UTC
Ok I added kismet policy.  It will need some work.

Please test it out and report back the avc's

selinux-policy-3.0.8-25
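
Added example (not part of the bug thread and not code from selinux-policy or setroubleshoot): a small parser that groups the AVC denials reported in the description by source type, target type and object class, and renders the access they add up to as an allow rule, the way a triager would before deciding between a broad rule and a dedicated label. The function names are illustrative, and the records are the page's own AVC lines trimmed to the fields the parser uses.

```python
import re
from collections import defaultdict

# AVC records taken from the description of this bug, trimmed to the
# fields used below; the contexts are identical in every record.
CTX = ("scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir "
       "tcontext=system_u:object_r:var_log_t:s0")
AVC_LINES = [
    "avc: denied { read } for comm=tmpwatch dev=sda2 name=kismet pid=16519 " + CTX,
    "avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=16519 " + CTX,
    "avc: denied { setattr } for comm=tmpwatch dev=sda2 name=kismet pid=16519 " + CTX,
    "avc: denied { search } for comm=tmpwatch dev=sda2 name=log pid=20441 " + CTX,
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return (permissions, key=value fields) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return m.group(1).split(), fields

def selinux_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def summarize(lines):
    """Group denied permissions and objects by (source, target, class)."""
    perms, objects = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC denial record
        denied, f = parsed
        key = (selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])
        perms[key].update(denied)
        objects[key].add(f.get("path") or f.get("name", "?"))
    return perms, objects

def as_allow_rules(perms):
    """Render the grouped denials as the allow rules they correspond to."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    perms, objects = summarize(AVC_LINES)
    print("\n".join(as_allow_rules(perms)), dict(objects))
```

All four denials collapse into one rule on var_log_t directories, which would apply to every directory carrying that type and not only to the kismet one; that is the trade-off behind the dedicated label discussed in comments 5 and 7.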