Bug 427274

Summary: logrotate fails to preserve SELinux file contexts
Product: [Fedora] Fedora Reporter: Paul Howarth <paul>
Component: logrotateAssignee: Tomas Smetana <tsmetana>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8CC: acmaeey, arnaud.mombrial, ben, pekkas
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 3.7.6-2.1.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-15 22:52:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Howarth 2008-01-02 18:16:30 UTC 
Description of problem:
The empty log files created after a logrotate run have (at least in /var/log)
the default context var_log_t rather than any specific file context that might
be required, e.g. faillog_t for /var/log/btmp, rpm_log_t for /var/log/rpmpkgs.

Version-Release number of selected component (if applicable):
logrotate-3.7.6-1.3.fc8

How reproducible:
Easy

Steps to Reproduce:
1. Install Fedora 8 with a default config
2. Wait for logrotate to do its stuff
3. See the SELinux denials that result, e.g.

type=AVC msg=audit(1199231495.982:35629): avc:  denied  { append } for 
pid=30802 comm="sshd" name="btmp" dev=dm-3 ino=1212485
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file
Comment 1 Ben Webb 2008-01-03 00:09:15 UTC 
Same problem on my systems (also F8, i386 and x86_64). Looks also like bug
#427150 is the same issue.
Comment 2 Tomas Smetana 2008-01-03 08:33:45 UTC 
I have examined the files on my desktop and they happen to have also wrong
contexts.  I see no AVC messages though...  Thanks for reporting.
Comment 3 Paul Howarth 2008-01-03 08:48:53 UTC 
(In reply to comment #2)
> I have examined the files on my desktop and they happen to have also wrong
> contexts.  I see no AVC messages though...  Thanks for reporting.

Your desktop probably doesn't have an Internet-accessible ssh daemon getting
pounded by script kiddies and generating login failures, hence no AVCs.
Comment 4 Daniel Walsh 2008-01-03 15:19:46 UTC 
*** Bug 427150 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2008-01-11 22:04:01 UTC 
logrotate-3.7.6-2.1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update logrotate'
Comment 6 Tomas Smetana 2008-01-15 06:52:52 UTC 
*** Bug 428500 has been marked as a duplicate of this bug. ***
Comment 7 Fedora Update System 2008-01-15 22:52:19 UTC 
logrotate-3.7.6-2.1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.