Bug 438184
Summary: | SELinux is preventing sendmail (system_mail_t) "append" to /var/rkhunter/tmp/rkhcronlog.wSLuzk5001 (var_t). | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | long |
Component: | rkhunter | Assignee: | Kevin Fenzi <kevin> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 8 | CC: | devrim, dwalsh, jkubin, tamaster |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-04-29 12:55:16 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
long
2008-03-19 16:13:07 UTC
Please put log files in a reasonable location like /var/log/rkhunter/ This is simple redirection of sendmail and will not prevent anything from working. rkhunter uses /var/rkhunter/tmp/ for all it's temp files... including this file which is part of it's email it's constructing for it's nightly cron job. It already puts it's log in /var/log/rkhunter.log I can change both or either of those if need be, but can't selinux handle the current setup? Note that rkhunter docs say never to use /tmp as your temp dir as that will leak information about a running rkhunter process. Thoughts? Ideas? Questions? Expansion of the comments in Comment #1? Well SELinux can handle this path, But it is an unusual path and not standard. /var/run/rkhunter should be a place for tmp files and any files that you do not care if they survice a reboot. /var/log/rkhunter for log files. /var/lib/rkhunter for files that rkhunter needs to write to and keep (Not temporary). This is the way almost every service application is coded. Then we can talk about writing SELinux policy for rkhunter. All very solid suggestions. I have made a first attempt at moving things around in the just tagged and built version: rkhunter-1.3.2-2.fc9 Dan: Can you check this version and see if there is any further improvement/changes I can make to make this app more selinux friendly? Thanks. Hey Dan. Have you had a chance to look over the current package? Anything I can do to modify the package to get it selinux friendly? Let me know... Well system_mail_t is allowed to append to log files so this problem should be fixed. I just installed the Fedora 9 package on my machine, and will watch for avc's. We looked into confining this application but it is way to intrusive to be confinable. :^) rkhunter-1.3.2-3.fc8 has been submitted as an update for Fedora 8 rkhunter-1.3.2-3.fc7 has been submitted as an update for Fedora 7 rkhunter-1.3.2-3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. rkhunter-1.3.2-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. |