Bug 447816
| Summary: | avc: denied { getattr } for comm="logrotate" path="/var/log/rpmpkgs" | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | rpm | Assignee: | Panu Matilainen <pmatilai> |
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 10 | CC: | jnovy, pmatilai, pnasrat, poelstra |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-12-18 19:06:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This bug has been triaged I can't reproduce this with selinux-policy-targeted-3.5.10-3.fc10.noarch Are you still seeing it? This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping There *was* a problem with the temp file being generated to /tmp and then moved to place. The temporary output file has been generated directly into /var/log to ensure correct context since late 2007 however... |
Description of problem: Interestingly, I'm seeing the following since selinux-policy-targeted-3.3.1-51, as far as I can remember. type=AVC msg=audit(1211166611.444:2946): avc: denied { getattr } for pid=15432 comm="logrotate" path="/var/log/rpmpkgs" dev=cciss/c0d0p2 ino=16 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file type=SYSCALL msg=audit(1211166611.444:2946): arch=40000003 syscall=196 success=yes exit=0 a0=82bed98 a1=bfc4b15c a2=2b8ff4 a3=82bf2e0 items=0 ppid=15430 pid=15432 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=496 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1211166611.446:2947): avc: denied { getattr } for pid=15432 comm="logrotate" path="/var/log/rpmpkgs" dev=cciss/c0d0p2 ino=16 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file type=SYSCALL msg=audit(1211166611.446:2947): arch=40000003 syscall=195 success=yes exit=0 a0=82bedb0 a1=bfc4bb40 a2=2b8ff4 a3=bfc4bb40 items=0 ppid=15430 pid=15432 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=496 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-51 How reproducible: Just execute /etc/cron.daily/rpm or wait until it is executed. Problem is IMHO the "/bin/mv "$tmpfile" /var/log/rpmpkgs". Either cat'ing the temporary file to there or conditional use of restorecon in the script, I would say. Actual results: AVC denied. Expected results: No AVC denied.