Bug 475067
| Summary | logrotate and squid | | |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Ignacio Vazquez-Abrams <ivazqueznet> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | low | | |
| Version | 10 | CC | dwalsh, goeran, jkubin, mgrepl, vchepkov |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2009-05-25 11:29:57 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Ignacio Vazquez-Abrams
2008-12-07 09:09:14 UTC
You can allow this for now.

    # audit2allow -M mypol -l -i /var/log/audit/audit.log
    # semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-33.fc10

Created attachment 328158 [details]
another denial, this time failing to read squid.conf in logrotate context

I'm seeing a similar denial with selinux-policy-3.5.13-34.fc10.noarch.

This time it looks like squid is trying to read its squid.conf file while running in the logrotate security context.

Running restorecon -v /etc/squid/squid.conf does not report any change.
Miroslav, F10 should revert policy back to

    optional_policy(`
        squid_domtrans(logrotate_t)
    ')

As a workaround I added a "rotate" function in the /etc/rc.d/init.d/squid script, and call it from logrotate instead.

Fixed in selinux-policy-3.5.13-39.fc10.noarch

Vadym, doesn't /etc/rc.d/init.d/squid reload work? Or does it need something different?

reload executes 'squid -k reconfigure' which causes SIGHUP to be sent. squid -k rotate sends SIGUSR1. I haven't checked the code, but I assume it's different, otherwise why have two options?

Ok, sounds reasonable. Might want to submit a patch to the squid package.

I still got this AVC:

    type=AVC msg=audit(1232269357.369:137956): avc: denied { read } for pid=9330 comm="squid" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

Miroslav, add fs_list_inotify(squid_t) to F10 policy.

Vadym, you can add these rules for now using

    # grep avc /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-40.fc10.noarch

This is working fine for me. Does that mean I could close this bug, or is that supposed to be done by the reporter? https://fedoraproject.org/wiki/BugZappers/BugStatusWorkFlow isn't quite clear, at least not to me.

If you verify the bug is fixed, you can close it. If the Reporter does not agree he can reopen it.

Thanks for confirming.
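The thread handles its two denials in different ways: the inotify denial is fixed by granting squid_t the missing permission (fs_list_inotify(squid_t)), while the squid.conf denial is fixed by restoring the domain transition (squid_domtrans(logrotate_t)), not by letting logrotate_t read squid's configuration. Feeding the second denial to audit2allow would produce exactly that wrong allow rule, because audit2allow only sees the source type in the record. The script below is an added example written for this page, not code from the bug, from Fedora or from the selinux-policy package. It parses AVC records into the allow rule audit2allow would emit, but first checks whether the denied process (comm) is running in the domain it is expected to run in; a mismatch is reported as a missing transition and kept out of the generated module. The EXPECTED_DOMAIN map, the names Denial, parse_denials, classify, allow_rule and to_te_module, and the second log line (a constructed stand-in for the squid.conf-in-logrotate_t denial, which the page does not reproduce verbatim) are assumptions; the first log line is the denial quoted in the bug.

```python
"""Turn AVC denials into SELinux allow rules, and flag the ones that should not become allows."""
import re
from dataclasses import dataclass

# Constructed sample log. Line 1 is the inotify denial quoted in the bug (spacing
# normalised to the usual audit layout); line 2 is an assumed denial of the kind the
# thread describes, squid reading squid.conf while still running as logrotate_t,
# which the page does not reproduce verbatim; line 3 is a non-AVC record to show
# that it is ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1232269357.369:137956): avc:  denied  { read } for  pid=9330 comm="squid" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1228640000.000:100): avc:  denied  { read } for  pid=4242 comm="squid" name="squid.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:squid_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1232269357.369:137956): arch=c000003e syscall=2 success=no exit=-13 comm="squid"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Which domain each program is expected to run in. Assumed for this example; a
# real check would query the loaded policy (e.g. with seinfo) instead of a hand map.
EXPECTED_DOMAIN = {"squid": "squid_t", "logrotate": "logrotate_t"}


@dataclass(frozen=True)
class Denial:
    comm: str
    sdomain: str      # type component of scontext, e.g. squid_t
    ttype: str        # type component of tcontext, e.g. inotifyfs_t
    tclass: str
    perms: tuple


def _type_of(context):
    # user:role:type[:range] -> type
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one Denial per AVC 'denied' record; other audit records are skipped."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        out.append(Denial(
            comm=m["comm"],
            sdomain=_type_of(m["scontext"]),
            ttype=_type_of(m["tcontext"]),
            tclass=m["tclass"],
            perms=tuple(m["perms"].split()),
        ))
    return out


def classify(d):
    """'allow' when the process's own domain merely lacks a permission;
    'missing-transition' when a known program is running in some other domain."""
    expected = EXPECTED_DOMAIN.get(d.comm)
    if expected is not None and d.sdomain != expected:
        return "missing-transition"
    return "allow"


def allow_rule(d):
    """The rule audit2allow would generate for this record."""
    return f"allow {d.sdomain} {d.ttype}:{d.tclass} {{ {' '.join(d.perms)} }};"


def to_te_module(name, denials):
    """Build a .te source like 'audit2allow -M name' would, but only for denials that
    classify as 'allow'; a missing-transition denial becomes a comment pointing at
    the domain-transition fix instead of an allow rule for the wrong domain."""
    allows, notes, types, classes = [], [], set(), {}
    for d in denials:
        if classify(d) == "missing-transition":
            notes.append(f"# {d.comm} ran as {d.sdomain} (expected {EXPECTED_DOMAIN[d.comm]}): "
                         f"fix the domain transition, e.g. {d.comm}_domtrans({d.sdomain}), "
                         f"instead of granting {d.sdomain} {d.ttype}:{d.tclass} {{ {' '.join(d.perms)} }}")
            continue
        allows.append(allow_rule(d))
        types.update((d.sdomain, d.ttype))
        classes.setdefault(d.tclass, set()).update(d.perms)
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines = [f"module {name} 1.0;", "", "require {", *req, "}", "", *allows, *notes]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_te_module("mypol", parse_denials(SAMPLE_AUDIT_LOG)))
```

Run stand-alone it prints a mypol.te containing only the inotifyfs rule for squid_t, with the squid.conf denial reduced to a comment naming squid_domtrans(logrotate_t). The .te can be built and loaded the same way audit2allow -M output is (checkmodule -M -m, semodule_package, semodule -i); the point of the classification step is that a denial whose comm and scontext disagree is a policy bug to report, as in this thread, rather than a permission to hand out locally.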