Bug 477860

Summary: Wrong selinux label for xferlog and rpmpkgs gzipped files
Product: Fedora
Component: logrotate
Reporter: Gianluca Varisco <gvarisco>
Assignee: Daniel Novotny <dnovotny>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Version: 10
CC: dnovotny, dwalsh, jkubin, mgrepl, nobody, tsmetana
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-31 12:31:23 UTC

Description Gianluca Varisco 2008-12-24 12:09:07 UTC
Description of problem:

I executed sectool L3 tests and it reported these warnings:

+--------------------+
Warning: Mislabeled regular file '/var/log/xferlog-20081222.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:xferlog_t:s0'.

Warning: Mislabeled regular file '/var/log/xferlog-20081223.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:xferlog_t:s0'.

Warning: Mislabeled regular file '/var/log/xferlog-20081224.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:xferlog_t:s0'.

Warning: Mislabeled regular file '/var/log/rpmpkgs-20081221.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:cron_log_t:s0'.
+--------------------+

Wouldn't it be better to have all these gzipped files (generated by logrotate) labeled as 'system_u:object_r:xferlog_t' (xferlog) and 'system_u:object_r:cron_log_t' (rpmpkgs)?


Version-Release number of selected component (if applicable):

selinux-policy-3.5.13-34.fc10.noarch
sectool-0.9.1-3.i386

Comment 1 Daniel Walsh 2008-12-27 11:59:38 UTC
Actually the labeling might be wrong on these files, since the confined domains really should not be able to write to these compressed files any longer; they should be just labeled var_log_t. But then again, perhaps this would allow a confined domain to read these files where before they were not allowed. How do you get logrotate to create these compressed files?


We probably need to make logrotate SELinux aware to get the behaviour you suggest. It would need to call matchpathcon and find out the proper label of the file it is creating, and then create the file with the right context.

Comment 2 Gianluca Varisco 2008-12-28 10:02:31 UTC
(In reply to comment #1)
> Actually the labeling might be wrong on these files, since the confined domains
> really should not be able to write to these compressed files any longer; they
> should be just labeled var_log_t. But then again, perhaps this would allow a
> confined domain to read these files where before they were not allowed. How do
> you get logrotate to create these compressed files?
> 

There is /etc/logrotate.d/proftpd owned by proftpd-1.3.1-6.fc10 that contains these lines:

+-------------------------------------------+
/var/log/proftpd.log /var/log/xferlog {
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        test -f /var/lock/subsys/proftpd && /usr/bin/killall -HUP proftpd || :
    endscript
}
+-------------------------------------------+

> We probably need to make logrotate SELinux aware to get the behaviour you
> suggest. It would need to call matchpathcon and find out the proper label of
> the file it is creating, and then create the file with the right context.

Yeah, that could be the best solution right now. Let me know if you need me to attach any other config file here or test something.

Comment 3 Gianluca Varisco 2008-12-28 10:06:31 UTC
/etc/logrotate.d/rpm is instead owned by rpm-4.6.0-0.rc1.8 and contains:

+------------------------------------------------+
/var/log/rpmpkgs {
    weekly
    notifempty
    missingok
}
+------------------------------------------------+

Comment 4 Daniel Walsh 2009-01-04 17:34:09 UTC
logrotate should be maintaining the file context on the files that it rotates and compresses.
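The check that comment 1 and comment 4 describe, as an added illustration that is not part of this bug report or of logrotate: a minimal matchpathcon-style lookup over a constructed file_contexts fragment (the three entries are an assumption about the policy's shape, not copied from selinux-policy), applied to constructed 'ls -Z' lines to produce the same warnings sectool reported. The name audit_ls_z and the sample data are constructed for this example.

```python
import re

# Constructed fragment in file_contexts(5) syntax: regex, optional type flag, context.
FILE_CONTEXTS = """\
/var/log(/.*)?           system_u:object_r:var_log_t:s0
/var/log/xferlog.*       system_u:object_r:xferlog_t:s0
/var/log/rpmpkgs.*   --  system_u:object_r:cron_log_t:s0
"""

def parse_file_contexts(text):
    """Parse 'regex [type] context' lines; anchor each regex at both ends like libselinux."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, ftype, ctx = parts if len(parts) == 3 else (parts[0], None, parts[1])
        specs.append((re.compile(regex + "$"), ftype, ctx))
    return specs

def matchpathcon(specs, path, ftype="--"):
    """Mimic matchpathcon(3): of all specs matching path (and type flag), the last one wins."""
    found = None
    for regex, spec_type, ctx in specs:
        if spec_type in (None, ftype) and regex.match(path):
            found = ctx
    return found

# Lines in the form shown in comment 8: mode user group context name.
LS_Z = re.compile(r"^(\S+)\s+\S+\s+\S+\s+(\S+:\S+:\S+:\S+)\s+(\S+)$")

def audit_ls_z(lines, specs, directory):
    """Compare regular files from 'ls -Z' style output with the policy; return sectool-style warnings."""
    warnings = []
    for line in lines:
        m = LS_Z.match(line.strip())
        if not m or not m.group(1).startswith("-"):   # only regular files
            continue
        path, actual = f"{directory}/{m.group(3)}", m.group(2)
        expected = matchpathcon(specs, path)
        if expected and expected != actual:
            warnings.append(f"Mislabeled regular file '{path}' found. "
                            f"Labeled as '{actual}', should be '{expected}'.")
    return warnings

# Constructed listing reproducing the state reported in the description.
SAMPLE_LS_Z = [
    "-rw-r-----  root  root  system_u:object_r:var_log_t:s0  proftpd.log",
    "-rw-r--r--  root  root  system_u:object_r:xferlog_t:s0  xferlog",
    "-rw-r--r--  root  root  system_u:object_r:var_log_t:s0  xferlog-20081222.gz",
    "-rw-r--r--  root  root  system_u:object_r:var_log_t:s0  rpmpkgs-20081221.gz",
]
```

Calling audit_ls_z(SAMPLE_LS_Z, parse_file_contexts(FILE_CONTEXTS), "/var/log") yields the two warnings for the .gz files and none for the correctly labeled proftpd.log and xferlog; on a real host the policy lookup is what logrotate would have to consult before creating the compressed file.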

Comment 5 Daniel Novotny 2009-02-24 13:24:27 UTC
Hello Gianluca, I am not able to reproduce the problem: I installed proftpd and created /var/log/xferlog, but the gzipped files from running logrotate have the proper xferlog_t context... Is there a simple way to reproduce the bug?

Comment 6 Gianluca Varisco 2009-03-08 21:21:42 UTC
Hi Daniel,

I'll try to reproduce the problem in a new F10 system and will let you know the results.

Comment 7 Daniel Novotny 2009-03-27 13:32:39 UTC
Hello Gianluca,
Bump: is this still a problem now, using the latest selinux-policy update?

Comment 8 Gianluca Varisco 2009-03-31 12:22:25 UTC
Daniel,

It seems OK now! Compressed files now all have the same file context.

-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log
-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log-20090329.gz
-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log-20090330.gz
-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log-20090331.gz

-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs
-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs-20090315.gz
-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs-20090322.gz
-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs-20090329.gz


-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog
-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog-20090329.gz
-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog-20090330.gz
-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog-20090331.gz

Thanks for your prompt help! ;-)

Comment 9 Daniel Novotny 2009-03-31 12:31:23 UTC
OK, thanks for your report, closing.