Bug 703434

Summary: SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the directory /.
Product: [Fedora] Fedora Reporter: Hicham HAOUARI <hicham.haouari>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 14CC: dwalsh, hicham.haouari, mgrepl
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:faa1c1dd0d9d465f5b53076433a687a30812b3a6570697eab8207295e021108d
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-11 18:14:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Hicham HAOUARI 2011-05-10 10:44:01 UTC 
SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the directory /.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow logrotate to have read access on the  directory
Then you need to change the label on /
Do
# semanage fcontext -a -t FILE_TYPE '/'
where FILE_TYPE is one of the following: logrotate_t, varnishlog_log_t, sysctl_crypto_t, var_lock_t, bin_t, cert_t, tmp_t, usr_t, user_home_dir_t, abrt_t, lib_t, logrotate_var_lib_t, root_t, usr_t, device_t, devpts_t, locale_t, logrotate_tmp_t, etc_t, logfile, pidfile, proc_t, device_t, named_cache_t, etc_t, httpd_config_t, acct_data_t, textrel_shlib_t, security_t, munin_etc_t, var_spool_t, mysqld_etc_t, var_lib_t, domain, var_run_t, abrt_var_cache_t, var_log_t, net_conf_t, inotifyfs_t, sysctl_kernel_t, mailman_log_t, nscd_var_run_t. 
Then execute: 
restorecon -v '/'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that logrotate should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mnt_t:s0
Target Objects                / [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           logrotate-3.7.9-2.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.i686
                              #1 SMP Mon Feb 7 07:04:18 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Mon 04 Apr 2011 01:12:02 PM WEST
Last Seen                     Tue 10 May 2011 11:42:03 AM WEST
Local ID                      dd04286f-5e27-41b4-bb28-0818635275c4

Raw Audit Messages
type=AVC msg=audit(1305024123.564:22215): avc:  denied  { read } for  pid=18870 comm="logrotate" name="/" dev=sda1 ino=2 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir


type=SYSCALL msg=audit(1305024123.564:22215): arch=i386 syscall=open success=no exit=EACCES a0=8052ea2 a1=8000 a2=0 a3=a items=0 ppid=18868 pid=18870 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,mnt_t,dir,read

audit2allow

#============= logrotate_t ==============
allow logrotate_t mnt_t:dir read;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t mnt_t:dir read;
Comment 1 Miroslav Grepl 2011-05-11 08:17:17 UTC 

*** This bug has been marked as a duplicate of bug 703437 ***
Comment 2 Hicham HAOUARI 2011-07-08 19:21:43 UTC 
Still having that avc with : selinux-policy-3.9.7-42.fc14.noarch





SELinux is preventing /usr/sbin/logrotate from read access on the directory /.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow logrotate to have read access on the  directory
Then you need to change the label on /
Do
# semanage fcontext -a -t FILE_TYPE '/'
where FILE_TYPE is one of the following: sysctl_kernel_t, sysctl_crypto_t, mailman_log_t, logrotate_t, abrt_t, lib_t, root_t, varnishlog_log_t, usr_t, var_lock_t, device_t, bin_t, cert_t, etc_t, tmp_t, usr_t, user_home_dir_t, logrotate_var_lib_t, textrel_shlib_t, device_t, devpts_t, locale_t, logrotate_tmp_t, etc_t, logfile, pidfile, proc_t, named_cache_t, httpd_config_t, acct_data_t, var_run_t, security_t, munin_etc_t, var_spool_t, mysqld_etc_t, var_lib_t, domain, abrt_var_cache_t, var_log_t, net_conf_t, inotifyfs_t, nscd_var_run_t. 
Then execute: 
restorecon -v '/'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that logrotate should be allowed read access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mnt_t:s0
Target Objects                / [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           logrotate-3.7.9-2.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.9.7-42.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.35.13-92.fc14.i686
                              #1 SMP Sat May 21 17:39:42 UTC 2011 i686 i686
Alert Count                   4
First Seen                    Wed 22 Jun 2011 03:20:02 PM WEST
Last Seen                     Fri 08 Jul 2011 08:17:02 PM WEST
Local ID                      10d08932-839c-4598-a0be-e04ea2eea2a4

Raw Audit Messages
type=AVC msg=audit(1310152622.164:43): avc:  denied  { read } for  pid=3471 comm="logrotate" name="/" dev=sda1 ino=2 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir


type=SYSCALL msg=audit(1310152622.164:43): arch=i386 syscall=open success=no exit=EACCES a0=8052ea2 a1=8000 a2=0 a3=a items=0 ppid=3469 pid=3471 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,mnt_t,dir,read

audit2allow

#============= logrotate_t ==============
allow logrotate_t mnt_t:dir read;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t mnt_t:dir read;
Comment 3 Hicham HAOUARI 2011-07-11 13:54:29 UTC 
@Miroslav Grepl :

Any comment ?
Comment 4 Daniel Walsh 2011-07-11 18:14:09 UTC 
Hicham, please reopen the original bug not this one.

*** This bug has been marked as a duplicate of bug 703437 ***