| Summary: | SELinux is preventing /sbin/runuser from write access on the key Unknown | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dwalsh, itamar, jeff |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-07 14:30:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I'm going to reassign this to selinux-policy-targeted to get some feedback from the selinux devs. The fix is probably going to need to be in the selinux policy anyway, as the asterisk package doesn't contain any selinux-specific stuff.

I have no problem adding this, although I am not sure what runuser is doing with it.

```
allow logrotate_t self:key manage_key_perms;
```
During the weekly logrotate cron job for asterisk, and using selinux-policy-targeted-3.9.16-30.fc15.noarch, I receive the following AVC. Unfortunately, I am not sure what it is trying to do. This system is in permissive mode.

Raw Audit Messages

```
type=AVC msg=audit(1309681651.349:19653): avc: denied { write } for pid=5899 comm="runuser" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1309681651.349:19653): arch=i386 syscall=keyctl success=yes exit=0 a0=8 a1=fffffffc a2=fffffffd a3=1e4 items=0 ppid=5898 pid=5899 auid=0 uid=496 gid=484 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2058 comm=runuser exe=/sbin/runuser subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
```

Hash: runuser,logrotate_t,logrotate_t,key,write

audit2allow

```
#============= logrotate_t ==============
allow logrotate_t self:key write;
```

audit2allow -R

```
#============= logrotate_t ==============
allow logrotate_t self:key write;
```
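The AVC record alone says only that logrotate_t wanted `write` on a key it owns; the SYSCALL record paired with it (same serial, 19653) carries the keyctl(2) arguments that explain what runuser was doing. The script below is an added example, not part of this bug report or of the selinux-policy package: it parses both records (copied from the report above), decodes the keyctl operation and its keyring arguments using the constants from `<linux/keyctl.h>`, and prints the same rule audit2allow derives. The decode gives `KEYCTL_LINK(KEY_SPEC_USER_KEYRING, KEY_SPEC_SESSION_KEYRING)`, i.e. linking the user keyring into a session keyring, which is the behaviour pam_keyinit(8) documents for a new session; linking into a keyring needs write permission on it, hence the `key` class `write` denial. `success=yes` next to `denied` is the permissive-mode signature. Helper names (`parse_record`, `decode_keyctl`, `allow_rule`, `analyze`) are this example's own.

```python
"""Decode an AVC/SYSCALL pair for a keyctl denial and derive the audit2allow rule.

Added example. The two records are copied from the bug report; the operation and
special-keyring tables are the values from <linux/keyctl.h>.
"""
import re

# Records from the report (one audit event, serial 19653), one record per line.
AVC_LINE = (
    'type=AVC msg=audit(1309681651.349:19653): avc: denied { write } for pid=5899 '
    'comm="runuser" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=key'
)
SYSCALL_LINE = (
    'type=SYSCALL msg=audit(1309681651.349:19653): arch=i386 syscall=keyctl '
    'success=yes exit=0 a0=8 a1=fffffffc a2=fffffffd a3=1e4 items=0 ppid=5898 '
    'pid=5899 auid=0 uid=496 gid=484 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=(none) ses=2058 comm=runuser exe=/sbin/runuser '
    'subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)'
)

# keyctl(2) operation numbers from <linux/keyctl.h> (first argument, a0).
KEYCTL_OPS = {
    0: "KEYCTL_GET_KEYRING_ID", 1: "KEYCTL_JOIN_SESSION_KEYRING", 2: "KEYCTL_UPDATE",
    3: "KEYCTL_REVOKE", 4: "KEYCTL_CHOWN", 5: "KEYCTL_SETPERM", 6: "KEYCTL_DESCRIBE",
    7: "KEYCTL_CLEAR", 8: "KEYCTL_LINK", 9: "KEYCTL_UNLINK", 10: "KEYCTL_SEARCH",
    11: "KEYCTL_READ",
}

# Special keyring ids from <linux/keyctl.h>: negative serials naming the caller's keyrings.
KEY_SPEC = {
    -1: "KEY_SPEC_THREAD_KEYRING", -2: "KEY_SPEC_PROCESS_KEYRING",
    -3: "KEY_SPEC_SESSION_KEYRING", -4: "KEY_SPEC_USER_KEYRING",
    -5: "KEY_SPEC_USER_SESSION_KEYRING", -6: "KEY_SPEC_GROUP_KEYRING",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into its key=value fields (quotes stripped).

    The AVC verdict and permission set are not key=value, so they are stored
    separately under 'verdict' and 'perms'."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _AVC.search(line)
    if m:
        rec["verdict"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def event_id(rec):
    """Serial from msg=audit(TIME:SERIAL); records of one event share it."""
    return re.search(r"audit\([\d.]+:(\d+)\)", rec["msg"]).group(1)


def to_signed32(hexstr):
    """auditd logs syscall args as unsigned hex; keyring ids are signed 32-bit on i386."""
    v = int(hexstr, 16)
    return v - (1 << 32) if v & 0x80000000 else v


def decode_keyctl(rec):
    """Name the keyctl operation and its key/keyring arguments (KEYCTL_LINK layout:
    a1 = key to link, a2 = destination keyring)."""
    op = int(rec["a0"], 16)
    key, keyring = to_signed32(rec["a1"]), to_signed32(rec["a2"])
    return {
        "op": KEYCTL_OPS.get(op, f"keyctl op {op}"),
        "key": KEY_SPEC.get(key, str(key)),
        "keyring": KEY_SPEC.get(keyring, str(keyring)),
    }


def context_type(ctx):
    """user:role:type:range -> type component."""
    return ctx.split(":")[2]


def allow_rule(avc):
    """Emit the rule audit2allow would print for one AVC record; same source and
    target type collapses to 'self', as in the report."""
    src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
    target = "self" if src == tgt else tgt
    return f"allow {src} {target}:{avc['tclass']} {' '.join(avc['perms'])};"


def analyze(avc_line, syscall_line):
    """Pair the two records, derive the rule, and decode the syscall behind it."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if event_id(avc) != event_id(sc):
        raise ValueError("records belong to different audit events")
    return {
        "rule": allow_rule(avc),
        "keyctl": decode_keyctl(sc) if sc.get("syscall") == "keyctl" else None,
        # A denial whose syscall still succeeded means the system was permissive.
        "permissive": avc.get("verdict") == "denied" and sc.get("success") == "yes",
    }


if __name__ == "__main__":
    result = analyze(AVC_LINE, SYSCALL_LINE)
    print(result["rule"])
    print(result["keyctl"])
    print("permissive:", result["permissive"])
```

Run it and the output is `allow logrotate_t self:key write;`, the decoded link of the user keyring into the session keyring, and `permissive: True`. The same pairing on serial works for any AVC whose SYSCALL record is present; for other keyctl operations the a1/a2 meaning differs, so only the op name should be trusted without checking the keyctl(2) signature for that op.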