Bug 728405
| Summary: | Can't rotate audit logs with logrotate | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robin Powell <rlpowell> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl, notting, sgrubb |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.9.16-48.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-04 02:33:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Robin Powell
2011-08-05 02:12:18 UTC
Not sure if we want allow this by default for logrotate. That is fine, but it is not something we want to add to policy. I figured there was a chance of that, but that you might want to make it optional somehow (a boolean?). If not, I'll bug the auditd people, because I find the current state pretty lame. -Robin Reassigning to audit. We could allow this but there is problems in that the audit log is covered by Government standards about how it can be handled. I will let them say whether or not they want to allow this. Let me clarify, then: there are two options here; one is to do the logrotate thing, but the other is to have auditd itself rotate in a time-based fashion rather than a size-based one. I assume the latter would be within the scope of the standards?, but more work. And all of this is just me whining :), because having the log files I'm watching go away at random times is really confusing; if it doesn't work for y'all, I'll certainly drop it. It's a nice-to-have for me, is all. -Robin If you are using logrotate, you must have it issue "service auditd rotate". Then you are free to grab and move logs. I think several people have this working on the linux-audit mail list. *Ooooooh*. That's a very different way entirely. I just added this to cron for testing: * * * * * /sbin/service auditd rotate And it works, but reports an irrelevant error about not being able to open /dev/stderr, which can be fixed like this: allow initrc_t crond_t:fifo_file open; That's entirely workable; thank you very much. Passing this back to selinux-policy, as I believe that selinux change to be a tiny tweak and not contentious. -Robin Why would initrc_t be opening a fifo_file from crond_t? You and your perfectly reasonable questions! :) Here's two emails, with and without the change; I think they completely answer the question, except for the "why is service trying to open /dev/stderr?" part, to which I do not know the answer. Date: Wed, 10 Aug 2011 04:04:02 -0700 From: Cron Daemon <root.org> To: postmaster Subject: Cron <root@morji> /sbin/service auditd rotate Rotating logs: [ OK ] Date: Wed, 10 Aug 2011 04:04:02 -0700 From: Cron Daemon <root.org> To: postmaster Subject: Cron <root@vrici> /sbin/service auditd rotate /etc/init.d/functions: line 58: /dev/stderr: Permission denied Rotating logs: ^[[60G[ OK ] Note that everything works fine in both cases. -Robin
if [ -z "${CONSOLETYPE:-}" ]; then
if [ -r "/dev/stderr" ]; then
CONSOLETYPE="$(/sbin/consoletype < /dev/stderr 2>/dev/null)"
else
CONSOLETYPE="$(/sbin/consoletype 2>/dev/null)"
fi
fi
Any idea what is going on here? I would figure you would redirect /dev/null?
CONSOLETYPE="$(/sbin/consoletype < /dev/null 2>/dev/null)"
consoletype reads its stdin to determine what sort of console is attached. However, this code controls what sort of things we *output* to the terminal, so it reads from /dev/stderr to determine what console type that is. Miroslav lets add optional_policy(` cron_read_pipes(initrc_t) ') (In reply to comment #12) > Miroslav lets add > > optional_policy(` > cron_read_pipes(initrc_t) > ') Fixed in F15 policy. I'm not seeing this fix as of 3.9.16-37.fc15 ; should I be? -Robin Fixed in selinux-policy-3.9.16-39.fc15 selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15 Package selinux-policy-3.9.16-39.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15 then log in and leave karma (feedback). This is still broken in the same way as https://bugzilla.redhat.com/show_bug.cgi?id=736225 : it works until I disable or remove unconfined. -Robin selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. As I said just above, this isn't fixed in 39. It *does* appear to be fixed in version 41, however. -Robin selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15 Package selinux-policy-3.9.16-48.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15 then log in and leave karma (feedback). selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |