| Summary: | SELinux is preventing logcheck from writing in /var/lib/logcheck | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matthias Runge <mrunge> |
| Component: | logcheck | Assignee: | Matthias Runge <mrunge> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl, mrunge |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | logcheck-1.3.14-5.fc16 | Doc Type: | Bug Fix |
| Last Closed: | 2012-01-05 08:22:53 UTC | Bug Blocks: | 768805 |

This should work.

```
$ matchpathcon /var/lib/logcheck
/var/lib/logcheck system_u:object_r:logwatch_cache_t:s0
```

What does this command show you? Or did you re-create this directory? You will need to run

```
$ restorecon -R -v /var/lib/logcheck
```

Indeed, this is shown. I didn't re-create this dir. Still selinux prevents logcheck from running correctly. I found it necessary to run all of the above rules.

Could you attach AVC msgs which were needed for your local policy?

Created attachment 550662: audit.log filtered by denied

Of course! I had to switch on logging all messages, so this log is somewhat lengthy.

If all of these files are in /var/lib/logcheck, then whoever is creating this directory (most likely an init script) is creating it with the wrong label. Probably needs to run restorecon after the creation.

It looks like these libraries are being created in the post install script. They should be executing restorecon.

Created attachment 550721

Please add this patch to your spec file to make sure the directories you are creating are created with the correct label.

Oh, great! This fixes this issue for me. Thanks to both of you!

Are you going to push a fixed version of logcheck?

logcheck-1.3.14-5.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/logcheck-1.3.14-5.fc16

I already did that, but forgot to reference this bug number in the update. Thank you for the heads up.

logcheck-1.3.14-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

logcheck is a program which scans through log files, mailing unusual activity. It needs to write in /var/lib/logcheck. I think the following rules should go into selinux-policy:

Installing this rule makes logcheck work for me, where selinux prevented it from running.

```
module local 1.0;

require {
	type logwatch_mail_t;
	type semanage_t;
	type security_t;
	type logwatch_t;
	type setfiles_t;
	type var_lib_t;
	class process { siginh noatsecure rlimitinh };
	class dir { write add_name };
	class file { read write create open };
}

#============= logwatch_t ==============
allow logwatch_t logwatch_mail_t:process { siginh rlimitinh noatsecure };
allow logwatch_t security_t:file read;
allow logwatch_t var_lib_t:dir { write add_name };
allow logwatch_t var_lib_t:file create;
#!!!! The source type 'logwatch_t' can write to a 'file' of the following types:
# logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t

allow logwatch_t var_lib_t:file { write read open };
```

Thanks!
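
One way to triage the audit.log denials discussed in this report, as an added example that is not part of the bug report, logcheck or selinux-policy: it separates denials on the generic `var_lib_t` type, which point to a labeling problem that `restorecon` fixes, from denials that would need a policy review. The sample lines are constructed, `triage`, `summarize` and `_avc` are hypothetical names, and treating `siginh`, `rlimitinh` and `noatsecure` as dontaudit noise is an assumption.

```python
import re
from collections import Counter

GENERIC = {"var_lib_t"}  # parent-directory type seen in the report's denials
# Assumption: these process permissions are covered by dontaudit rules and
# show up only because dontaudit was disabled to log all messages.
NOISE = {"siginh", "rlimitinh", "noatsecure"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=[^:]+:[^:]+:(?P<stype>\w+)\S*\s+'
    r'tcontext=[^:]+:[^:]+:(?P<ttype>\w+)\S*\s+'
    r'tclass=(?P<tclass>\w+)')

def triage(line, expected="logwatch_cache_t"):
    """Classify one AVC denial; return (verdict, detail) or None.

    expected is the type matchpathcon reports for /var/lib/logcheck.
    """
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL, PATH and other non-AVC records
    perms = set(m["perms"].split())
    ttype, tclass = m["ttype"], m["tclass"]
    if tclass == "process" and perms <= NOISE:
        return ("noise", "normally dontaudited, no allow rule needed")
    if tclass in ("dir", "file") and ttype in GENERIC:
        name = re.search(r'name="([^"]*)"', line)
        what = name[1] if name else "?"
        return ("relabel", f"{what} is {ttype}, expected {expected}")
    return ("review", f"{m['stype']} -> {ttype}:{tclass} {sorted(perms)}")

def summarize(lines):
    """Count verdicts over a whole log, skipping non-AVC lines."""
    return Counter(v[0] for v in map(triage, lines) if v)

def _avc(perms, extra, tctx, tclass):  # builds one constructed audit.log line
    return (f'type=AVC msg=audit(1325000000.1:41): avc:  denied  {{ {perms} }} '
            f'for  pid=21 comm="logcheck" {extra}'
            f'scontext=system_u:system_r:logwatch_t:s0 '
            f'tcontext=system_u:{tctx}:s0 tclass={tclass}')

SAMPLE = [  # constructed, not taken from the bug's attachment
    _avc("write", 'name="logcheck" dev=dm-1 ino=131 ', "object_r:var_lib_t", "dir"),
    _avc("create", 'name="offset.messages" ', "object_r:var_lib_t", "file"),
    _avc("siginh rlimitinh noatsecure", "", "system_r:logwatch_mail_t", "process"),
    _avc("read", 'name="mls" dev=selinuxfs ino=12 ', "object_r:security_t", "file"),
    'type=SYSCALL msg=audit(1325000000.1:41): arch=c000003e syscall=2 success=no',
]
```

A log dominated by `relabel` verdicts calls for `restorecon -R -v /var/lib/logcheck` and a packaging fix, rather than a local module that lets `logwatch_t` write to every `var_lib_t` file.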