| Summary: | SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the None /root. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kevin Cameron <kc-bugzilla> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dominick.grift, dwalsh, mgrepl |
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:cfbed32d702fe7d2445c180a54196f97e02e493fb9abac858f55cd63758b6f7a | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Last Closed: | 2012-02-23 22:08:42 UTC | Type: | --- |
Do you have log files installed in /root?

Actually do you have /root as a symbolic link?

Yes. My /root is a link:

mojo:/%ls -l /root
lrwxrwxrwx. 1 root root 14 Dec 4 11:35 /root -> RootExtra/root/

I did this because I have a hybrid SSD/Hard Disk configuration and I want to minimize writes to the SSD (which holds the "/" partition). I set this system up in early November 2011. This SELinux issue just started last week or so.

Note that I've already filed bug 759920 regarding installs to SSDs.

It is best if you add a custom policy then.

Create a myroot.te

#################################### cut ####################################
policy_module(myroot,1.0)

gen_require(`
 attribute domain;
 type admin_home_t;
')

allow domain admin_home_t:lnk_file read_lnk_file_perms;
################################### cut #######################################

make -f /usr/share/selinux/devel/Makefile
semodule -i myroot.pp
libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.2.6-3.fc16.x86_64
reason: SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the None /root.
time: Wed 22 Feb 2012 11:21:34 AM PST

description:
:SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the None /root.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that logrotate should be allowed read access on the root <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
:Target Context unconfined_u:object_r:admin_home_t:s0
:Target Objects /root [ None ]
:Source logrotate
:Source Path /usr/sbin/logrotate
:Port <Unknown>
:Host (removed)
:Source RPM Packages logrotate-3.8.0-3.fc16.x86_64
:Target RPM Packages filesystem-2.4.44-1.fc16.x86_64
:Policy RPM selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed) 3.2.6-3.fc16.x86_64 #1 SMP Mon Feb 13
: 20:35:42 UTC 2012 x86_64 x86_64
:Alert Count 1
:First Seen Wed 22 Feb 2012 11:21:01 AM PST
:Last Seen Wed 22 Feb 2012 11:21:01 AM PST
:Local ID 10b11be7-ff18-45cb-ad3e-6ae067822cc1
:
:Raw Audit Messages
:type=AVC msg=audit(1329938461.346:93): avc: denied { read } for pid=3339 comm="logrotate" name="root" dev=sda2 ino=65 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=lnk_file
node=(removed) type=SYSCALL msg=audit(1329938461.346:93): arch=c000003e syscall=2 success=no exit=-13 a0=76b3c0 a1=0 a2=76b3ca a3=19 items=0 ppid=3337 pid=3339 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
:
:
:Hash: logrotate,logrotate_t,admin_home_t,None,read
:
:audit2allow
unable to open /etc/selinux/targeted/policy/policy.26: Permission denied
:
:
:audit2allow -R
unable to open /etc/selinux/targeted/policy/policy.26: Permission denied
:
: