Bug 799826

Summary: SELinux policy missing for /root/.my.cnf for use with /etc/logrotate.d/mysqld
Product: Fedora
Reporter: Scott Shambarger <scott-fedora>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dwalsh, uckelman
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-04-22 03:35:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Scott Shambarger 2012-03-05 07:24:43 UTC
Description of problem:
mysql logrotate unable to flush-logs because of missing selinux policy

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-75
mysql-server-5.5.20-1
logrotate-3.8.0-3

How reproducible:
Whenever log rotate cron runs

Steps to Reproduce:
1. Install mysqld
2. Create /root/.my.cnf with login details for mysqladmin (user & password entries)
3. Install logrotate
4. Enable cron
5. Enable selinux
  
Actual results:
logrotate fails in mysqld script with 'mysqladmin ping':
mysqladmin: connect to server at 'localhost' failed

Expected results:
logrotate for mysqld succeeds, and 'mysqladmin flush-logs' runs and new entries go to new log files

Additional info:
/root/.my.cnf has fcontext admin_home_t by default, and logrotate has scontext of logrotate_t, which is not permitted getattr on admin_home_t.

Either .my.cnf needs a new context, or an additional allow rule should be added so that the logrotate script /etc/logrotate.d/mysqld can use the login details in /root/.my.cnf when /usr/bin/mysqladmin executes ping & flush-logs.

Comment 1 Miroslav Grepl 2012-03-05 09:30:38 UTC
It should be fixed in selinux-policy-targeted-3.10.0-76

You can update using

$ yum update selinux-policy-targeted --enablerepo=updates-testing

Comment 2 Scott Shambarger 2012-03-07 19:16:53 UTC
Installed 3.10.0-78 (which yum update gave me) and tested on last night's logrotate, still received a denial:

avc:  denied  { getattr } for  pid=18817 comm="mysqladmin" path="/root/.my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file

Comment 3 Miroslav Grepl 2012-03-08 09:35:11 UTC
It was added to the latest policy which is available from koji for now.

Comment 4 Scott Shambarger 2012-03-12 20:31:31 UTC
3.10.0-79 appears to have resolved the issue.  I no longer receive the denial for /etc/logrotate.d/mysqld.

Comment 5 Scott Shambarger 2012-03-12 20:47:31 UTC
Correction... the denial is no longer logged, however the postrotate script still fails (output from cron):

/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
error: error running non-shared postrotate script for /var/log/mysqld.log of '/var/log/mysqld.log '

So mysqld is not performing flush-logs correctly...

Comment 6 Miroslav Grepl 2012-03-13 08:21:16 UTC
Is this an SELinux issue? Does it work in permissive mode?

Comment 7 Scott Shambarger 2012-03-13 12:19:00 UTC
Yes, if I setenforce 0 and let cron run logrotate for mysqld, the logs are rotated and compressed as expected, no error is reported.

Performing the same with setenforce 1 results in the error above, and the rotated log is not compressed (I'm guessing as a result of the script error).

... both with the same initial conditions.

Comment 8 Daniel Walsh 2012-03-13 13:27:33 UTC
Scott,

Can you try to rotate them after executing

semodule -DB

which will disable dontaudit rules.

Then grab avc's related to logrotate.

Turn back on dontaudit rules with

semodule -B

Comment 9 Scott Shambarger 2012-03-13 14:22:19 UTC
Here's the denial:

avc:  denied  { getattr } for  pid=2292 comm="mysqladmin" path="/root/.my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
Was caused by:
                Unknown - should be dontaudit'd by active policy

Comment 10 Scott Shambarger 2012-03-13 14:30:40 UTC
Actually, re-ran with setenforce 0 to get all the denials:

avc:  denied  { open } for  pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file

avc:  denied  { read } for  pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file

Comment 11 Daniel Walsh 2012-03-13 15:45:00 UTC
Miroslav, you need to backport changes from logrotate in f17.

	mysql_read_home_content(logrotate_t)
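The AVC lines quoted in comments 9 and 10 and the interface named in comment 11, as an added example that is not part of this bug's discussion or of the Fedora policy tooling: a small parser (my own) that turns raw `avc: denied` records into the minimal set of raw `allow` rules a maintainer would need to inspect, here collapsing the three separate logrotate_t denials on mysqld_home_t into one rule; the sample input is the three denials reproduced from this bug.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in this bug
# (getattr, open, read), reproduced here so the parser runs offline.
AVC_LINES = """\
avc:  denied  { getattr } for  pid=2292 comm="mysqladmin" path="/root/.my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
avc:  denied  { open } for  pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
avc:  denied  { read } for  pid=2782 comm="mysqladmin" name=".my.cnf" dev=dm-0 ino=3932200 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mysqld_home_t:s0 tclass=file
"""

# Matches the permission set in braces and the source/target contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field (third colon-separated element) of an SELinux context,
    e.g. 'logrotate_t' from 'system_u:system_r:logrotate_t:s0-s0:c0.c1023'."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, class, permission), one tuple per denied
    permission; lines that are not AVC denials are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), perm)


def allow_rules(text):
    """Collapse parsed denials into one `allow` statement per source/target/class
    triple, with the permissions merged and sorted.  In the real policy the
    equivalent access is granted through an interface such as
    mysql_read_home_content(), not by pasting raw allow rules."""
    perms = defaultdict(set)
    for src, tgt, cls, perm in parse_avc(text):
        perms[(src, tgt, cls)].add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


if __name__ == "__main__":
    for rule in allow_rules(AVC_LINES):
        print(rule)
```

Feeding it `ausearch -m avc` output instead of the embedded sample gives the same kind of summary for any domain; it only reads the log and never loads policy.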

Comment 12 Miroslav Grepl 2012-03-13 21:04:09 UTC
$ git log f16
commit d88e3a72eeefa0b97a559edac09c79060d1c4764
Author: Miroslav Grepl <mgrepl>
Date:   Tue Mar 13 23:03:38 2012 +0000

    Allow logrotate to read mysql home content

Comment 13 Scott Shambarger 2012-03-13 21:22:05 UTC
Not sure how to see the diffs in the commit, but you might also want to remove the "don't audit" for the above errors (if appropriate) to ease tracking down similar issues in the future :)

Comment 14 Miroslav Grepl 2012-03-14 09:13:05 UTC
You can check it on

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=shortlog;h=refs/heads/f16

Comment 15 Scott Shambarger 2012-03-15 02:46:51 UTC
Hmm... looks like the f16 tree hasn't been updated in over a month, and a search for the commit (even on the master branch) doesn't return any results.

Comment 16 Miroslav Grepl 2012-03-15 07:22:04 UTC
Updated.

Comment 17 Scott Shambarger 2012-04-17 17:29:38 UTC
Tried this with selinux-policy-targeted-3.10.0-83, and it appears fixed.  logrotate correctly flushed mysqld's logs when run from crond last night (had to re-enable log rotation which was disabled in a recent mysql update).

Bug appears fixed, looking forward to seeing the package in testing :)

Comment 18 Fedora Update System 2012-04-18 12:53:12 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 19 Fedora Update System 2012-04-22 03:35:21 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.