Bug 878757
| Summary: | allow logrotate_t to list_dir/read_file of admin_home_t | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Kaluža <jkaluza> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 6.4 | CC: | dwalsh, mmalik | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-01-15 09:02:54 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 878032 | ||||||
| Attachments: |
|
||||||
|
Description
Jan Kaluža
2012-11-21 07:22:20 UTC
Why are log files in /root? But I have no problem allowing this. I see what you mean, we probably have to make some decision where the log files can be and where not. I don't know why the reporter has log files in /root, but it used to work in RHEL5 and we should presume people were doing this. This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. Any chance to test it with the lastest policy builds? No problem. How does it look? Hm, sorry for delay, I though Milos comment meant he will test it. I can do it myself. What selinux-policy release should I use? With the latest -189.el6. Thank you. I have installed selinux-policy 3.7.19-191.el6 (I presume it should be fixed in this version too), but it does not work. I'm attaching part of audit log with the AVC. Created attachment 674590 [details]
audit.txt
Ok, I see we just added
> allow logrotate_t admin_home_t:dir { list_dir_perms };
These AVC are about file class.
So is there any new package I should try? selinux-policy-3.7.19-192.el6 changelog does not mention this. selinux-policy-3.7.19-192.el6 contains allow rules you need, please give it a try.
# sesearch -s logrotate_t -t admin_home_t -c file --allow -C
Found 1 semantic av rules:
allow logrotate_t admin_home_t : file { ioctl read getattr lock open } ;
# sesearch -s logrotate_t -t admin_home_t -c dir --allow -C
Found 2 semantic av rules:
allow logrotate_t file_type : dir { getattr search open } ;
allow logrotate_t admin_home_t : dir { ioctl read getattr lock search open }
#
I've talked with Miroslav about this and it looks it won't work until we grant logrotate "write" permission, but he thinks it's not good idea to do so. I think I've changed my opinion and I think we should declare that logrotate can rotate log files only in /var/log/ directory and not in /root. I would say having logs in /root directory is not standard anyway. Feel free to close this bug and thanks you for your help. |