Bug 885411

Summary: SELinux is preventing /usr/sbin/logrotate from read access on the directory z-push.
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dominick.grift, dwalsh, lvrabec, mcepl, mgrepl, redhat-bugzilla, redhat
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-24 17:19:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2012-12-09 08:00:18 UTC 
z-push (http://z-push.sourceforge.net/) is a server providing protocols of Microsoft Exchange Active Sync for some open source platforms (namely, Zarafa). It is distributed in rpmfusion.

SELinux is preventing /usr/sbin/logrotate from read access on the directory z-push.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that logrotate should be allowed read access on the z-push directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                z-push [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          luther
Source RPM Packages           logrotate-3.7.8-15.el6.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-185.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     luther
Platform                      Linux luther 2.6.32-279.14.1.el6.i686 #1 SMP Mon
                              Oct 15 13:43:38 EDT 2012 i686 i686
Alert Count                   1
First Seen                    Sat Dec  8 04:01:20 2012
Last Seen                     Sat Dec  8 04:01:20 2012
Local ID                      46589906-20ce-49f4-a608-c18faabf3228

Raw Audit Messages
type=AVC msg=audit(1354935680.102:607): avc:  denied  { read } for  pid=14983 comm="logrotate" name="z-push" dev=dm-0 ino=1838986 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir


type=SYSCALL msg=audit(1354935680.102:607): arch=i386 syscall=open success=no exit=EACCES a0=bf855bd0 a1=98800 a2=ee7ff4 a3=0 items=0 ppid=14981 pid=14983 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=43 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,httpd_sys_rw_content_t,dir,read

audit2allow

#============= logrotate_t ==============
allow logrotate_t httpd_sys_rw_content_t:dir read;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t httpd_sys_rw_content_t:dir read;
Comment 1 Robert Scheck 2012-12-09 11:59:30 UTC 
Duplicate of RHBZ #873885
Comment 2 Miroslav Grepl 2012-12-10 09:50:35 UTC 
Yes we labeled it as httpd_log_t which would fix this issue. But then there was a problem with httpd+write to this log file instead of append.
Comment 3 Fedora End Of Life 2013-04-03 19:33:29 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 4 Lukas Vrabec 2013-10-24 17:19:27 UTC 
$ audit2allow -i avc 


#============= logrotate_t ==============

#!!!! This avc is allowed in the current policy
allow logrotate_t httpd_sys_rw_content_t:dir read;