Bug 887880
Summary: | SELinux is preventing /usr/sbin/logrotate from using the 'sys_admin' capabilities. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dean Hunter <deanhunter> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 18 | CC: | dominick.grift, dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | abrt_hash:d96ca7d61cd4bd0d80ae4e86a6c5aefef1b442257486709c55c1fe6bba35971e | ||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-01-11 23:13:58 UTC | Type: | --- |
Description
Dean Hunter
2012-12-17 14:29:20 UTC
[root@server ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch 3.11.1-62.fc18 @updates-testing
selinux-policy-devel.noarch 3.11.1-62.fc18 @updates-testing
selinux-policy-doc.noarch 3.11.1-62.fc18 @updates-testing
selinux-policy-targeted.noarch 3.11.1-62.fc18 @updates-testing
[root@server ~]# yum list installed tomcat*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
tomcat.noarch 7.0.33-2.fc18 @updates-testing
tomcat-el-2.2-api.noarch 7.0.33-2.fc18 @updates-testing
tomcat-jsp-2.2-api.noarch 7.0.33-2.fc18 @updates-testing
tomcat-lib.noarch 7.0.33-2.fc18 @updates-testing
tomcat-servlet-3.0-api.noarch 7.0.33-2.fc18 @updates-testing
tomcat6-servlet-2.5-api.noarch 6.0.35-5.fc18 @fedora
tomcatjss.noarch 7.0.0-3.fc18 @fedora
[root@server ~]# yum list installed logrotate
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
logrotate.x86_64 3.8.2-1.fc18 @anaconda
[root@server ~]#

Please change the Severity of this bug report to high from the ABRT default of unspecified.

Checking my records, this system was last rebuilt Tue, Dec 11 2012 23:57:11, including ipa-server-install. I know it was rebooted several times on the 12th and everything was working then without any AVC errors, as I was checking selinux-policy.noarch 3.11.1-62.fc18 to make sure it corrected previously reported errors. The only changes in the server between then and now have been the result of yum update, as I am looking for selinux-policy.noarch 3.11.1-65.fc18 to correct another previously reported error.

This looks like logrotate attempted to do the clone syscall and was successful even though the AVC was generated? I have no idea why it would be executing the clone syscall. Have you seen this repeatedly happen?

Yes, it is repeating.
[root@server ~]# ausearch -m AVC | grep logrotate
type=SYSCALL msg=audit(1355648762.022:2436): arch=c000003e syscall=56 success=yes exit=29422 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.022:2436): avc: denied { sys_admin } for pid=29421 comm="logrotate" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.023:2437): arch=c000003e syscall=56 success=yes exit=29423 a0=1200011 a1=0 a2=0 a3=7f677905fa10 items=0 ppid=29421 pid=29422 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.023:2437): avc: denied { sys_admin } for pid=29422 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.605:2439): arch=c000003e syscall=56 success=yes exit=29440 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.605:2439): avc: denied { sys_admin } for pid=29421 comm="logrotate" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.607:2440): arch=c000003e syscall=56 success=yes exit=29441 a0=1200011 a1=0 a2=0 a3=7f5e7572ca10 items=0 ppid=29421 pid=29440 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.607:2440): avc: denied { sys_admin } for pid=29440 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.696:2441): arch=c000003e syscall=56 success=yes exit=29451 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.696:2441): avc: denied { sys_admin } for pid=29450 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.696:2442): arch=c000003e syscall=56 success=yes exit=29452 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.696:2442): avc: denied { sys_admin } for pid=29450 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.697:2443): arch=c000003e syscall=56 success=yes exit=29453 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.697:2443): avc: denied { sys_admin } for pid=29450 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.698:2444): arch=c000003e syscall=56 success=yes exit=29454 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.698:2444): avc: denied { sys_admin } for pid=29450 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.926:2445): arch=c000003e syscall=56 success=yes exit=29459 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.926:2445): avc: denied { sys_admin } for pid=29421 comm="logrotate" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.927:2446): arch=c000003e syscall=56 success=yes exit=29460 a0=1200011 a1=0 a2=0 a3=7fe9c404ca10 items=0 ppid=29421 pid=29459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.927:2446): avc: denied { sys_admin } for pid=29459 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.928:2447): arch=c000003e syscall=56 success=yes exit=29461 a0=1200011 a1=0 a2=0 a3=7fe9c404ca10 items=0 ppid=29459 pid=29460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.928:2447): avc: denied { sys_admin } for pid=29460 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.201:2448): arch=c000003e syscall=56 success=yes exit=29462 a0=1200011 a1=0 a2=0 a3=7fe9c404ca10 items=0 ppid=29421 pid=29459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.201:2448): avc: denied { sys_admin } for pid=29459 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.356:2449): arch=c000003e syscall=56 success=yes exit=29471 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.356:2449): avc: denied { sys_admin } for pid=29421 comm="logrotate" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.357:2450): arch=c000003e syscall=56 success=yes exit=29472 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.357:2450): avc: denied { sys_admin } for pid=29421 comm="logrotate" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.359:2451): arch=c000003e syscall=56 success=yes exit=29473 a0=1200011 a1=0 a2=0 a3=7fb0da00ca10 items=0 ppid=29421 pid=29472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.359:2451): avc: denied { sys_admin } for pid=29472 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.359:2452): arch=c000003e syscall=56 success=yes exit=29474 a0=1200011 a1=0 a2=0 a3=7fb0da00ca10 items=0 ppid=29472 pid=29473 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.359:2452): avc: denied { sys_admin } for pid=29473 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.360:2453): arch=c000003e syscall=56 success=yes exit=29475 a0=1200011 a1=0 a2=0 a3=7fb0da00ca10 items=0 ppid=29421 pid=29472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.360:2453): avc: denied { sys_admin } for pid=29472 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.361:2454): arch=c000003e syscall=56 success=yes exit=29476 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.361:2454): avc: denied { sys_admin } for pid=29421 comm="logrotate" capability=21 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
[root@server ~]#

Added dontaudit. Fixed in selinux-policy-3.11.1-67.fc18.noarch

selinux-policy-3.11.1-67.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-67.fc18

Package selinux-policy-3.11.1-67.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-67.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20813/selinux-policy-3.11.1-67.fc18
then log in and leave karma (feedback).

After applying update selinux-policy.noarch 3.11.1-67.fc18 the httpd logs were rotated without SELinux alerts. Thank you for your assistance.

Please update karma

selinux-policy-3.11.1-67.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
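
Added example, not part of the original bug report: a Python sketch that pairs each AVC denial with the SYSCALL record sharing its audit event ID and lists the denials whose syscall still returned success=yes, the pattern questioned in the thread (clone, syscall 56 on x86_64, alongside a sys_admin denial). The sample records are constructed in the ausearch format, and the function and table names are hypothetical.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers (arch=c000003e) needed for these records.
SYSCALLS_X86_64 = {56: "clone", 59: "execve"}

# Constructed sample records in ausearch format (not taken from the report).
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.010:101): arch=c000003e syscall=56 success=yes exit=4102 ppid=4100 pid=4101 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(1700000000.010:101): avc:  denied  { sys_admin } for  pid=4101 comm="logrotate" capability=21 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability
type=SYSCALL msg=audit(1700000000.020:102): arch=c000003e syscall=56 success=yes exit=4103 ppid=4101 pid=4102 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(1700000000.020:102): avc:  denied  { sys_admin } for  pid=4102 comm="sh" capability=21 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability
type=SYSCALL msg=audit(1700000000.030:103): arch=c000003e syscall=59 success=no exit=-13 ppid=4101 pid=4104 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(1700000000.030:103): avc:  denied  { execute } for  pid=4104 comm="sh" name="helper" dev="dm-0" ino=1234 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")

def parse(text):
    """Group SYSCALL and AVC denial records by event ID (timestamp:serial)."""
    events = defaultdict(lambda: {"SYSCALL": None, "AVC": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        perms = PERMS.search(line)
        if m.group(1) == "SYSCALL":
            events[m.group(2)]["SYSCALL"] = fields
        elif m.group(1) == "AVC" and perms:
            fields["perms"] = perms.group(1).split()
            events[m.group(2)]["AVC"].append(fields)
    return events

def denied_but_succeeded(events):
    """Denials whose paired syscall still returned success=yes."""
    hits = []
    for eid, ev in sorted(events.items()):
        sc = ev["SYSCALL"]
        if sc is None or sc.get("success") != "yes":
            continue
        name = SYSCALLS_X86_64.get(int(sc["syscall"]), sc["syscall"])
        for avc in ev["AVC"]:
            domain = avc["scontext"].split(":")[2]
            hits.append((eid, avc["comm"], domain, avc["tclass"], tuple(avc["perms"]), name))
    return hits
```

On a live system the input would be the output of `ausearch -m AVC`, the command used in the report.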