Bug 887880

Summary: SELinux is preventing /usr/sbin/logrotate from using the 'sys_admin' capabilities.
Product: Fedora
Reporter: Dean Hunter <deanhunter>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: abrt_hash:d96ca7d61cd4bd0d80ae4e86a6c5aefef1b442257486709c55c1fe6bba35971e
Doc Type: Bug Fix
Last Closed: 2013-01-11 23:13:58 UTC

Description Dean Hunter 2012-12-17 14:29:20 UTC
Description of problem:
SELinux is preventing /usr/sbin/logrotate from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that logrotate should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           logrotate-3.8.2-1.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-62.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.10-4.fc18.x86_64 #1 SMP Tue
                              Dec 11 18:01:27 UTC 2012 x86_64 x86_64
Alert Count                   16
First Seen                    2012-12-16 03:06:02 CST
Last Seen                     2012-12-16 03:06:03 CST
Local ID                      b4a63c22-caa8-465c-9126-5c8c3821268d

Raw Audit Messages
type=AVC msg=audit(1355648763.361:2454): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1355648763.361:2454): arch=x86_64 syscall=clone success=yes exit=29476 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,logrotate_t,capability,sys_admin

audit2allow

#============= logrotate_t ==============
allow logrotate_t self:capability sys_admin;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t self:capability sys_admin;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.10-5.fc18.x86_64
type:           libreport

Comment 1 Dean Hunter 2012-12-17 14:50:45 UTC
[root@server ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                   3.11.1-62.fc18          @updates-testing
selinux-policy-devel.noarch             3.11.1-62.fc18          @updates-testing
selinux-policy-doc.noarch               3.11.1-62.fc18          @updates-testing
selinux-policy-targeted.noarch          3.11.1-62.fc18          @updates-testing
[root@server ~]# yum list installed tomcat*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
tomcat.noarch                           7.0.33-2.fc18           @updates-testing
tomcat-el-2.2-api.noarch                7.0.33-2.fc18           @updates-testing
tomcat-jsp-2.2-api.noarch               7.0.33-2.fc18           @updates-testing
tomcat-lib.noarch                       7.0.33-2.fc18           @updates-testing
tomcat-servlet-3.0-api.noarch           7.0.33-2.fc18           @updates-testing
tomcat6-servlet-2.5-api.noarch          6.0.35-5.fc18           @fedora         
tomcatjss.noarch                        7.0.0-3.fc18            @fedora         
[root@server ~]# yum list installed logrotate
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
logrotate.x86_64                     3.8.2-1.fc18                      @anaconda
[root@server ~]# 

Please change the Severity of this bug report to high from the ABRT default of unspecified.

Comment 2 Dean Hunter 2012-12-17 16:25:56 UTC
Checking my records, this system was last rebuilt Tue, Dec 11 2012 23:57:11, including ipa-server-install. I know it was rebooted several times on the 12th and everything was working then without any AVC errors, as I was checking selinux-policy.noarch 3.11.1-62.fc18 to make sure it corrected previously reported errors. The only changes in the server between then and now have been the result of yum update, as I am looking for selinux-policy.noarch 3.11.1-65.fc18 to correct another previously reported error.

Comment 3 Daniel Walsh 2012-12-17 19:30:41 UTC
This looks like logrotate attempted to do the clone syscall and was successful even though the AVC was generated?

I have no idea why it would be executing the clone syscall.

Have you seen this repeatedly happen?

Comment 4 Dean Hunter 2012-12-18 21:44:56 UTC
Yes, it is repeating.

[root@server ~]# ausearch -m AVC | grep logrotate
type=SYSCALL msg=audit(1355648762.022:2436): arch=c000003e syscall=56 success=yes exit=29422 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.022:2436): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.023:2437): arch=c000003e syscall=56 success=yes exit=29423 a0=1200011 a1=0 a2=0 a3=7f677905fa10 items=0 ppid=29421 pid=29422 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.023:2437): avc:  denied  { sys_admin } for  pid=29422 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.605:2439): arch=c000003e syscall=56 success=yes exit=29440 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.605:2439): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.607:2440): arch=c000003e syscall=56 success=yes exit=29441 a0=1200011 a1=0 a2=0 a3=7f5e7572ca10 items=0 ppid=29421 pid=29440 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.607:2440): avc:  denied  { sys_admin } for  pid=29440 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.696:2441): arch=c000003e syscall=56 success=yes exit=29451 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.696:2441): avc:  denied  { sys_admin } for  pid=29450 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.696:2442): arch=c000003e syscall=56 success=yes exit=29452 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.696:2442): avc:  denied  { sys_admin } for  pid=29450 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.697:2443): arch=c000003e syscall=56 success=yes exit=29453 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.697:2443): avc:  denied  { sys_admin } for  pid=29450 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.698:2444): arch=c000003e syscall=56 success=yes exit=29454 a0=1200011 a1=0 a2=0 a3=7f148314aa10 items=0 ppid=29421 pid=29450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.698:2444): avc:  denied  { sys_admin } for  pid=29450 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.926:2445): arch=c000003e syscall=56 success=yes exit=29459 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.926:2445): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.927:2446): arch=c000003e syscall=56 success=yes exit=29460 a0=1200011 a1=0 a2=0 a3=7fe9c404ca10 items=0 ppid=29421 pid=29459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.927:2446): avc:  denied  { sys_admin } for  pid=29459 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648762.928:2447): arch=c000003e syscall=56 success=yes exit=29461 a0=1200011 a1=0 a2=0 a3=7fe9c404ca10 items=0 ppid=29459 pid=29460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.928:2447): avc:  denied  { sys_admin } for  pid=29460 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.201:2448): arch=c000003e syscall=56 success=yes exit=29462 a0=1200011 a1=0 a2=0 a3=7fe9c404ca10 items=0 ppid=29421 pid=29459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.201:2448): avc:  denied  { sys_admin } for  pid=29459 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.356:2449): arch=c000003e syscall=56 success=yes exit=29471 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.356:2449): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.357:2450): arch=c000003e syscall=56 success=yes exit=29472 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.357:2450): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.359:2451): arch=c000003e syscall=56 success=yes exit=29473 a0=1200011 a1=0 a2=0 a3=7fb0da00ca10 items=0 ppid=29421 pid=29472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.359:2451): avc:  denied  { sys_admin } for  pid=29472 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.359:2452): arch=c000003e syscall=56 success=yes exit=29474 a0=1200011 a1=0 a2=0 a3=7fb0da00ca10 items=0 ppid=29472 pid=29473 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.359:2452): avc:  denied  { sys_admin } for  pid=29473 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.360:2453): arch=c000003e syscall=56 success=yes exit=29475 a0=1200011 a1=0 a2=0 a3=7fb0da00ca10 items=0 ppid=29421 pid=29472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.360:2453): avc:  denied  { sys_admin } for  pid=29472 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648763.361:2454): arch=c000003e syscall=56 success=yes exit=29476 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648763.361:2454): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
[root@server ~]#

Comment 5 Daniel Walsh 2012-12-19 14:35:32 UTC
Added dontaudit.

Fixed in selinux-policy-3.11.1-67.fc18.noarch
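As an added example (not from this bug report or from selinux-policy), here is the check Dan Walsh made by eye in comment 3, automated: pair each AVC record with the SYSCALL record sharing its audit serial, read success= to see whether the denial stopped anything, and suggest the dontaudit rule used in comment 5 only for denials that did not. The sample records are constructed: serial 2436 mirrors the ausearch output above with fields trimmed, and serial 9999 (syscall 165, mount(2) on x86_64) is invented as the contrasting case where the call really failed.

```python
import re
from collections import defaultdict, namedtuple
# Constructed sample shaped like the ausearch output in comment 4: a SYSCALL record and
# the AVC it raised share one serial, msg=audit(TIME:SERIAL). Serial 9999 is invented.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1355648762.022:2436): arch=c000003e syscall=56 success=yes exit=29422 a0=1200011 a1=0 a2=0 a3=7f84418a9a90 items=0 ppid=29419 pid=29421 auid=0 uid=0 tty=(none) ses=146 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648762.022:2436): avc:  denied  { sys_admin } for  pid=29421 comm="logrotate" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1355648799.000:9999): arch=c000003e syscall=165 success=no exit=-1 a0=0 a1=0 a2=0 a3=0 items=0 ppid=29421 pid=29422 auid=0 uid=0 tty=(none) ses=146 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355648799.000:9999): avc:  denied  { sys_admin } for  pid=29422 comm="sh" capability=21  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
"""

HEADER_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(\w+)\s+\{ ([^}]*) \}")  # "avc:  denied  { sys_admin }" has no key=value form

Verdict = namedtuple("Verdict", "serial comm syscall succeeded rule")

def parse_record(line):
    """Split one raw audit record into a dict of its key=value fields."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    rec = {"type": head.group(1), "serial": int(head.group(3))}
    for key, val in FIELD_RE.findall(line[head.end():]):
        rec[key] = val.strip('"')
    if rec["type"] == "AVC":
        avc = AVC_RE.search(line)
        rec["decision"], rec["perms"] = avc.group(1), avc.group(2).split()
    return rec

def triage(text):
    """Pair each AVC denial with the SYSCALL record sharing its serial. success=yes means
    the kernel probed for the capability but completed the call without it, which is what
    a dontaudit rule is for (the fix in comment 5); success=no means the denial bit."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    verdicts = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if not (avc and sc and avc["decision"] == "denied"):
            continue
        src = avc["scontext"].split(":")[2]  # type component of the SELinux context
        tgt = "self" if avc["tcontext"] == avc["scontext"] else avc["tcontext"].split(":")[2]
        harmless = sc["success"] == "yes"
        rule = f"dontaudit {src} {tgt}:{avc['tclass']} {' '.join(avc['perms'])};" if harmless else None
        verdicts.append(Verdict(serial, sc["comm"], int(sc["syscall"]), harmless, rule))
    return verdicts

if __name__ == "__main__":
    print(*triage(SAMPLE_AUDIT), sep="\n")
```

Run against a real `ausearch -m AVC,SYSCALL` dump, the same pairing separates probe-only denials, which only need silencing, from denials that broke something.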

Comment 6 Fedora Update System 2012-12-21 10:31:49 UTC
selinux-policy-3.11.1-67.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-67.fc18

Comment 7 Fedora Update System 2012-12-21 20:02:09 UTC
Package selinux-policy-3.11.1-67.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-67.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20813/selinux-policy-3.11.1-67.fc18
then log in and leave karma (feedback).

Comment 8 Dean Hunter 2012-12-24 15:31:14 UTC
After applying update selinux-policy.noarch 3.11.1-67.fc18 the httpd logs were rotated without SELinux alerts.

Thank you for your assistance.

Comment 9 Daniel Walsh 2012-12-27 16:25:13 UTC
Please update karma

Comment 10 Fedora Update System 2013-01-11 23:14:00 UTC
selinux-policy-3.11.1-67.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.