Description of problem:
SELinux is preventing logrotate from 'read' accesses on the directory /var/cache/dnf.

*****  Plugin catchall (100. confidence) suggests  **************************

If you believe that logrotate should be allowed read access on the dnf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.3-302.fc21.x86_64 #1 SMP Fri Sep 26 14:27:20 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-11-11 03:14:01 GMT
Last Seen                     2014-11-12 03:23:01 GMT
Local ID                      be676656-485c-44d5-a96b-fe72478ffba3

Raw Audit Messages
type=AVC msg=audit(1415762581.835:2453): avc: denied { read } for pid=11897 comm="logrotate" name="dnf" dev="sda3" ino=281376 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.16.3-302.fc21.x86_64
type:           libreport
*** Bug 1173233 has been marked as a duplicate of this bug. ***
Does anyone know why logrotate needs read rpm_var_cache dir?
Description of problem:
this happened somewhere in background, I don't know when or how. I think it might have happened when running dnf as non-privileged user.

# grep logrotate /var/log/audit/audit.log
type=AVC msg=audit(1418382361.816:491): avc: denied { read } for pid=6456 comm="logrotate" name="dnf" dev="dm-0" ino=13252 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport
Thank you for your post. I'll wait also for logrotate guys. If they confirm this, I'll add dontaudit rule here.
Description of problem: Recent install of Fedora 21 Workstation. Not done much; installed Thunderbird, Keepassx. I ran yum update through muscle memory, maybe I should be running dnf? Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport
Description of problem: no idea, just idling Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Appears a short time after the system was started. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686+PAE type: libreport
That's really weird. logrotate shouldn't use /var/cache/dnf for rotating logs!
/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

from /etc/logrotate.d/dnf
I have the same problem.

Description of problem:
SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-14 14:31:02 CET
Last Seen                     2014-12-14 14:31:02 CET
Local ID                      a222f873-33d0-4a5b-87b1-17a758a1eaf9

Raw Audit Messages
type=AVC msg=audit(1418563862.85:509): avc: denied { read } for pid=4548 comm="logrotate" name="dnf" dev="dm-1" ino=917797 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read
Description of problem: No intervention from my part, it seems like a regular logrotate task. I got the notification from within Gnome Shell. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: User activity at the time of the alert: Browsing the web with Firefox, plus an active ssh session to a remote host. (a KVM guest running on the F21 host machine). Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Showed up the next morning... Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I upgraded to Fedora 21 workstation a few days ago. SELinux is preventing logrotate access to the folder /var/cache/dnf. I don't know much about SELinux, or this /var/cache/dnf directory. In any case, I got an SELinux Alert, and such an alert should not be generated by default. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I was simply using Google Chrome to edit Google Docs, like I have many times before, and received notification of this Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: used fedup to install Twenty One have logrotate run from cron Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
(In reply to Quentin Haas from comment #15)
> Description of problem:
> I was simply using Google Chrome to edit Google Docs, like I have many times
> before, and received notification of this
>
> Version-Release number of selected component:
> selinux-policy-3.13.1-99.fc21.noarch
>
> Additional info:
> reporter:       libreport-2.3.0
> hashmarkername: setroubleshoot
> kernel:         3.17.6-300.fc21.x86_64
> type:           libreport

To add, I also used fedup to upgrade my Fedora 20 install to Fedora 21 a couple of days ago
Description of problem: I presume that cron is automatically running logrotate, since this error occurs every morning. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: /etc/logrotate.d/dnf contains entry for /var/cache/dnf/*/*/hawkey.log dnf-0.6.3-2.fc21.noarch selinux-policy-targeted-3.13.1-99.fc21.noarch Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport
Description of problem: SELinux complained that logrotate was trying to access /var/cache/dnf. I haven't touched any settings involving logrotate or this file. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
This is caused by a change in the dnf package (Bug 1149350). I'm reassigning this to selinux-policy to add an SELinux rule to fix the AVC from Comment 10. If you think the logs should not be in /var/cache/, or if you have some additional questions, please consult the "dnf" package maintainers.
*** Bug 1173995 has been marked as a duplicate of this bug. ***
*** Bug 1173941 has been marked as a duplicate of this bug. ***
As pointed out by Igor in Comment 9, the dnf logrotate configuration file contains the following:

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

So it tries to rotate any hawkey.log in /var/cache/dnf subdirectories' subdirectories :).
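Why a pattern in /etc/logrotate.d/dnf produces a `read` denial on the directory /var/cache/dnf itself: expanding a wildcard requires listing the directory in front of it, while a literal path only needs search permission along the way. The following is an added example, not part of the bug report or of logrotate; it assumes absolute patterns with shell-style wildcards, and the function names are illustrative.

```python
import re
import shlex

# /etc/logrotate.d/dnf as quoted in this thread (dnf-0.6.3-2.fc21),
# with the line breaks restored.
DNF_LOGROTATE = """\
/var/log/dnf.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
/var/log/dnf.rpm.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
/var/log/dnf.plugin.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}
"""

WILDCARD = re.compile(r"[*?\[]")


def log_patterns(config):
    """Return the path patterns that open each 'pattern ... {' block."""
    patterns = []
    in_block = False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not in_block and line.endswith("{"):
            # Several (possibly quoted) patterns may share one block.
            patterns.extend(shlex.split(line[:-1]))
            in_block = True
        elif line == "}":
            in_block = False
    return patterns


def dirs_listed_by_glob(pattern):
    """Directories that must be opened and read to expand the wildcards.

    Every component containing a wildcard forces a listing of the directory
    made of the components before it. Literal components are only traversed
    (search permission), so a pattern without wildcards yields nothing.
    """
    parts = pattern.strip("/").split("/")
    listed = []
    for i, part in enumerate(parts):
        if WILDCARD.search(part):
            listed.append("/" + "/".join(parts[:i]))
    return listed


def read_requirements(config):
    """Map each rotated pattern to the directories logrotate has to list."""
    return {p: dirs_listed_by_glob(p) for p in log_patterns(config)}


if __name__ == "__main__":
    for pattern, dirs in read_requirements(DNF_LOGROTATE).items():
        print(pattern, "->", dirs or "no directory listing needed")
```

Only the hawkey.log pattern requires listing /var/cache/dnf, which matches the `tclass=dir` `{ read }` record with `name="dnf"` in the reports.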
Description of problem: This error just pops up automatically due to background activities, not due to activity caused by users. Logrotate wants to read cache of dnf. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
commit 8c58acae64e5f8f41d5ea01b9a11ad25e0da3802
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 15 05:06:23 2014 -0500

    Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)
Description of problem: Fedora 21 told me with an alert that SELinux forbade logrotate to do something. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem:
Upgraded to F21 (nonproduct, KDE) from F20

At first boot, after some time I got this warning from selinux.

I tried "restorecon" just in case the directory was mislabeled for some reason:
# restorecon -Rv /var/cache/dnf/
#

but as you can see it did not change anything

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-302.fc21.x86_64
type:           libreport
Description of problem: I did nothing, just has system up and running. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I got this error without triggering anything, all I know is that the system was idle for more than an hour, with firefox and Software opened. If this keeps repeating, I would be glad to help you with it. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport
Description of problem: No interaction needed to reproduce this bug on my system. When logrotate runs from cron, the enclosed warning appears. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21
Description of problem: This just occurred when logrotate tried to do its thing because of the crontab entry. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport
Description of problem: I was trying to fix a problem with VLC Player(RPM Fusion), I configured it so it can use a skin but it didn't work, probably an outdated skin file. I was creating/removing archives/files in the folder: /usr/share/vlc/skins2, the problem appeared during the process Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: This alert appears after launching qbittorrent, precisely when the data exchange began in that program. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: A notification about error appeared during browsing internet with Google Chrome. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: just wait for logrotate to kick in. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Nothing done especially. logrotate runs automatically. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
(In reply to Fedora Update System from comment #32)
> selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21

This fixes it for me, karma left.
(In reply to Colin J Thomson from comment #39)
> (In reply to Fedora Update System from comment #32)
> > selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> > https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21
>
> This fixes it for me, karma left.

The same for me.
Karma +1
Description of problem: Was just installing a game called robocraft in steam Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
(In reply to Lukas Slebodnik from comment #40)
> (In reply to Colin J Thomson from comment #39)
> > (In reply to Fedora Update System from comment #32)
> > > selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> > > https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21
> >
> > This fixes it for me, karma left.
>
> The same for me.
> Karma +1

I'll just add that I believe the same. Since restarting after install at 17:54 GMT there were no error messages from SE Linux. For one hour I restarted with a Live DVD to test something else between 21:20 and 22:20. I think the preceding 3 hours 25 minutes gave enough time for the scheduled task to complete which has been causing the error message.
Description of problem: dnf update Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I did nothing. This problem occurs on its own from time to time, I guess when logrotate tries to rotate the dnf logs... Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport
Description of problem:
I believe logrotate should be allowed access, as /etc/logrotate.d/dnf includes this record:

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

so it is expected to crawl under /var/cache ...

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-302.fc21.x86_64
type:           libreport
Description of problem: Just saw it pop up in the tray icon. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem:
SELinux warning produced when logrotate attempts regular rotation of logs in dnf cache directory. This is the default configuration of logrotate and SELinux as far as I know.

Relevant block from /etc/logrotate.d/dnf :

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

Steps to reproduce:
- Verify that both SELinux and logrotate are installed in default configuration. (In my case, upgrade from Fedora 20.)
- Wait for logrotate to check for hawkey logs inside /var/cache/dnf dir...

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport
Description of problem: If this is about logrotate, there is nothing that I as a user did at this time. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Didn't do anything. Just popped up in the middle of my session. I guess logrotate + dnf are not SELinux aware. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Happening after fedup upgrade from Fedora 20. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
I confirm comment #40 and comment #42, selinux-policy-3.13.1-103.fc21.noarch fixes the bug. Tnx
Description of problem: I got notified of this by SELinux Alert Browser: logrotate wants read access in /var/cache/dnf Happened after system update today Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: My laptop woke up from standby and I saw the SELinux Alert. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I was using Google Chrome to listen to some music while programming in C in vim in gnome-terminal when I received a notification via the Gnome Shell that this SELinux alert occurred. I was not using dnf, nor have I used dnf. I turned my computer on not long ago and did check for updates via yum but there were none reported, with my last check yesterday. I have not encountered this issue previously, nor do I know the root cause of this SELinux alert. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Package selinux-policy-3.13.1-103.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-103.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-17044/selinux-policy-3.13.1-103.fc21
then log in and leave karma (feedback).
Description of problem: I don't know if logrotate should get access to /var/cache/dnf actually, but I regularly get a SELinux alert since some of the latest F21 updates (a few days ago). Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: triggered by cron Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Popped up all of a sudden! Firefox, Anjuta and file manager are opened! Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport
Description of problem: I just did write a job application letter in libreoffice writer, when the selinux message appeared. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.1-302.fc21.x86_64 type: libreport
I am wondering why we need an SELinux policy fix here. Should there be log files under /var/cache/dnf/* at all? Shouldn't the packaging policy mandate that log file be maintained in /var/log/* ?
(In reply to Subhendu Ghosh from comment #60)
> I am wondering why we need an SELinux policy fix here.
>
> Should there be log files under /var/cache/dnf/* at all?
>

I don't like it either.

> Shouldn't the packaging policy mandate that log file be maintained in
> /var/log/* ?

You can try to reopen BZ1149350. It was closed as not a bug.
It happened for me few days ago, and now with updated 'selinux-policy'

type=AVC msg=audit(1418834043.147:466): avc: denied { read } for pid=3519 comm="logrotate" name="dnf" dev="dm-1" ino=2628754 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0

selinux-policy-3.13.1-103.fc21.noarch

Do I need just to relabel /var/cache/dnf? (restorecon...)
Description of problem:
Newly installed Fedora 21, no special config at all. It feels like a default policy isn't correctly configured and may be corrected to don't give new users "strange" messages.

[root@ynos ~]# rpm -qa dnf*
dnf-plugins-core-0.1.4-1.fc21.noarch
dnf-0.6.3-2.fc21.noarch
[root@ynos ~]#

[root@ynos ~]# cat /etc/logrotate.d/dnf
/var/log/dnf.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.rpm.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.plugin.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux ynos.lagren.com 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-17 21:27:02 CET
Last Seen                     2014-12-17 21:27:02 CET
Local ID                      925aa451-506e-4416-88df-8fa5987e0ff0

Raw Audit Messages
type=AVC msg=audit(1418848022.525:452): avc: denied { read } for pid=3048 comm="logrotate" name="dnf" dev="dm-1" ino=667428 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

/Tomas

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport
Description of problem: (Not sure how to reproduce this. Came up with the log rotate action.) Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
selinux-policy-3.13.1-103.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem: logrotate runs regularly in the cron. It needs access to various files and directories to clean up old logs. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport
Description of problem: This happens after a "dnf update" operation. Not sure if SElinux should allow this interaction. Please review. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I have no idea, what caused this, the notification just appeared out of nowhere. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Program executed automatically as I was away from my console. But this has never happened before. I recently upgraded from F20 -> F21. Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Selinux denials in my happy little Fedora 21 world. Looks to be logrotate that misses something wrt. dnf Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Fixed with latest updates. Thank you.
Description of problem: I upgraded from F20 using fedup and --product=nonproduct and used a bit dnf while in Fedora 20 (never used it in F21) This logrotate is configured by the distribution, so I believe that this SELinux error should not happen. (I see it almost everyday) Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
restorecon -R -v /var/cache Should clear it up.
Description of problem: It just popped up. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I'm unaware of the trigger, this mostly pops up after a few minutes logging into the system. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Logrotate runs in the cron. It will also trigger on reboot (anacron). Therefore you'll see the warning shortly after boot/login.

You can run it manually using:

sudo logrotate -f /etc/logrotate.conf -d

That should trigger your warning. If it doesn't trigger, try without -d:

sudo logrotate -f /etc/logrotate.conf

and, as Daniel said, try:

restorecon -R -v /var/cache

then try logrotate again.
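The thread contains two different denials that look alike: the original one, where /var/cache/dnf carries its default type rpm_var_cache_t and the policy lacked a rule (fixed by the selinux-policy update), and the later one, where the directory is labeled var_t and restorecon is the fix. The following added example, which is not part of the original thread or of any SELinux tool, parses both quoted AVC records and tells the cases apart; the function names and the EXPECTED_TYPE table are illustrative.

```python
import re

# Raw AVC records quoted in this thread: the original report, and the one
# seen after updating to selinux-policy-3.13.1-103.fc21.
AVC_ORIGINAL = (
    'type=AVC msg=audit(1415762581.835:2453): avc: denied { read } for pid=11897 '
    'comm="logrotate" name="dnf" dev="sda3" ino=281376 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0'
)
AVC_AFTER_UPDATE = (
    'type=AVC msg=audit(1418834043.147:466): avc: denied { read } for pid=3519 '
    'comm="logrotate" name="dnf" dev="dm-1" ino=2628754 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0'
)

# Default type for the directory, as stated by the restorecon plugin output
# quoted in the thread. On a live system matchpathcon(8) reports it.
EXPECTED_TYPE = {"/var/cache/dnf": "rpm_var_cache_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level itself may contain ':'."""
    user, role, type_, level = (ctx.split(":", 3) + [""])[:4]
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for other audit records."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group(2))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": match.group(1).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "enforced": fields.get("permissive") == "0",
    }


def triage(record, path, expected=EXPECTED_TYPE):
    """Classify a denial on `path` (the AVC record only carries the name).

    'relabel' : the object does not carry its default type; restorecon applies.
    'policy'  : the label is the default one, so the policy lacks a rule for
                this access; relabeling changes nothing, update the policy.
    'unknown' : no default type recorded for this path.
    """
    want = expected.get(path)
    if want is None:
        return "unknown"
    return "policy" if record["target"]["type"] == want else "relabel"


if __name__ == "__main__":
    for line in (AVC_ORIGINAL, AVC_AFTER_UPDATE):
        rec = parse_avc(line)
        print(rec["comm"], rec["perms"], rec["target"]["type"],
              "->", triage(rec, "/var/cache/dnf"))
```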
Description of problem: No action on my behalf triggered this bug, it's a default fedora cron execution. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport
Description of problem: I assume logrotate started as a scheduled task in the background. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: Upgrade to Fedora 21 from Fedora 20 and SELinux will complain that logrotate attempts to access files in /var/cache/dnf. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: AVC happened likely when updating. However, the policy appears broken. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I have no idea how this problem happened; I was just browsing in Mozilla and the error notice appeared. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport
Ran sudo restorecon -R -v /var/cache. Then, sudo logrotate -f /etc/logrotate.conf -d with or without -d did not produce the problem. Appears to be fixed now. Thank you all.
Description of problem: This problem occurred after an upgrade to Fedora 21 After the upgrade is not possible to update or uninstall applications Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686+PAE type: libreport
Description of problem: Login to gnome Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Description of problem: I don't know. Am running a yumex update right now and it happens to be working on selinux policy targeted Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport
Please reopen the bug.
It happened to me again with
selinux-policy-3.13.1-103.fc21.noarch
kernel-3.17.7-300.fc21.x86_64
logrotate-3.8.7-4.fc21.x86_64

-----------------------------------
SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

*****  Plugin restorecon (94.8 confidence) suggests  ************************

If you want to fix the label.
/var/cache/dnf default label should be rpm_var_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/cache/dnf

*****  Plugin catchall_labels (5.21 confidence) suggests  *******************

If you want to allow logrotate to have read access on the dnf directory
Then you need to change the label on /var/cache/dnf
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/dnf'
where FILE_TYPE is one of the following:
ccs_var_log_t, ccs_var_run_t, cert_t, certmaster_var_log_t, certmaster_var_run_t, certmonger_var_run_t, cfengine_log_t, cgred_log_t, cgred_var_run_t, cgroup_t, checkpc_log_t, chronyd_unit_file_t, chronyd_var_log_t, chronyd_var_run_t, cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_log_t, cinder_scheduler_unit_file_t, cinder_var_run_t, cinder_volume_unit_file_t, clogd_var_run_t, cloud_init_unit_file_t, cloud_log_t, cluster_unit_file_t, cluster_var_log_t, cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t, cobbler_var_log_t, cockpit_unit_file_t, collectd_unit_file_t, collectd_var_run_t, colord_unit_file_t, comsat_var_run_t, condor_log_t, condor_unit_file_t, condor_var_run_t, conman_log_t, conman_unit_file_t, conman_var_run_t, consolekit_log_t, consolekit_unit_file_t, consolekit_var_run_t, couchdb_log_t, couchdb_unit_file_t, couchdb_var_run_t, courier_var_run_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_log_t, cron_var_run_t, crond_unit_file_t, crond_var_run_t, ctdbd_log_t, ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_log_t, cupsd_lpd_var_run_t, cupsd_unit_file_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_log_t, cyphesis_var_run_t, cyrus_var_run_t, dbskkd_var_run_t, dbusd_etc_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t, dcerpcd_var_run_t, ddclient_log_t, ddclient_var_run_t, deltacloudd_log_t, deltacloudd_var_run_t, denyhosts_var_log_t, device_t, devicekit_var_log_t, devicekit_var_run_t, dhcpc_var_run_t, dhcpd_unit_file_t, dhcpd_var_run_t, dictd_var_run_t, dirsrv_snmp_var_log_t, dirsrv_snmp_var_run_t, dirsrv_var_log_t, dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_log_t, dlm_controld_var_run_t, dnsmasq_unit_file_t, dnsmasq_var_log_t, dnsmasq_var_run_t, dnssec_trigger_var_run_t, docker_log_t, docker_unit_file_t, docker_var_run_t, dovecot_var_log_t, dovecot_var_run_t, dspam_log_t, dspam_var_run_t, entropyd_var_run_t, etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_log_t, evtchnd_var_run_t, exim_log_t, 
exim_var_run_t, fail2ban_log_t, fail2ban_var_run_t, faillog_t, fcoemon_var_run_t, fenced_var_log_t, fenced_var_run_t, fetchmail_log_t, fetchmail_var_run_t, file_context_t, fingerd_log_t, fingerd_var_run_t, firewalld_unit_file_t, firewalld_var_log_t, firewalld_var_run_t, foghorn_var_log_t, foghorn_var_run_t, fonts_cache_t, fonts_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_bmc_watchdog_var_run_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmidetectd_var_run_t, freeipmi_ipmiseld_unit_file_t, freeipmi_ipmiseld_var_run_t, fsadm_log_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_unit_file_t, ftpd_var_run_t, games_srv_var_run_t, gdomap_var_run_t, gear_log_t, gear_unit_file_t, gear_var_run_t, getty_log_t, getty_unit_file_t, getty_var_run_t, gfs_controld_var_log_t, gfs_controld_var_run_t, glance_api_unit_file_t, glance_log_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, glance_var_run_t, glusterd_log_t, glusterd_var_run_t, gpm_var_run_t, gpsd_var_run_t, greylist_milter_data_t, groupd_var_log_t, groupd_var_run_t, gssproxy_unit_file_t, gssproxy_var_run_t, haproxy_unit_file_t, haproxy_var_log_t, haproxy_var_run_t, httpd_config_t, httpd_log_t, httpd_sys_rw_content_t, httpd_unit_file_t, httpd_var_run_t, hwdata_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, icecast_log_t, icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t, inetd_log_t, inetd_var_run_t, init_var_run_t, initrc_var_log_t, initrc_var_run_t, innd_log_t, innd_var_run_t, insmod_var_run_t, iodined_unit_file_t, ipa_otpd_unit_file_t, ipsec_log_t, ipsec_mgmt_unit_file_t, ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_unit_file_t, iptables_var_run_t, irqbalance_var_run_t, iscsi_log_t, iscsi_unit_file_t, iscsi_var_run_t, isnsd_var_run_t, iwhd_log_t, iwhd_var_run_t, jetty_log_t, jetty_var_run_t, jockey_var_log_t, kadmind_log_t, kadmind_var_run_t, kdump_unit_file_t, keepalived_unit_file_t, keepalived_var_run_t, keystone_log_t, keystone_unit_file_t, keystone_var_run_t, kismet_log_t, kismet_var_run_t, 
klogd_var_run_t, kmscon_unit_file_t, krb5kdc_log_t, krb5kdc_var_run_t, ksmtuned_log_t, ksmtuned_unit_file_t, ksmtuned_var_run_t, ktalkd_log_t, ktalkd_unit_file_t, l2tpd_var_run_t, lastlog_t, lib_t, lircd_var_run_t, lldpad_var_run_t, locale_t, locate_var_run_t, logrotate_tmp_t, logrotate_var_lib_t, logwatch_var_run_t, lpd_var_run_t, lsassd_var_run_t, lsmd_unit_file_t, lsmd_var_run_t, lvm_unit_file_t, lvm_var_run_t, lwiod_var_run_t, lwregd_var_run_t, lwsmd_var_run_t, mailman_log_t, mailman_var_run_t, man_cache_t, man_t, mcelog_log_t, mcelog_var_run_t, mdadm_unit_file_t, mdadm_var_run_t, memcached_var_run_t, minidlna_log_t, minidlna_var_run_t, minissdpd_var_run_t, mip6d_unit_file_t, mirrormanager_log_t, mirrormanager_var_run_t, mock_var_run_t, modemmanager_unit_file_t, mon_statd_var_run_t, mongod_log_t, mongod_var_run_t, motion_log_t, motion_unit_file_t, motion_var_run_t, mount_var_run_t, mpd_log_t, mpd_var_run_t, mrtg_log_t, mrtg_var_run_t, mscan_var_run_t, munin_etc_t, munin_log_t, munin_var_run_t, mysqld_etc_t, mysqld_log_t, mysqld_unit_file_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, mythtv_var_log_t, naemon_log_t, naemon_var_run_t, nagios_log_t, nagios_var_run_t, named_cache_t, named_log_t, named_unit_file_t, named_var_run_t, net_conf_t, netlabel_mgmt_unit_file_t, netlogond_var_run_t, neutron_log_t, neutron_unit_file_t, neutron_var_run_t, nfsd_unit_file_t, ninfod_run_t, ninfod_unit_file_t, nis_unit_file_t, nmbd_var_run_t, nova_ajax_unit_file_t, nova_api_unit_file_t, nova_cert_unit_file_t, nova_compute_unit_file_t, nova_conductor_unit_file_t, nova_console_unit_file_t, nova_direct_unit_file_t, nova_log_t, nova_network_unit_file_t, nova_objectstore_unit_file_t, nova_scheduler_unit_file_t, nova_var_run_t, nova_vncproxy_unit_file_t, nova_volume_unit_file_t, nrpe_var_run_t, nscd_log_t, nscd_unit_file_t, nscd_var_run_t, nsd_var_run_t, nslcd_var_run_t, ntop_var_run_t, ntpd_log_t, ntpd_unit_file_t, ntpd_var_run_t, numad_unit_file_t, numad_var_log_t, numad_var_run_t, 
nut_unit_file_t, nut_var_run_t, nx_server_var_run_t, oddjob_unit_file_t, oddjob_var_run_t, openct_var_run_t, openhpid_var_run_t, openshift_log_t, openshift_var_lib_t, openshift_var_run_t, opensm_log_t, opensm_unit_file_t, openvpn_status_t, openvpn_var_log_t, openvpn_var_run_t, openvswitch_log_t, openvswitch_unit_file_t, openvswitch_var_run_t, openwsman_log_t, openwsman_run_t, openwsman_unit_file_t, osad_log_t, osad_var_run_t, pads_var_run_t, pam_var_console_t, pam_var_run_t, passenger_log_t, passenger_var_run_t, pcp_log_t, pcp_var_run_t, pcscd_var_run_t, pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, pesign_unit_file_t, pesign_var_run_t, phc2sys_unit_file_t, piranha_fos_var_run_t, piranha_log_t, piranha_lvs_var_run_t, piranha_pulse_var_run_t, piranha_web_var_run_t, pkcs_slotd_var_run_t, pki_ra_log_t, pki_ra_var_run_t, pki_tomcat_log_t, pki_tomcat_unit_file_t, pki_tomcat_var_run_t, pki_tps_log_t, pki_tps_var_run_t, plymouthd_var_log_t, plymouthd_var_run_t, policykit_var_run_t, polipo_log_t, polipo_pid_t, polipo_unit_file_t, portmap_var_run_t, portreserve_var_run_t, postfix_postdrop_t, postfix_var_run_t, postgresql_log_t, postgresql_var_run_t, postgrey_var_run_t, power_unit_file_t, pppd_log_t, pppd_unit_file_t, pppd_var_run_t, pptp_log_t, pptp_var_run_t, prelink_log_t, prelude_audisp_var_run_t, prelude_lml_var_run_t, prelude_log_t, prelude_var_run_t, privoxy_log_t, privoxy_var_run_t, proc_t, procmail_log_t, prosody_unit_file_t, prosody_var_run_t, psad_var_log_t, psad_var_run_t, ptal_var_run_t, ptp4l_unit_file_t, pulseaudio_var_run_t, puppet_log_t, puppet_var_run_t, pwauth_var_run_t, pyicqt_log_t, pyicqt_var_run_t, qdiskd_var_log_t, qdiskd_var_run_t, qemu_var_run_t, qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_unit_file_t, rabbitmq_var_log_t, rabbitmq_var_run_t, radiusd_log_t, radiusd_unit_file_t, radiusd_var_run_t, radvd_var_run_t, rasdaemon_unit_file_t, rdisc_unit_file_t, readahead_var_run_t, redis_log_t, redis_unit_file_t, redis_var_run_t, 
regex_milter_data_t, restorecond_var_run_t, rhev_agentd_log_t, rhev_agentd_unit_file_t, rhev_agentd_var_run_t, rhnsd_unit_file_t, rhnsd_var_run_t, rhsmcertd_log_t, rhsmcertd_var_run_t, ricci_modcluster_var_log_t, ricci_modcluster_var_run_t, ricci_var_log_t, ricci_var_run_t, rlogind_var_run_t, rngd_unit_file_t, rngd_var_run_t, rolekit_unit_file_t, root_t, roundup_var_run_t, rpcbind_var_run_t, rpcd_unit_file_t, rpcd_var_run_t, rpm_log_t, rpm_var_cache_t, rpm_var_run_t, rsync_log_t, rsync_var_run_t, rtas_errd_log_t, rtas_errd_unit_file_t, rtas_errd_var_run_t, samba_etc_t, samba_log_t, samba_unit_file_t, sanlock_log_t, sanlock_unit_file_t, sanlock_var_run_t, saslauthd_var_run_t, sblim_var_run_t, screen_var_run_t, sectool_var_log_t, security_t, sendmail_log_t, sendmail_var_run_t, sensord_log_t, sensord_unit_file_t, sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t, shell_exec_t, shorewall_log_t, slapd_log_t, slapd_unit_file_t, slapd_var_run_t, slpd_log_t, slpd_var_run_t, smbd_var_run_t, smokeping_var_run_t, smsd_log_t, smsd_var_run_t, snapperd_log_t, snmpd_log_t, snmpd_var_run_t, snort_log_t, snort_var_run_t, sosreport_var_run_t, soundd_var_run_t, spamass_milter_data_t, spamd_log_t, spamd_var_run_t, speech-dispatcher_log_t, speech-dispatcher_unit_file_t, squid_log_t, squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sshd_var_run_t, sssd_public_t, sssd_unit_file_t, sssd_var_log_t, sssd_var_run_t, stapserver_log_t, stapserver_var_run_t, stunnel_var_run_t, svnserve_unit_file_t, svnserve_var_run_t, swat_var_run_t, swift_unit_file_t, swift_var_run_t, sysfs_t, syslogd_var_run_t, sysstat_log_t, system_conf_t, system_cronjob_var_run_t, system_db_t, system_dbusd_var_run_t, systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, systemd_networkd_unit_file_t, systemd_networkd_var_run_t, systemd_passwd_var_run_t, systemd_runtime_unit_file_t, systemd_unit_file_t, 
systemd_vconsole_unit_file_t, telnetd_var_run_t, textrel_shlib_t, tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_var_run_t, thin_log_t, thin_var_run_t, timemaster_unit_file_t, timemaster_var_run_t, tmp_t, tomcat_log_t, tomcat_unit_file_t, tomcat_var_run_t, tor_unit_file_t, tor_var_log_t, tor_var_run_t, tuned_log_t, tuned_var_run_t, udev_var_run_t, ulogd_var_log_t, uml_switch_var_run_t, usbmuxd_unit_file_t, usbmuxd_var_run_t, user_home_dir_t, useradd_var_run_t, usr_t, uucpd_log_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, varnishd_var_run_t, varnishlog_log_t, varnishlog_var_run_t, vdagent_log_t, vdagent_var_run_t, vhostmd_var_run_t, virt_cache_t, virt_log_t, virt_lxc_var_run_t, virt_qemu_ga_log_t, virt_qemu_ga_var_run_t, virt_var_run_t, virtd_unit_file_t, vmtools_unit_file_t, vmware_host_pid_t, vmware_log_t, vmware_pid_t, vnstatd_var_run_t, vpnc_var_run_t, watchdog_log_t, watchdog_var_run_t, wdmd_var_run_t, winbind_log_t, winbind_var_run_t, wtmp_t, xdm_log_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_log_t, xend_var_run_t, xenstored_var_log_t, xenstored_var_run_t, xferlog_t, xserver_log_t, xserver_var_run_t, ypbind_unit_file_t, ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_log_t, zabbix_var_run_t, zarafa_deliver_log_t, zarafa_deliver_var_run_t, zarafa_gateway_log_t, zarafa_gateway_var_run_t, zarafa_ical_log_t, zarafa_ical_var_run_t, zarafa_indexer_log_t, zarafa_indexer_var_run_t, zarafa_monitor_log_t, zarafa_monitor_var_run_t, zarafa_server_log_t, zarafa_server_var_run_t, zarafa_spooler_log_t, zarafa_spooler_var_run_t, zebra_log_t, zebra_unit_file_t, zebra_var_run_t, zoneminder_log_t, zoneminder_unit_file_t, zoneminder_var_run_t. 
Then execute: restorecon -v '/var/cache/dnf' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that logrotate should be allowed read access on the dnf directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep logrotate /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:var_t:s0 Target Objects /var/cache/dnf [ dir ] Source logrotate Source Path logrotate Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-103.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64 Alert Count 5 First Seen 2014-12-19 20:06:01 CET Last Seen 2014-12-23 11:09:02 CET Local ID 17c3f239-ca34-43a5-bf7b-007759398fbf Raw Audit Messages type=AVC msg=audit(1419329342.120:781): avc: denied { read } for pid=8142 comm="logrotate" name="dnf" dev="sda6" ino=1181107 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0 Hash: logrotate,logrotate_t,var_t,dir,read
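An added example (not part of the original reports and not setroubleshoot's own code): it parses the raw AVC records quoted in this thread, groups them under a key shaped like the `Hash:` line, and separates denials caused by a wrong label on the target from denials that need a policy rule. The function names and the `EXPECTED_TYPE` map are assumptions for illustration; the default type for `/var/cache/dnf` is the one the restorecon plugin output above states.

```python
import re

# Raw AVC records quoted in the reports in this thread (one per reporter).
THREAD_AVCS = [
    'type=AVC msg=audit(1415762581.835:2453): avc: denied { read } for pid=11897 comm="logrotate" name="dnf" dev="sda3" ino=281376 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1418382361.816:491): avc: denied { read } for pid=6456 comm="logrotate" name="dnf" dev="dm-0" ino=13252 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1419329342.120:781): avc: denied { read } for pid=8142 comm="logrotate" name="dnf" dev="sda6" ino=1181107 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0',
]

# Assumption for this example: default type per directory name, taken from the
# restorecon plugin output. On a real host it comes from the file-context database.
EXPECTED_TYPE = {'dnf': 'rpm_var_cache_t'}

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec = {'result': m.group(1), 'perms': tuple(m.group(2).split()),
           'comm': fields.get('comm'), 'name': fields.get('name'),
           'tclass': fields.get('tclass')}
    # A context is user:role:type:level; the level may itself contain colons
    # (s0-s0:c0.c1023), so split at most three times and take the third field.
    for key, out in (('scontext', 'stype'), ('tcontext', 'ttype')):
        parts = fields.get(key, '').split(':', 3)
        rec[out] = parts[2] if len(parts) >= 3 else None
    return rec


def hash_key(rec):
    """comm,source type,target type,class,permissions (shape of the Hash: line)."""
    parts = [rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], *rec['perms']]
    return ','.join(p or '?' for p in parts)


def triage(lines, expected=EXPECTED_TYPE):
    """Group denials and decide whether each group is a labeling or a policy issue."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        g = groups.setdefault(hash_key(rec), {'count': 0})
        g['count'] += 1
        want = expected.get(rec['name'])
        if want and rec['ttype'] != want:
            g['action'] = 'relabel'  # target carries the wrong type: restorecon
            g['detail'] = '%s -> %s' % (rec['ttype'], want)
        else:
            g['action'] = 'policy'   # label is right: the policy lacks a rule
            g['detail'] = 'allow %s %s:%s { %s };' % (
                rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))
    return groups


if __name__ == '__main__':
    for key, info in triage(THREAD_AVCS).items():
        print(key, info)
```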
The fix has not made it into a Fedora 21 package yet. Lucas, can you get d4d825f5a15b46014f482ce7fede179b10af92e1, b955f9ec993f38d61dc42048d61ad425f7ea230a and 50113238bb5a4fb13fd9f7559b348203dc7327ea backported into f21?
Lucas, also add a restorecon -R -v /var/cache/dnf to the post install script.
Description of problem: I ran `touch /.autorelable` then rebooted several hours before this error happened. The machine was left unattended for some time after the reboot, but auto-login is enabled. Error was displayed on the lock screen when I returned to the machine. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
SELinux is no longer preventing logrotate from read access on the directory /var/cache/dnf after I enabled repo updates-testing and updated selinux-policy-3.13.1-103.fc21. Now when I manually start logrotate, the output is as follows: rotating pattern: /var/cache/dnf/*/*/hawkey.log forced from command line (4 rotations) empty log files are not rotated, old logs are removed considering log /var/cache/dnf/x86_64/21/hawkey.log log needs rotating rotating log /var/cache/dnf/x86_64/21/hawkey.log, log->rotateCount is 4 dateext suffix '-20141229' glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]' glob finding old rotated logs failed fscreate context set to system_u:object_r:rpm_var_cache_t:s0 renaming /var/cache/dnf/x86_64/21/hawkey.log to /var/cache/dnf/x86_64/21/hawkey.log-20141229 creating new /var/cache/dnf/x86_64/21/hawkey.log mode = 0600 uid = 0 gid = 0 I haven't seen any other issues with this testing SELinux update package yet.
Description of problem: Apparently when trying to open a .log file Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Today I got warnings from the logrotate execution: error: error opening /var/cache/dnf/x86_64/21/hawkey.log: Permission denied The configuration says "yearly", so I guess that is why I haven't got the message until today. However, I don't see any AVCs logged at the time. And DAC allows everyone to read the file. Could there be something dontaudited that confuses things? This is with selinux-policy-targeted-3.13.1-103.fc21 plus a local module that does allow logrotate_t rpm_var_cache_t:dir read; I'll experiment a bit and see if I can figure out what I need to add to my local policy, but the absence of reported AVCs makes it a bit more complicated.
Why is hawkey.log under /var/cache/dnf? Shouldn't this be in /var/log?
That was my initial reaction too, but Jan Silhan explained why it is the way it is in bug 1149350, comment 1.
dnf log files should be in /var/log/dnf/
Should I report the logs in the wrong place as a separate bug? If they need to be separate they can be in /var/log/dnf/{subdir} and the subdir can be based on time, PID, whatever is needful. I see the reason they are separated, but they still could be in the right place. And if /var/log/dnf must be a file, then /var/log/dnf-whatever directory could be used. People do things to preserve /var/log and shouldn't have to take special care with /var/lib just because someone wanted to put a log there.
(In reply to Bill Davidsen from comment #97) > Should I report the logs in the wrong place as a separate bug? No need yet, I'm reassigning this bug to my team for further evaluation.
In case anyone more than me wants log rotation right now, I believe these SELinux rules are enough. Probably they allow too much. But it's just an interim solution anyway, until we have a permanent solution.
rw_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
rename_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
create_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
setattr_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
I changed hawkey C API to accept custom path to log file so dnf will set it as `/var/log/hawkey.log`. PR here: https://github.com/rpm-software-management/hawkey/pull/77
*** Bug 1175434 has been marked as a duplicate of this bug. ***
Description of problem: From a basic Workstation install with updates, it looks like this happened the next time logrotate ran after those updates. It looks like dnf keeps a hawkey.log file in /var/cache/dnf and logrotate is trying to rotate it. Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport
Sorry for delay. I added fixes to F21.
*** Bug 1178003 has been marked as a duplicate of this bug. ***
Could someone close this bug? I cannot see this bug anymore.