Bug 1298523 - Missing SELinux context transition from logrotate to RabbitMQ
Summary: Missing SELinux context transition from logrotate to RabbitMQ
Keywords:
Status: CLOSED DUPLICATE of bug 1283134
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-01-14 10:35 UTC by Robert Scheck
Modified: 2019-12-16 05:17 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-18 09:53:41 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Robert Scheck 2016-01-14 10:35:33 UTC 
Description of problem:
After installing the rabbitmq-server, the logrotate fails on RHEL 7 daily
with an e-mail like this:

--- snipp ---
Date: Wed, 13 Jan 2016 03:38:10 +0100 (CET)
From: Anacron <root.net>
To: root.net
Subject: Anacron job 'cron.daily' on tux.example.net
Message-Id: <20160113023810.77068405B3.net>

/etc/cron.daily/logrotate:

su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
/usr/sbin/rabbitmqctl: line 44:  9328 Aborted                 su rabbitmq -s /bin/sh -c "/usr/lib/rabbitmq/bin/${SCRIPT} ${CMDLINE}"
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
--- snapp ---

type=AVC msg=audit(1452737286.080:2916): avc:  denied  { create } for  pid=21548 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1452737286.080:2916): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=21536 pid=21548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=74 comm="su" exe="/usr/bin/su" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1452737286.080:2917): pid=21548 uid=0 auid=0 ses=74 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  can't open netlink socket: 13 (Permission denied)  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=ANOM_ABEND msg=audit(1452737286.081:2918): auid=0 uid=0 gid=0 ses=74 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 pid=21548 comm="su" reason="memory violation" sig=6

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-60.el7.noarch
rabbitmq-server-3.3.5-15.el7.noarch

How reproducible:
Everytime during logrotate, see above and below

Actual results:
Missing SELinux context transition from logrotate to RabbitMQ.

Expected results:
SELinux context transition from logrotate to RabbitMQ or some exception.

Additional info:
Above AVC denied messages where gathered while SELinux was enforced, it
seems like the rabbitmq-server is still working without impact (as far as
we can tell currently). Nevertheless the SELinux policy should address
this one or the other way for the future.
Comment 2 Robert Scheck 2016-01-14 10:37:22 UTC 
Cross-filed case 01566784 on the Red Hat customer portal.
Comment 3 Simon Sekidde 2016-01-14 16:25:43 UTC 
Robert, 

Are you able to provide the raw audit messages when in permissive mode? 

 logrotate -d -f /etc/logrotate.conf
Comment 4 Robert Scheck 2016-01-14 17:11:55 UTC 
Unfortunately '-d' avoids that anything is being done. I just tried '-f'
now, but this didn't bring any audit denied. Will check with my colleague
tomorrow how to reproduce in a non-production environment best :)
Comment 5 Milos Malik 2016-01-14 17:57:51 UTC 
I believe that's the same problem as described in BZ#1283134. Any logrotate script which runs su directly or indirectly will trigger such AVC.
Comment 6 Miroslav Grepl 2016-01-18 09:53:41 UTC 

*** This bug has been marked as a duplicate of bug 1283134 ***
Note You need to log in before you can comment on or make changes to this bug.