Bug 1298523 - Missing SELinux context transition from logrotate to RabbitMQ
Missing SELinux context transition from logrotate to RabbitMQ
Status: CLOSED DUPLICATE of bug 1283134
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.2
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-14 05:35 EST by Robert Scheck
Modified: 2016-08-08 10:57 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-18 04:53:41 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2016-01-14 05:35:33 EST
Description of problem:
After installing the rabbitmq-server, the logrotate fails on RHEL 7 daily
with an e-mail like this:

--- snipp ---
Date: Wed, 13 Jan 2016 03:38:10 +0100 (CET)
From: Anacron <root@tux.example.net>
To: root@tux.example.net
Subject: Anacron job 'cron.daily' on tux.example.net
Message-Id: <20160113023810.77068405B3@tux.example.net>

/etc/cron.daily/logrotate:

su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
/usr/sbin/rabbitmqctl: line 44:  9328 Aborted                 su rabbitmq -s /bin/sh -c "/usr/lib/rabbitmq/bin/${SCRIPT} ${CMDLINE}"
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '
--- snapp ---

type=AVC msg=audit(1452737286.080:2916): avc:  denied  { create } for  pid=21548 comm="su" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1452737286.080:2916): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=21536 pid=21548 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=74 comm="su" exe="/usr/bin/su" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1452737286.080:2917): pid=21548 uid=0 auid=0 ses=74 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  can't open netlink socket: 13 (Permission denied)  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=ANOM_ABEND msg=audit(1452737286.081:2918): auid=0 uid=0 gid=0 ses=74 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 pid=21548 comm="su" reason="memory violation" sig=6

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-60.el7.noarch
rabbitmq-server-3.3.5-15.el7.noarch

How reproducible:
Everytime during logrotate, see above and below

Actual results:
Missing SELinux context transition from logrotate to RabbitMQ.

Expected results:
SELinux context transition from logrotate to RabbitMQ or some exception.

Additional info:
Above AVC denied messages where gathered while SELinux was enforced, it
seems like the rabbitmq-server is still working without impact (as far as
we can tell currently). Nevertheless the SELinux policy should address
this one or the other way for the future.
Comment 2 Robert Scheck 2016-01-14 05:37:22 EST
Cross-filed case 01566784 on the Red Hat customer portal.
Comment 3 Simon Sekidde 2016-01-14 11:25:43 EST
Robert, 

Are you able to provide the raw audit messages when in permissive mode? 

 logrotate -d -f /etc/logrotate.conf
Comment 4 Robert Scheck 2016-01-14 12:11:55 EST
Unfortunately '-d' avoids that anything is being done. I just tried '-f'
now, but this didn't bring any audit denied. Will check with my colleague
tomorrow how to reproduce in a non-production environment best :)
Comment 5 Milos Malik 2016-01-14 12:57:51 EST
I believe that's the same problem as described in BZ#1283134. Any logrotate script which runs su directly or indirectly will trigger such AVC.
Comment 6 Miroslav Grepl 2016-01-18 04:53:41 EST

*** This bug has been marked as a duplicate of bug 1283134 ***

Note You need to log in before you can comment on or make changes to this bug.