
Bug 1379998

Summary: SELinux is preventing /usr/bin/perl from search access on the directory logcheck.
Product: Red Hat Enterprise Linux 7
Reporter: Brian J. Murrell <brian>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: urgent
Priority: unspecified
Version: 7.2
CC: brian, herrold, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: x86_64
OS: Linux
Last Closed: 2017-10-12 12:17:17 UTC
Type: Bug

Description Brian J. Murrell 2016-09-28 12:14:07 UTC
SELinux is preventing /usr/bin/perl from search access on the directory logcheck.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed search access on the logcheck directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep 7370616D64206368696C64 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:spamd_t:s0
Target Context                system_u:object_r:logwatch_cache_t:s0
Target Objects                logcheck [ dir ]
Source                        7370616D64206368696C64
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           perl-5.16.3-286.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18
                              19:05:49 UTC 2016 x86_64 x86_64
Alert Count                   32
First Seen                    2016-09-27 12:16:58 EDT
Last Seen                     2016-09-28 04:09:19 EDT
Local ID                      429f02c1-0582-4e1b-bb49-bb7994c594e0

Raw Audit Messages
type=AVC msg=audit(1475050159.42:7562): avc:  denied  { search } for  pid=5842 comm=7370616D64206368696C64 name="logcheck" dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir


type=SYSCALL msg=audit(1475050159.42:7562): arch=x86_64 syscall=stat success=no exit=EACCES a0=364da80 a1=1aac138 a2=1aac138 a3=1 items=0 ppid=8770 pid=5842 auid=4294967295 uid=0 gid=0 euid=993 suid=0 fsuid=993 egid=991 sgid=0 fsgid=991 tty=(none) ses=4294967295 comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)

Hash: 7370616D64206368696C64,spamd_t,logwatch_cache_t,dir,search

Comment 2 Milos Malik 2016-09-29 07:30:10 UTC
Could you collect the SELinux denials and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

The "-i" parameter is important because ausearch can translate "comm=7370616D64206368696C64" to something human readable.

Comment 3 Brian J. Murrell 2016-09-29 12:19:07 UTC
I have removed the "-ts today" from the ausearch line so that I could find the one that is in the message in Comment #1.  I did that because I have installed a (temporary) local policy since filing this bug so that denials don't cause the program to fail.

----
type=SYSCALL msg=audit(28/09/16 04:09:19.042:7562) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x364da80 a1=0x1aac138 a2=0x1aac138 a3=0x1 items=0 ppid=8770 pid=5842 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(28/09/16 04:09:19.042:7562) : avc:  denied  { search } for  pid=5842 comm=spamd child name=logcheck dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir 
----

Comment 4 Brian J. Murrell 2016-09-29 12:36:08 UTC
Of course, once I make a local exception for one AVC another pops up:

SELinux is preventing /usr/bin/perl from getattr access on the directory /var/lib/logcheck.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that perl should be allowed getattr access on the logcheck directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep 7370616D64206368696C64 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:spamd_t:s0
Target Context                system_u:object_r:logwatch_cache_t:s0
Target Objects                /var/lib/logcheck [ dir ]
Source                        7370616D64206368696C64
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           perl-5.16.3-286.el7.x86_64
Target RPM Packages           logcheck-1.3.15-2.el7.noarch
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca
                              3.10.0-327.28.3.el7.x86_64 #1 SMP Thu Aug 18
                              19:05:49 UTC 2016 x86_64 x86_64
Alert Count                   34
First Seen                    2016-09-28 12:10:12 EDT
Last Seen                     2016-09-29 08:09:21 EDT
Local ID                      1a399aeb-26a9-4270-b8b3-fee2802c0571

Raw Audit Messages
type=AVC msg=audit(1475150961.45:12651): avc:  denied  { getattr } for  pid=4087 comm=7370616D64206368696C64 path="/var/lib/logcheck" dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir


type=SYSCALL msg=audit(1475150961.45:12651): arch=x86_64 syscall=stat success=no exit=EACCES a0=3668810 a1=16b1138 a2=16b1138 a3=0 items=0 ppid=4083 pid=4087 auid=4294967295 uid=0 gid=0 euid=993 suid=0 fsuid=993 egid=991 sgid=0 fsgid=991 tty=(none) ses=4294967295 comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)

Hash: 7370616D64206368696C64,spamd_t,logwatch_cache_t,dir,getattr

From ausearch:

type=SYSCALL msg=audit(29/09/16 08:09:21.045:12651) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x3668810 a1=0x16b1138 a2=0x16b1138 a3=0x0 items=0 ppid=4083 pid=4087 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(29/09/16 08:09:21.045:12651) : avc:  denied  { getattr } for  pid=4087 comm=spamd child path=/var/lib/logcheck dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir 

This one also looks related:

type=SYSCALL msg=audit(29/09/16 08:09:20.347:12648) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x5969d60 a1=0755 a2=0x7f1f80387edc a3=0x0 items=0 ppid=4083 pid=4087 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(29/09/16 08:09:20.347:12648) : avc:  denied  { write } for  pid=4087 comm=spamd child name=logcheck dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir

Comment 6 Brian J. Murrell 2016-09-30 11:45:07 UTC
Some more alerts:

----
type=SYSCALL msg=audit(30/09/16 04:09:12.303:16319) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x6b479a0 a1=0700 a2=0x7f36e75e7edc a3=0x0 items=0 ppid=8742 pid=8746 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(30/09/16 04:09:12.303:16319) : avc:  denied  { add_name } for  pid=8746 comm=spamd child name=.spamassassin scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(30/09/16 04:09:11.694:16318) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x65e5fc0 a1=0755 a2=0x7f36e75e7edc a3=0x0 items=0 ppid=8742 pid=8746 auid=unset uid=root gid=root euid=logcheck suid=root fsuid=logcheck egid=logcheck sgid=root fsgid=logcheck tty=(none) ses=unset comm=spamd child exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(30/09/16 04:09:11.694:16318) : avc:  denied  { add_name } for  pid=8746 comm=spamd child name=.razor scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
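The fix sealert suggests in Comment 1 (grep the hex comm string, pipe into `audit2allow -M mypol`, `semodule -i mypol.pp`) and the `ausearch -i` decoding Milos asks for in Comment 2 both hide what actually happens to these denials. The following is an added example, not code from the bug, from Red Hat, or from audit2allow itself: a small Python re-implementation of the two steps, which parses raw `type=AVC` lines as they appear in /var/log/audit/audit.log, undoes the hex encoding audit applies to string fields containing spaces (which is why `comm=spamd child` shows up as `7370616D64206368696C64`), groups the denied permissions by (source type, target type, class), and emits the policy module source a `mypol.te` would contain. The function names, the `HEX_FIELDS` set and the sample lines are this example's own; the samples are constructed from the four denials quoted in this bug, with epoch timestamps filled in for the two the page only shows in ausearch's human-readable form.

```python
"""Minimal audit2allow-style aggregation of SELinux AVC denials.

Added example for this bug report; not Red Hat's, the reporter's or
audit2allow's code.  Parses raw AVC records, decodes hex-encoded fields
the way `ausearch -i` does, and builds the .te source `audit2allow -M`
would generate for them.
"""
import re
from collections import defaultdict

# Constructed sample: the four denials from this bug as they look in the
# raw audit log (comm= is hex because "spamd child" contains a space).
# The SYSCALL record at the end is there to show it is skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(1475050159.42:7562): avc:  denied  { search } for  pid=5842 comm=7370616D64206368696C64 name="logcheck" dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
type=AVC msg=audit(1475150961.45:12651): avc:  denied  { getattr } for  pid=4087 comm=7370616D64206368696C64 path="/var/lib/logcheck" dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
type=AVC msg=audit(1475150960.347:12648): avc:  denied  { write } for  pid=4087 comm=7370616D64206368696C64 name="logcheck" dev="dm-7" ino=186 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
type=AVC msg=audit(1475222952.303:16319): avc:  denied  { add_name } for  pid=8746 comm=7370616D64206368696C64 name=".spamassassin" scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:logwatch_cache_t:s0 tclass=dir
type=SYSCALL msg=audit(1475050159.42:7562): arch=x86_64 syscall=stat success=no exit=EACCES comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Only string-valued fields are ever hex-encoded by the kernel; numeric
# fields such as pid=5842 must not be decoded even though they look hex.
HEX_FIELDS = {"comm", "name", "path", "exe", "cwd", "proctitle"}


def decode_field(key, raw):
    """Strip quotes, or undo audit's hex encoding for string fields."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and HEX_RE.match(raw) and len(raw) % 2 == 0:
        try:
            return bytes.fromhex(raw).decode("ascii")
        except ValueError:  # UnicodeDecodeError is a ValueError
            return raw
    return raw


def parse_avc(line):
    """Return {'perms': [...], 'scontext': ..., ...} for a type=AVC line, else None."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {"perms": m.group("perms").split()}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        avc[key] = decode_field(key, raw)
    return avc


def context_type(ctx):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def aggregate(text):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
        rules[key].update(avc["perms"])
    return rules


def build_te(rules, name="mypol"):
    """Render the aggregated rules as a loadable-module .te source."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te(aggregate(SAMPLE_AVCS)))
```

Run stand-alone it prints a module with a single rule, `allow spamd_t logwatch_cache_t:dir { add_name getattr search write };`, which is exactly the shape of what `audit2allow -M mypol` writes to mypol.te; the real tool is then followed by `checkmodule -M -m -o mypol.mod mypol.te`, `semodule_package -o mypol.pp -m mypol.mod` and `semodule -i mypol.pp`, as the Red Hat guide linked in Comment 8 describes. Two things worth checking before loading such a module. First, every denial on this page hits the same object (dev dm-7, inode 186, /var/lib/logcheck) and the mkdir syscalls are for `.spamassassin` and `.razor`, i.e. a spamd child running with euid=logcheck is treating /var/lib/logcheck as a home directory; the rule above grants spamd_t write and add_name on everything labelled logwatch_cache_t, which is broader than that. Second, a mkdir also needs `create` on the new directory's own label, so a module built only from the denials seen so far will be followed by further AVCs once loaded, which is the "allow one, another pops up" cycle the reporter describes in Comment 4; iterate until the log is quiet in permissive mode rather than loading one rule at a time in enforcing mode.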

Comment 8 Lukas Vrabec 2017-10-12 12:17:17 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 9 Lukas Vrabec 2017-10-12 12:20:31 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.