Bug 1473255 - Logrotate cannot access candlepin logs [NEEDINFO]
Status: VERIFIED
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Candlepin
6.3.0
Unspecified Unspecified
urgent Severity high
: 6.2.15
: --
Assigned To: Alex Wood
Lukas Pramuk
: Triaged
Depends On: 1473346
Reported: 2017-07-20 06:37 EDT by Lukas Pramuk
Modified: 2017-12-20 16:02 EST
Fixed In Version: candlepin-2.0.39-1
: 1473346
Type: Bug
lpramuk: needinfo? (mmccune)


Description Lukas Pramuk 2017-07-20 06:37:34 EDT
Description of problem:
Logrotate cannot access candlepin logs due to SELinux denials

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Have a Satellite running on rhel7.4
2. # audit2allow -a


#============= logrotate_t ==============
allow logrotate_t candlepin_var_log_t:file getattr;


# grep avc: /var/log/audit/audit.log
type=AVC msg=audit(1500281521.410:1851): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/audit.log" dev="dm-0" ino=671118656 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file
type=AVC msg=audit(1500281521.410:1852): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/candlepin.log" dev="dm-0" ino=671118654 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file
type=AVC msg=audit(1500281521.410:1853): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-0" ino=671118655 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file
type=AVC msg=audit(1500281521.413:1854): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/audit.log" dev="dm-0" ino=671118656 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file
type=AVC msg=audit(1500281521.413:1855): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/candlepin.log" dev="dm-0" ino=671118654 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file
type=AVC msg=audit(1500281521.413:1856): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/error.log" dev="dm-0" ino=671118655 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file

Actual results:
logrotate cannot access candlepin logs due to SELinux denials

Expected results:
no SELinux denials
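
Added example, not part of the original report: a Python parser that groups AVC denial records like the ones above by source type, target type and object class, so the rule audit2allow proposes can be traced back to the affected paths. The first two sample lines are copied from the report, the third is constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# First two lines are AVC records from the report above; the third is a
# constructed non-AVC line that the parser must skip.
SAMPLE = [
    'type=AVC msg=audit(1500281521.410:1851): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/audit.log" dev="dm-0" ino=671118656 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1500281521.410:1852): avc:  denied  { getattr } for  pid=25345 comm="logrotate" path="/var/log/candlepin/candlepin.log" dev="dm-0" ino=671118654 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:candlepin_var_log_t:s0 tclass=file',
    'type=USER_START msg=audit(0.000:0): constructed non-AVC record',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        # A context is user:role:type:level; the level itself may contain ':'.
        return {"perms": m.group(1).split(),
                "source": f["scontext"].split(":")[2],
                "target": f["tcontext"].split(":")[2],
                "tclass": f["tclass"],
                "path": f.get("path", f.get("name", "?"))}
    except (KeyError, IndexError):
        return None


def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "count": 0})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["paths"].add(rec["path"])
        g["count"] += 1
    return dict(groups)


def as_rules(groups):
    """Render each group in the allow-rule form audit2allow prints."""
    out = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {text};")
    return out
```

Under enforcing mode a process typically stops at the first refused operation, so the permission set derived from such records can be incomplete.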
Comment 2 Barnaby Court 2017-07-20 09:34:06 EDT
Lukas, What version of candlepin and candlepin-selinux were you running when you saw this problem?
Comment 3 Lukas Pramuk 2017-07-21 05:39:07 EDT
Version-Release number of selected component (if applicable):
@satellite-6.3.0-16.0.beta.el7sat.noarch
candlepin-2.0.37-1.el7.noarch
candlepin-selinux-2.0.37-1.el7.noarch

on RHEL-7.4-20170630.1
Comment 4 Alex Wood 2017-07-24 15:45:18 EDT
Lukas,

Can you post the output for `sestatus`?  I'm having trouble reproducing this.  I'm running under the "targeted" policy and I want to make sure what I'm doing squares with what you are doing.
Comment 5 Peter Ondrejka 2017-07-25 03:59:20 EDT
Hi Alex,

It occurs after fresh satellite install on rhel 7.4

~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Hope this helps
Comment 6 Alex Wood 2017-07-25 11:33:07 EDT
commit ccf99e3502b56e782caf38cbc9ee043a0ec16248
Author: Alex Wood <awood@redhat.com>
Date:   Mon Jul 24 16:23:53 2017 -0400

    1473255: Fix SELinux error when logrotate runs on candlepin logs
Comment 7 Peter Ondrejka 2017-07-28 04:35:37 EDT
Please note that this also needs to be pulled to Satellite 6.2 where it also occurs, just FYI
Comment 8 Michael Stead 2017-07-28 08:55:34 EDT
Peter, yes, there are separate bugs created to get this into candlepin-0.9.54.x. We will be sure to get the fix into all appropriate candlepin versions.

Thanks for the note, and the reminder! :)
Comment 9 Brad Buckingham 2017-08-08 16:08:19 EDT
Moving to ON_QA since latest Satellite 6.3 snap includes candlepin-2.0.40-1.el7.noarch.
Comment 10 Lukas Pramuk 2017-08-11 04:29:26 EDT
VERIFIED.

@satellite-6.3.0-16.0.beta.el7sat.noarch
candlepin-selinux-2.0.40-1.el7.noarch


# audit2allow -a
<empty>

>>> no selinux denials
