Bug 1480741 – selinux policy lacks svnserve_log_t, which breaks svnserve logging

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1480741 - selinux policy lacks svnserve_log_t, which breaks svnserve logging

Summary:	selinux policy lacks svnserve_log_t, which breaks svnserve logging

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-08-11 15:19 EDT by James Ralston
Modified:	2018-04-10 08:40 EDT (History)
CC List:	7 users (show)

See Also:
Fixed In Version:	selinux-policy-3.13.1-175.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-04-10 08:38:21 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	3169071	None	None	None	2017-08-31 13:08 EDT
Red Hat Product Errata	RHBA-2018:0763	None	None	None	2018-04-10 08:40 EDT

Groups: None (edit)

Description James Ralston 2017-08-11 15:19:22 EDT

Description of problem:

SELinux blocks attempts to have svnserve log to /var/log/svnserve/svnserve.log, because there is no svnserve_log_t type (or rules to apply that label to the filesystem), and the targeted policy does not permit svnserve to write to files with the generic var_log_t type.

For now, I have worked around this issue with:

$ semanage fcontext -a -t svnserve_var_run_t '/var/log/svnserve(/.*)?'
$ restorecon -FRv /var/log

But this is a kluge, and only works because svnserve_t is permitted to write to svnserve_var_run_t. There should be a separate svnserve_log_t file context for '/var/log/svnserve(/.*)?', and svnserve_t should be able to write to it.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.13.1-102.el7_3.4.noarch

How reproducible:

Add "--log-file /var/log/svnserve/svnserve.log" to OPTIONS in /etc/sysconfig/svnserve and restart svnserve.

Actual results:

svnserve will fail to start, emitting the following error:

svnserve: svn: E000013: Can't open file '/var/log/svnserve/svnserve.log': Permission denied

Expected results:

svnserve should start, opening the log file.

Comment 2 Milos Malik 2017-08-14 05:26:23 EDT

You're right, James.

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-166.el7.noarch
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-mls-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
# matchpathcon /var/log/svnserve
/var/log/svnserve	system_u:object_r:var_log_t:s0
# sesearch -s svnserve_t -t var_log_t -T

#

Comment 3 Milos Malik 2017-08-14 12:34:45 EDT

Following SELinux denial appears in enforcing mode when the /var/log/svnserve directory exists:
----
type=PROCTITLE msg=audit(08/14/2017 18:24:57.205:251) : proctitle=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /var/svn --log-file /var/log/svnserve/svnserve.log 
type=PATH msg=audit(08/14/2017 18:24:57.205:251) : item=0 name=/var/log/svnserve/ inode=625659 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=PARENT 
type=CWD msg=audit(08/14/2017 18:24:57.205:251) : cwd=/ 
type=SYSCALL msg=audit(08/14/2017 18:24:57.205:251) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x55aa1fb37698 a1=O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC a2=0666 a3=0x7ffd56f870d0 items=1 ppid=1 pid=12287 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null) 
type=AVC msg=audit(08/14/2017 18:24:57.205:251) : avc:  denied  { write } for  pid=12287 comm=svnserve name=svnserve dev="vda2" ino=625659 scontext=system_u:system_r:svnserve_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir permissive=0 
----

Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(08/14/2017 18:31:52.759:301) : proctitle=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid -r /var/svn --log-file /var/log/svnserve/svnserve.log 
type=PATH msg=audit(08/14/2017 18:31:52.759:301) : item=1 name=/var/log/svnserve/svnserve.log inode=630343 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=CREATE 
type=PATH msg=audit(08/14/2017 18:31:52.759:301) : item=0 name=/var/log/svnserve/ inode=625659 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=PARENT 
type=CWD msg=audit(08/14/2017 18:31:52.759:301) : cwd=/ 
type=SYSCALL msg=audit(08/14/2017 18:31:52.759:301) : arch=x86_64 syscall=open success=yes exit=3 a0=0x55c395898698 a1=O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC a2=0666 a3=0x7ffe3965e890 items=2 ppid=1 pid=18182 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=svnserve exe=/usr/bin/svnserve subj=system_u:system_r:svnserve_t:s0 key=(null) 
type=AVC msg=audit(08/14/2017 18:31:52.759:301) : avc:  denied  { open } for  pid=18182 comm=svnserve path=/var/log/svnserve/svnserve.log dev="vda2" ino=630343 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
type=AVC msg=audit(08/14/2017 18:31:52.759:301) : avc:  denied  { create } for  pid=18182 comm=svnserve name=svnserve.log scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
type=AVC msg=audit(08/14/2017 18:31:52.759:301) : avc:  denied  { add_name } for  pid=18182 comm=svnserve name=svnserve.log scontext=system_u:system_r:svnserve_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(08/14/2017 18:31:52.759:301) : avc:  denied  { write } for  pid=18182 comm=svnserve name=svnserve dev="vda2" ino=625659 scontext=system_u:system_r:svnserve_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir permissive=1 
----

Comment 8 errata-xmlrpc 2018-04-10 08:38:21 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.