Bug 150983 - SELinux blocks mysql log rotation
SELinux blocks mysql log rotation
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
4.0
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-03-13 08:14 EST by Steve Snyder
Modified: 2007-11-30 17:07 EST (History)
3 users (show)

See Also:
Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-15 11:59:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Steve Snyder 2005-03-13 08:14:18 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20050227 Fedora/1.7.5-4.icc

Description of problem:
Sunday morning I reveived an e-mail indicating a logrotate failure,
but no indication of which log file(s) failed to rotate.  Then I found
this at the bottom of the previous week's system log:

Mar 13 03:04:36 nemesis kernel: audit(1110701076.354:0): avc:  denied
 { associate } for  pid=4774 exe=/usr/sbin/logrotate
name=logrotate.mT7HIX scontext=system_u:object_r:mysqld_log_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem

Note that I do not use mysql, so have done no configuration of it
beyond that which is done by simply installing it onto my system.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Didn't try

Steps to Reproduce:
1.Install RHEL with "[*] Everything" package selection.
2.Keep the default Targeted SELinux policy.
3.Wait until the following Sunday when the logs are rotated.
    

Actual Results:  SELinux refused to rotate the mysql log file.


Expected Results:  Assuming no breaking of security contexts, log
files should be rotated without SELinux prohibition.


Additional info:

# getfattr -n security.selinux /var/log/mysqld.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/mysqld.log
security.selinux="system_u:object_r:mysqld_log_t\000"

----------

# ll /var/log/mysqld.log
-rw-r-----  1 mysql mysql 0 Mar  6 07:55 /var/log/mysqld.log

----------

Also, since tmpfs is referenced, I should note that I have /tmp
mounted on a tmpfs file system.  Excerpt from my /etc/fstab:

  none  /tmp  tmpfs  defaults,noatime    0 0

All other log files were rotated correctly, so it seems that having
/tmp on tmpfs is not intrinsically problematic.

----------
Comment 1 Frank Ch. Eigler 2005-03-19 21:31:05 EST
Adding these directives to my domains/misc/local.te file, then
reloading the generated policy, allows logrotate to run.  I'm
pretty sure it's not quite right, but may work for you anyway.

allow logrotate_t tmpfs_t:filesystem { associate };
allow var_log_t tmpfs_t:filesystem { associate };
allow var_t tmpfs_t:filesystem { associate };
Comment 2 Stephen Smalley 2005-03-22 07:47:55 EST
allow logfile tmpfs_t:filesystem associate; would allow all types marked with
the "logfile" attribute to be created in a tmpfs filesystem.
allow file_type tmpfs_t:filesystem associate; would allow all file types to be
created in a tmpfs filesystem.

What is less clear is why logrotate chooses to create in /tmp vs. creating
the temporary file in /var/log itself, as the latter approach would avoid this
problem as well as avoiding the typical risks associated with using files in
/tmp (due to the fact that any process can create files, including malicious
symlinks, there).
Comment 3 Daniel Walsh 2005-03-22 08:16:05 EST
I will add this to policy, but it looks like the requirement for this has been
removed from Rawhide.  logrotate-3.7.1-9 is no longer using a script in /tmp.

Peter are we looking at this for an update release?
Comment 4 Peter Vrabec 2005-03-22 10:38:21 EST
(In reply to comment #3)
> I will add this to policy, but it looks like the requirement for this has been
> removed from Rawhide.  logrotate-3.7.1-9 is no longer using a script in /tmp.
> 
> Peter are we looking at this for an update release?

Do u mean logrotate update for RHEL? I think is good to add this policy into RHEL.
Logrotate will stay using /tmp in RHEL. 
Comment 5 Steve Snyder 2005-04-17 07:53:51 EDT
An update to my original report.  I've been using RHEL4 with targeted-policy for
a month now, and applied all updates as they were released.  In my original
report I stated that I hadn't tried to reproduce the problem.

Every week I get an e-mail reporting logrotation errors, and every week I find
the messages below (except for the date, of course) at the bottom of
/var/log/messages.1.

Apr 17 03:04:04 nemesis kernel: audit(1113721444.679:0): avc:  denied  { setgid
} for  pid=13380 exe=/usr/bin/python capability=6
scontext=system_u:system_r:mailman_mail_t
tcontext=system_u:system_r:mailman_mail_t tclass=capability
Apr 17 03:04:04 nemesis kernel: audit(1113721444.836:0): avc:  denied  {
associate } for  pid=13378 exe=/usr/sbin/logrotate name=logrotate.HH3tfF
scontext=system_u:object_r:mysqld_log_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem

I do not use either mailman or mysql, so this behavior comes from the default
configurations as installed by the relevant RPMs.
Comment 6 Daniel Walsh 2005-05-12 15:23:19 EDT
Can you change your fstab entry to 

none  /tmp    tmpfs   defaults,noatime,fscontext=system_u:object_r:tmp_t 0 0
Comment 7 Steve Snyder 2005-05-12 19:36:56 EDT
That actually makes the situation worse.  In my original report I note that a
service I don't actually use can't have it's (empty) log rotated.  Your proposed
change prohibits me from making use of software that I do use.

After remounting, I tried to use the Pine mail client and was told that the mail
folder was in use and would be accessed in read-only mode.  Hmmmm...  Looking at
the system log I see this:

May 12 19:22:36 nemesis kernel: audit(1115940156.284:0): avc:  denied  {
associate } for  pid=26203 exe=/usr/bin/pine name=.301.47636
scontext=root:object_r:tmp_t tcontext=system_u:object_r:tmp_t tclass=filesystem
May 12 19:22:36 nemesis pine: Mailbox lock file /tmp/.301.47636 open failure:
Permission denied

Pine is just the first program I tried.  Gaining the ability to rotate mysql.log
files (assuming that this is now possible) at the expense of some/all programs
that create temporary files on /tmp seems like a very poor trade-off.
Comment 8 Daniel Walsh 2005-05-18 14:15:40 EDT
Which policy are you now running.  I have this running in my environment without
any problems.

Dan
Comment 9 Steve Snyder 2005-05-19 06:33:01 EDT
I'm using the same policy as I selected on the initial installation: 

  SELINUX=enforcing
  SELINUXTYPE=targeted

I think SELinux is a serious pain in the ass, and I'm not sure I see the benefit
over traditional Unix permission-based security.  Nevertheless, having installed
it, I'm determine to make it work.  Fortunately my only ongoing problem is with
mysql, a service I don't use.

I don't know if this is helpful, but this is what is logged at boot time:

kernel: SELinux:  Initializing.
kernel: SELinux:  Starting in permissive mode
kernel: SELinux:  Registering netfilter hooks
kernel: SELinux:  Completing initialization.
kernel: SELinux:  Setting up existing superblocks.
kernel: SELinux: initialized (dev hda1, type ext3), uses xattr
kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
kernel: SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
kernel: SELinux: initialized (dev mqueue, type mqueue), not configured for labeling
kernel: SELinux: initialized (dev hugetlbfs, type hugetlbfs), not configured for
labeling
kernel: SELinux: initialized (dev devpts, type devpts), uses transition SIDs
kernel: SELinux: initialized (dev eventpollfs, type eventpollfs), uses
genfs_contexts
kernel: SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
kernel: SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
kernel: SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
kernel: SELinux: initialized (dev proc, type proc), uses genfs_contexts
kernel: SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
kernel: SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
kernel: SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
kernel: SELinux: initialized (dev hda3, type ext3), uses xattr
kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
kernel: SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
kernel: SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses
genfs_contexts
Comment 10 Daniel Walsh 2005-05-19 10:14:59 EDT
Please update to the policy and policycoreutils in 

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/u1/

Most of your problems will be fixed here.  

Dan
Comment 11 Aleksandar Milivojevic 2005-05-30 12:26:25 EDT
I've run into the same problem, and install updated policy and policycoreutils
packages:

selinux-policy-targeted-1.17.30-2.88
policycoreutils-1.18.1-4.3

I also placed this in /etc/rc.sysinit (as suggested in one of the comments in
bug report for /tmp on tmpfs):

[ -n "$SELINUX" ] && restorecon /tmp

However I'm still getting the same error when running logrotate:

kernel: audit(1117469227.472:0): avc:  denied  { associate } for  pid=2799
exe=/usr/sbin/logrotate name=logrotate.GYV05O scontext=system_u:object_r:var_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem

It seems that it is generated during the rotation of /var/account/pacct file.

# ls -Za /tmp
drwxrwxrwt  root     root     system_u:object_r:tmp_t          .
drwxr-xr-x  root     root     system_u:object_r:root_t         ..
drwxrwxrwt  root     root     user_u:object_r:tmp_t            .ICE-unix

# ls -Za /var/account /var/account
drwxr-xr-x  root     root     system_u:object_r:var_t          .
drwxr-xr-x  root     root     system_u:object_r:var_t          ..
-rw-------  root     root     system_u:object_r:var_t          pacct
-rw-------  root     root     system_u:object_r:var_t          pacct.1
-rw-------  root     root     root:object_r:var_t              pacct.2.gz
-rw-------  root     root     root:object_r:var_t              pacct.3.gz
-rw-------  root     root     root:object_r:var_t              pacct.4.gz
[ ... and so on ... ]

The pacct file gets rotated, however postrotate script fails.  This is what gets
printed when running logrotate -vf /etc/logrotate.conf:

running postrotate script
error creating /tmp/logrotate.y93Js1: Permission denied
error: error running postrotate script

I'm using patched /etc/logrotate.d/psacct, as described in one of logrotate's
bug reports (if I remember correctly, the change is commited into CVS, so I
guess it should also be part of U1 or U2):

/var/account/pacct {
    compress
    delaycompress
    notifempty
    daily
    rotate 365
    create 0600 root root
    postrotate
        /usr/sbin/accton /var/account/pacct
    endscript
}

I found in one previous bug report regarding selinux and /tmp on tmpfs advice to
place "allow tmpfile tmpfs_t:filesystem associate;" in local.te and rebuild the
policy.  This helped to sort out some problem with previous version of policy,
but it doesn't seem to make any difference in this case.
Comment 12 Aleksandar Milivojevic 2005-05-30 15:51:19 EDT
Oh, I've just noticed, the output from "logrotate" command and kernel log are
from two different runs of logrotate.  I copy&pasted SELinux log from wrong
messages file.  I also have a line in messages file equivalent to the above
complaining about logrotate.y93Js1.
Comment 13 Daniel Walsh 2005-06-08 09:19:36 EDT
acct.te has been added to selinux-policy-targeted-1.23.18-1.

Note You need to log in before you can comment on or make changes to this bug.