Bug 236855 - LSPP: aide can't write its log file
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: aide
Version: 5.0
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Steve Conklin
Tom Kincaid
Blocks: RHEL5LSPPCertTracker
Reported: 2007-04-17 20:47 EDT by George C. Wilson
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2007-0539
Doc Type: Bug Fix
Last Closed: 2007-09-04 10:03:02 EDT


Attachments
Adds /var/log/aide to spec file. (671 bytes, patch)
2007-04-17 21:08 EDT, George C. Wilson
Sets aide log file path to /var/log/aide/aide.log (324 bytes, patch)
2007-04-17 21:10 EDT, George C. Wilson
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts (626 bytes, patch)
2007-04-17 21:12 EDT, George C. Wilson
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts (1.10 KB, patch)
2007-04-18 09:22 EDT, George C. Wilson


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0539 normal SHIPPED_LIVE Moderate: aide security update 2007-09-04 10:02:57 EDT

Description George C. Wilson 2007-04-17 20:47:24 EDT
Description of problem:

The aide utility cannot write /var/log/aide.log. It attempts to create it at
SystemHigh. But it causes a constraint violation because /var/log/ is
ranged. It either needs an MLS override or its own SystemHigh /var/log/aide
directory. After discussion, the latter solution seems preferable.

Version-Release number of selected component (if applicable):

aide-0.12-8.el5

How reproducible:

run aide --init

Steps to Reproduce:
1. Install the LSPP evaluated configuration
2. run aide --init
3. See the message complaining that aide cannot open /var/log/aide.log
4. audit2why < /var/log/audit/audit.log
5. See that it is a constraint violation
  
Actual results:

Couldn't open file /var/lib/aide/aide.db.new.gz for writing

Expected results:

aide should initialize its database and write its log file without complaint.

Additional info:
Comment 1 George C. Wilson 2007-04-17 21:08:05 EDT
Created attachment 152866
Adds /var/log/aide to spec file.

LSPP-specific aide configuration seems to be done outside the build tree. This
patch is directly against SPECS/aide.spec. Built but not tested.
Comment 2 George C. Wilson 2007-04-17 21:10:12 EDT
Created attachment 152867
Sets aide log file path to /var/log/aide/aide.log

LSPP-specific aide configuration seems to be done outside the build tree. This
patch is directly against SOURCES/aide.conf. Built but not tested.
Comment 3 George C. Wilson 2007-04-17 21:12:00 EDT
Created attachment 152868
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts

Built but not tested.
Comment 5 George C. Wilson 2007-04-18 09:22:11 EDT
Created attachment 152901
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts

Tested previous patch and updated it. aide requires additional TE perms as
well. aide with the above 2 patches seems to work well with this patch.
Comment 6 Steve Grubb 2007-04-18 17:53:57 EDT
aide-0.12-9 was built. I think we still need selinux-policy package built.
Comment 7 Daniel Walsh 2007-04-18 22:35:59 EDT
Fixed in selinux-policy-2.4.6-60
Comment 8 Steve Grubb 2007-04-19 09:20:39 EDT
Ok, looks like we are ready for re-test. Thanks.
Comment 9 George C. Wilson 2007-04-19 16:26:32 EDT
Thanks for making the changes. The aide package looks OK. The -60 policy adds
the file contexts but not the additional TE perms in my 2nd attempt at the
patch. So I still have to add a module with allow aide_t aide_log_t:dir {
add_name write }; to permit aide to create its log file. I think we'll need that
allow rule or an interface that provides the same permissions.
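
An added example, not part of the original thread or of the aide or selinux-policy code: a small Python triage of AVC denials showing how the allow rule quoted in comment 9 can be derived from audit records. The sample records are constructed, MLS-style four-field contexts are assumed, and setting aside denials whose MLS labels differ is a heuristic assumption (an allow rule cannot satisfy an MLS constraint, so those go to audit2why instead).

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1177010000.101:411): avc:  denied  { write } for  pid=2917 comm="aide" name="aide" scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:aide_log_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1177010000.102:412): avc:  denied  { add_name } for  pid=2917 comm="aide" name="aide.log" scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:aide_log_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1177010000.102:412): arch=c000003e syscall=2 success=no exit=-13 comm="aide"
type=AVC msg=audit(1177010000.200:413): avc:  denied  { add_name } for  pid=2917 comm="aide" name="aide.log" scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s0-s15:c0.c1023 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def split_context(context):
    """Return (type, mls_label); the MLS label itself may contain colons."""
    _user, _role, setype, mls = context.split(":", 3)
    return setype, mls

def parse_denials(log_text):
    """Yield (source_type, target_type, class, perms, same_level) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other non-AVC records
        stype, slevel = split_context(m["scon"])
        ttype, tlevel = split_context(m["tcon"])
        yield stype, ttype, m["tclass"], m["perms"].split(), slevel == tlevel

def candidate_allow_rules(log_text):
    """Merge denials with matching MLS labels into one allow rule per triple."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perms, same_level in parse_denials(log_text):
        if same_level:  # heuristic: differing labels are left for audit2why
            grouped[(stype, ttype, tclass)].update(perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def needs_audit2why(log_text):
    """Triples whose source and target MLS labels differ (possible constraint)."""
    return sorted({(s, t, c) for s, t, c, _p, same in parse_denials(log_text) if not same})

if __name__ == "__main__":
    print("\n".join(candidate_allow_rules(SAMPLE_LOG)))
    print("check with audit2why:", needs_audit2why(SAMPLE_LOG))
```
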
Comment 10 George C. Wilson 2007-04-20 20:12:52 EDT
This looks good with the 62 policy.
Comment 15 Red Hat Bugzilla 2007-09-04 10:03:02 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0539.html
