First Last Prev Next    This bug is not in your last search results.
Bug 308981 - openvpn-status.log can't be made writable.
openvpn-status.log can't be made writable.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-27 09:36 EDT by Tomasz Torcz
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version: 48
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-06 11:41:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Tomasz Torcz 2007-09-27 09:36:07 EDT 
From SELinux Trobuleshoot:

#v+
Source Context:  	system_u:system_r:openvpn_t
Target Context:  	system_u:object_r:var_log_t
Target Objects:  	/var/log/openvpn-status.log [ file ]
Affected RPM Packages:  	openvpn-2.1-0.19.rc4.fc7 [application]
Policy RPM:  	selinux-policy-2.6.4-42.fc7
Selinux Enabled:  	True
Policy Type:  	targeted
MLS Enabled:  	True
Enforcing Mode:  	Permissive
Plugin Name:  	plugins.mislabeled_file
Host Name:  	s1.crocom.com.pl
Platform:  	Linux s1.crocom.com.pl 2.6.22.5-76.fc7 #1 SMP Thu Aug 30 13:08:59
EDT 2007 x86_64 x86_64
Alert Count:  	55
First Seen:  	Tue Jun 5 14:27:41 2007
Last Seen:  	Thu Sep 27 15:14:55 2007
Local ID:  	c4edc7dc-117d-403d-b953-9f42edab72e5
Line Numbers:  	

Raw Audit Messages :

avc: denied { write } for comm="openvpn" dev=sdb1 egid=99 euid=99
exe="/usr/sbin/openvpn" exit=20 fsgid=99 fsuid=99 gid=99 items=0
name="openvpn-status.log" path="/var/log/openvpn-status.log" pid=1896
scontext=system_u:system_r:openvpn_t:s0 sgid=99
subj=system_u:system_r:openvpn_t:s0 suid=99 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=99 
#v-

Recommended action is: You can attempt to fix file context by executing
restorecon -v /var/log/openvpn-status.log

But context do not change:
# restorecon -v /var/log/openvpn-status.log
# ls -lZ /var/log/openvpn-status.log
-rw-------  root root system_u:object_r:var_log_t      /var/log/openvpn-status.log
Comment 1 Daniel Walsh 2007-10-09 16:16:39 EDT 
Strange in rawhide these log files are being written to /var/log/openvpn/*
Which is labeled openvn_log_t which the domain can write to.

If you change the context of the log file to openvpn_log_t, it should work.

# semanage fcontext -a -t openvpn_log_t /var/log/openvpn-status.log
# restorecon /var/log/openvpn-status.log

Is this a standard openvpn package from fedora?

I will add context for this in selinux-policy-2.6.4-48.fc7
Comment 2 Tomasz Torcz 2007-10-31 11:00:17 EDT 
# LC_ALL=C semanage fcontext -a -t openvpn_log_t /var/log/openvpn-status.log
libsepol.context_from_record: type openvpn_log_t is not defined
libsepol.context_from_record: could not create context structure
libsemanage.validate_handler: invalid context system_u:object_r:openvpn_log_t:s0
specified for /var/log/openvpn-status.log [all files]
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not add file context for /var/log/openvpn-status.log

# rpm -q openvpn
openvpn-2.1-0.19.rc4.fc7

# rpm -q selinux-policy
selinux-policy-2.6.4-48.fc7
Comment 3 Daniel Walsh 2007-11-01 13:47:49 EDT 
Sorry my mistake.  Should have been openvpn_var_log_t

# semanage fcontext -a -t openvpn_var_log_t /var/log/openvpn-status.log
# restorecon /var/log/openvpn-status.log
Comment 4 Tomasz Torcz 2007-11-06 06:55:33 EST 
It works now. No emails from sealertd since yesterday. Thank you.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.