Description of problem:
Another part of my setroubleshoot log.

SELinux is preventing tmpwatch (tmpreaper_t) "read" to (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages:
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 3
First Seen: Fri 12 October 2007, 10:45:45 CEST
Last Seen: Tue 16 October 2007, 11:28:52 CEST
Local ID: 2eddd4bc-5c9b-463b-81f2-341990ecfd43
Line Numbers:

Raw Audit Messages:
avc: denied { read } for comm=tmpwatch dev=sda2 name=kismet pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0

----------------------------------------------------

SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: /var/log [ dir ]
Affected RPM Packages: tmpwatch-2.9.11-1 [application] filesystem-2.4.11-1.fc8 [target]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 5
First Seen: Thu 11 October 2007, 20:19:38 CEST
Last Seen: Tue 16 October 2007, 11:28:52 CEST
Local ID: bdc377b3-3f56-427e-91c6-598954a23c68
Line Numbers:

Raw Audit Messages:
avc: denied { getattr } for comm=tmpwatch dev=sda2 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/var/log pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

----------------------------------------------------

SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "setattr" to (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: tmpwatch-2.9.11-1 [application]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 4
First Seen: Thu 11 October 2007, 20:19:38 CEST
Last Seen: Tue 16 October 2007, 11:28:52 CEST
Local ID: 1a80e5cd-ac19-4430-b851-837ee5b21ab0
Line Numbers:

Raw Audit Messages:
avc: denied { setattr } for comm=tmpwatch dev=sda2 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=kismet pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

----------------------------------------------------

Summary
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "search" to (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: None [ dir ]
Affected RPM Packages: tmpwatch-2.9.11-1 [application]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-5.fc8 #1 SMP Wed Oct 10 19:25:16 EDT 2007 x86_64 x86_64
Alert Count: 3
First Seen: Fri 12 October 2007, 10:45:45 CEST
Last Seen: Mon 15 October 2007, 10:42:47 CEST
Local ID: 6e07d6fc-aecb-4d0c-99ed-136ace7e5c6d
Line Numbers:

Raw Audit Messages:
avc: denied { search } for comm=tmpwatch dev=sda2 egid=0 euid=0 exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=log pid=20441 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0 subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

----------------------------------------------------

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Why is tmpreaper reading /var/log? Is this normal behavior?
Hi. With Tomas Mraz we have probably concluded it might eventually be the result of the package 'kismet', though I'm not sure, as I'm not yet skilled enough in selinux; I'm just reporting the policy errors I can see.
How come this is using tmpwatch and not logwatch to watch log files?
[I assume you mean 'logrotate' rather than 'logwatch'.] kismet creates a new logfile set per session; rotating does not make sense there because it would only rename the files but would not clean them up.
In that case why not /var/run/kismet? We can add a label to the directory that kismet creates the log files in to allow tmpreaper to remove them. But I want to make sure that is the right thing to do. I would also like to get policy on kismet period. Especially since it claims to be a security package and it is potentially vulnerable to random network packets that it is collecting.
Hmm, as I can see now in today's log, I got that one again; however, now I'm not sure what I was running at this time :( But it is possible it is somehow connected with 'yum update'. btw my yum.log-20071015 has the time 10:36. Here is the message:

SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).

Source Context: system_u:system_r:tmpreaper_t:s0
Target Context: system_u:object_r:var_log_t:s0
Target Objects: /var/log [ dir ]
Affected RPM Packages: filesystem-2.4.11-1.fc8 [target]
Policy RPM: selinux-policy-3.0.8-22.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall_file
Host Name: dhcp-lab-228.englab.brq.redhat.com
Platform: Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count: 1
First Seen: Thu 18 October 2007, 10:22:18 CEST
Last Seen: Thu 18 October 2007, 10:22:18 CEST
Local ID: cfae21d2-8501-475a-b24c-a42f28ac70b0
Line Numbers:

Raw Audit Messages:
avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=4260 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0

btw I've some more messages for my vmware running with my localhost nfs. I'll make another report.
kismet creates logfiles which might be for interest after a reboot (which empties /var/run). Hence, /var/log/kismet seems to be a perfect choice for the logs. There should not be much difference for SELinux: just put the named label to /var/log/kismet instead of /var/run/kismet.
Ok, I added kismet policy. It will need some work. Please test it out and report back the avc's.

selinux-policy-3.0.8-25
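When reporting the avc's back, it helps to collapse them into the rule they amount to, which is what audit2allow does. The script below is an added example, not code from this bug, from tmpwatch, kismet or selinux-policy; the SAMPLE_AVCS text is constructed from the raw audit messages quoted above, trimmed to the fields that matter. It parses each "avc: denied" line, keys it on (source type, target type, object class) and prints the allow rule that would silence all of them, plus the objects that were touched. Note two things the output makes visible: the alerts all say "Enforcing Mode: Permissive", so nothing was actually blocked and tmpwatch did get into /var/log/kismet; and the generated rule would let tmpreaper_t traverse every var_log_t directory, not only kismet's, which is why the fix in this thread is a dedicated label for the kismet log directory rather than loading this rule as-is.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in this bug, condensed to the
# fields needed for triage (the full records also carry uid/exe/etc.).
SAMPLE_AVCS = """\
avc: denied { read } for comm=tmpwatch dev=sda2 name=kismet pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0
avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0
avc: denied { setattr } for comm=tmpwatch dev=sda2 name=kismet pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0
avc: denied { search } for comm=tmpwatch dev=sda2 name=log pid=20441 scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir tcontext=system_u:object_r:var_log_t:s0
"""

# "{ perm perm ... }" is the permission set; everything after "for" is key=value pairs.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")


def _sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial line into a dict, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": _sel_type(fields["scontext"]),
        "target": _sel_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # path= is present when the kernel could resolve it; otherwise only name=.
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(text):
    """Group denials by (source type, target type, class).

    Returns (rules, objects): rules maps the key to the sorted union of denied
    permissions, objects maps it to the sorted paths/names that were hit.
    """
    rules = defaultdict(set)
    objects = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        rules[key].update(rec["perms"])
        if rec["object"]:
            objects[key].add(rec["object"])
    return ({k: sorted(v) for k, v in rules.items()},
            {k: sorted(v) for k, v in objects.items()})


def allow_rules(text):
    """Render the grouped denials as policy allow rules (what audit2allow prints)."""
    rules, _ = summarize(text)
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]


if __name__ == "__main__":
    rules, objects = summarize(SAMPLE_AVCS)
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for key, objs in objects.items():
        print(f"# {key[0]} -> {key[1]} ({key[2]}): touched {', '.join(objs)}")
```

Feed it real records with `ausearch -m avc -ts recent | python3 this_script.py` after changing `SAMPLE_AVCS` to `sys.stdin.read()`; the grouping is the same. The object list is the useful part for this bug: seeing `kismet` and `/var/log` together tells you the access is a traversal into one subdirectory, so the narrow fix is to label that subdirectory with a kismet-specific type that tmpreaper_t is allowed to manage, not to open var_log_t.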