Bug 380331 - logwatch "disk space" can't access all mounted filesystems
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-13 11:27 EST by Bernd Bartmann
Modified: 2007-12-08 07:34 EST
Doc Type: Bug Fix
Last Closed: 2007-12-08 07:34:59 EST

Attachments:
testing script (4.96 KB, text/plain), 2007-11-16 06:49 EST, Ivana Varekova
audit.log file (1006.10 KB, text/plain), 2007-11-20 13:29 EST, Bernd Bartmann

Description Bernd Bartmann 2007-11-13 11:27:41 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.8.1.8) Gecko/20071030 Fedora/2.0.0.8-2.fc8 Firefox/2.0.0.8

Description of problem:
On my F8 system I get this message block in the emails from logwatch:

 --------------------- Disk Space Begin ------------------------ 

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda5              14G  6.3G  7.0G  48% /
 /dev/sda1             981M   46M  886M   5% /boot
 df: `/usr/src/vmware': Permission denied
 
 df: `/usr/src/vmware': Permission denied
 
 ---------------------- Disk Space End ------------------------- 

So there is a problem getting the disk space information for /usr/src/vmware, but every local user should be able to access /usr/src/vmware:

[bart@riker ~]$ ls -l /usr/src/
insgesamt 32
drwxr-xr-x  4 root root 4096 12. Nov 15:58 kernels
drwxr-xr-x  3 root root 4096  9. Nov 20:47 local
drwxr-xr-x  7 root root 4096  9. Nov 21:22 redhat
drwxr-xr-x 12 bart bart 4096 15. Apr 2007  vmware



Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. no idea
2.
3.

Actual Results:


Expected Results:


Additional info:
Comment 1 Ivana Varekova 2007-11-15 09:49:16 EST
Could you please attach here the result of command:
df -h -l -x tmpfs
Comment 2 Bernd Bartmann 2007-11-15 15:26:48 EST
[root@riker ~]# df -h -l -x tmpfs
Dateisystem          Größe Benut  Verf Ben% Eingehängt auf
/dev/sda5              14G  6,3G  6,9G  48% /
/dev/sda1             981M   46M  886M   5% /boot
/dev/sda7              69G   51G   15G  78% /usr/src/vmware
Comment 3 Ivana Varekova 2007-11-16 06:49:33 EST
Created attachment 261041 [details]
testing script

Could you please substitute your file
/usr/share/logwatch/scripts/services/zz-disk_space
with the attached one, and put here the output of the command:
logwatch --print --service zz-disk_space
Comment 4 Bernd Bartmann 2007-11-16 13:31:45 EST
Looks much better with your new script:


 ################### Logwatch 7.3.6 (05/19/07) #################### 
        Processing Initiated: Fri Nov 16 19:31:08 2007
        Date Range Processed: yesterday
                              ( 2007-Nov-15 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: riker.ncc1701d
  ################################################################## 
 
 --------------------- Disk Space Begin ------------------------ 

 the used command is: df -h -l -x tmpfs
  
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda5              14G  6.3G  6.9G  48% /
 /dev/sda1             981M   46M  886M   5% /boot
 /dev/sda7              69G   51G   15G  78% /usr/src/vmware
 
  finished 
 
 ---------------------- Disk Space End ------------------------- 

 
 ###################### Logwatch End ######################### 
Comment 5 Bernd Bartmann 2007-11-16 14:32:35 EST
Hmm, running from anacron it still doesn't work: 

--------------------- Disk Space Begin ------------------------ 

 the used command is: df -h -l -x tmpfs
  
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda5              14G  6.3G  6.9G  48% /
 /dev/sda1             981M   46M  886M   5% /boot
 df: `/usr/src/vmware': Permission denied
 
  finished 
 df: `/usr/src/vmware': Permission denied
 
 ---------------------- Disk Space End ------------------------- 
Comment 6 Marcela Mašláňová 2007-11-19 06:52:35 EST
Hello,
do you have selinux targeted? Please try to run anacron with setenforce 0 and
let me know.
Regards,
Marcela (anacron maintainer)
Comment 7 Bernd Bartmann 2007-11-19 11:54:27 EST
Yes, selinux targeted is set to enforcing mode by default. After setenforce 0
everything is ok:

--------------------- Disk Space Begin ------------------------ 

 the used command is: df -h -l -x tmpfs
  
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda5              14G  6.3G  7.0G  48% /
 /dev/sda1             981M   46M  886M   5% /boot
 /dev/sda7              69G   51G   15G  78% /usr/src/vmware
 
  finished 
 
 ---------------------- Disk Space End ------------------------- 

I checked yesterdays logs, but there is no message from selinux indicating there
is a problem during the anacron run.
Comment 8 Ivana Varekova 2007-11-20 03:12:12 EST
This seems to be a selinux-policy problem - reassign to selinux.
Comment 9 Daniel Walsh 2007-11-20 06:47:42 EST
Fixed in selinux-policy-3.0.8-59.fc8

If you execute 
# semodule -DB

You can get all of the AVC Messages that are being dontaudited.

You will probably see one about logwatch searching src_t.

# semodule -B 
Will turn off dontaudits again.
Comment 10 Bernd Bartmann 2007-11-20 12:27:52 EST
Hmm, run 'semodule -DB' directly after power-on. This resulted in:


Nov 20 17:06:42 riker dbus: avc:  received policyload notice (seqno=3)
Nov 20 17:06:44 riker setroubleshoot: #012    SELinux hindert dbus-daemon
(system_dbusd_t) "name_bind" am Zugriff auf <Unknown> (hi_reserved_port_t).#012
    For complete SELinux messages. run sealert -l
f284566b-311b-422a-aa8a-4cf3f4a7502f
Nov 20 17:06:44 riker setroubleshoot: #012    SELinux hindert dbus-daemon
(system_dbusd_t) "name_bind" am Zugriff auf <Unknown> (hi_reserved_port_t).#012
    For complete SELinux messages. run sealert -l
f284566b-311b-422a-aa8a-4cf3f4a7502f
Nov 20 17:06:44 riker setroubleshoot: [program.ERROR] Can not handle AVC'S
related to dispatcher. exiting#012setroubleshoot
context=system_u:system_r:setroubleshootd_t:s0, AVC
scontext=system_u:system_r:setroubleshootd_t:s0
Nov 20 17:06:44 riker setroubleshoot: #012    SELinux hindert /bin/dbus-daemon
(system_dbusd_t) "name_bind" am Zugriff auf <Unknown> (hi_reserved_port_t).#012
    For complete SELinux messages. run sealert -l
f284566b-311b-422a-aa8a-4cf3f4a7502f

But I got no AVC message for logwatch. The disk space error is still there:

--------------------- Disk Space Begin ------------------------ 

 the used command is: df -h -l -x tmpfs
  
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda5              14G  6.3G  7.0G  48% /
 /dev/sda1             981M   46M  886M   5% /boot
 df: `/usr/src/vmware': Permission denied
 
  finished 
 df: `/usr/src/vmware': Permission denied
 
 ---------------------- Disk Space End ------------------------- 

Do I have to update to selinux-policy-3.0.8-59.fc8 just to see the messages?
Comment 11 Daniel Walsh 2007-11-20 13:14:50 EST
Nope, but could you look at /var/log/audit/audit.log? Setroubleshoot probably exited.
Comment 12 Bernd Bartmann 2007-11-20 13:29:46 EST
Created attachment 265181 [details]
audit.log file

I've attached my audit.log file for inspection. I don't see anything relevant
there. Why aren't the timestamps stored in a readable format? It's hard to
search for specific entries at a certain time.
Comment 13 Daniel Walsh 2007-11-20 13:42:16 EST
ausearch -m avc 

would extract all of the avc messages and format the time stamp.

type=AVC msg=audit(1195579341.191:244): avc:  denied  { search } for  pid=5327
comm="df" name="src" dev=sda5 ino=2192355
scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:src_t:s0
tclass=dir

is causing the failure

allow logwatch_t src_t:dir search;

If you added this rule, it should begin to work

# grep src_t /var/log/audit/audit.log | audit2allow -M mylogwatch
# semodule -i mylogwatch.pp
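
How the AVC record in comment 13 maps to the suggested allow rule, as an added Python example that is not part of the original thread and is not the ausearch or audit2allow implementation: it parses raw audit.log lines, converts the epoch timestamp to UTC, and derives the rule text. The function names and the SYSCALL sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AVC record from comment 13 joined onto one line,
# plus a made-up SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_LOG = (
    'type=AVC msg=audit(1195579341.191:244): avc:  denied  { search } for  '
    'pid=5327 comm="df" name="src" dev=sda5 ino=2192355 '
    'scontext=system_u:system_r:logwatch_t:s0 '
    'tcontext=system_u:object_r:src_t:s0 tclass=dir\n'
    'type=SYSCALL msg=audit(1195579341.191:244): success=no exit=-13 comm="df"\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def parse_denials(log_text):
    """Return one dict per AVC denial found in raw audit.log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        denials.append({
            "time": when.isoformat(),  # readable form of the epoch stamp
            "comm": m["comm"],
            # An SELinux context is user:role:type[:level]; rules use the type.
            "source": m["scon"].split(":")[2],
            "target": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
            "perms": m["perms"].split(),
        })
    return denials

def allow_rules(denials):
    """Merge denials per (source, target, class) into policy allow rules."""
    merged = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules
```

Reading the derived rule before loading a module shows exactly which domain gains which permission on which type; here it is only directory search on src_t for logwatch_t.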
Comment 14 Bernd Bartmann 2007-11-20 13:55:42 EST
Ok, then I'll just wait until selinux-policy-3.0.8-59.fc8 is available as an
update. I don't like creating special rules for my system. Everything should
just work with the default setup.
Comment 15 Bernd Bartmann 2007-12-08 07:34:59 EST
I'm now on selinux-policy-targeted-3.0.8-62.fc8 and the problem is gone. Thanks!
