Bug 477860 - Wrong selinux label for xferlog and rpmpkgs gzipped files
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: logrotate
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Novotny
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-24 07:09 EST by Gianluca Varisco
Modified: 2015-10-25 21:06 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-03-31 08:31:23 EDT
Description Gianluca Varisco 2008-12-24 07:09:07 EST
Description of problem:

I executed sectool L3 tests and it reported these warnings:

+--------------------+
Warning: Mislabeled regular file '/var/log/xferlog-20081222.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:xferlog_t:s0'.

Warning: Mislabeled regular file '/var/log/xferlog-20081223.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:xferlog_t:s0'.

Warning: Mislabeled regular file '/var/log/xferlog-20081224.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:xferlog_t:s0'.

Warning: Mislabeled regular file '/var/log/rpmpkgs-20081221.gz' found. Labeled as 'system_u:object_r:var_log_t:s0', should be 'system_u:object_r:cron_log_t:s0'.
+--------------------+

Wouldn't it be better to have all these gzipped files (generated by logrotate) labeled as 'system_u:object_r:xferlog_t' (xferlog) and 'system_u:object_r:cron_log_t' (rpmpkgs)?


Version-Release number of selected component (if applicable):

selinux-policy-3.5.13-34.fc10.noarch
sectool-0.9.1-3.i386
Comment 1 Daniel Walsh 2008-12-27 06:59:38 EST
Actually the labeling might be wrong on these files, since the confined domains really should not be able to write to these compressed files any longer; they should be just labeled var_log_t. But then again, perhaps this would allow a confined domain to read these files where before they were not allowed. How do you get logrotate to create these compressed files?


We probably need to make logrotate SELinux aware to get the behaviour you suggest. It would need to call matchpathcon and find out the proper label of the file it is creating and then create the file with the right context.
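As an added example (not part of the bug report, sectool or logrotate), here is the check sectool performs in the description written out in Python: a small matchpathcon-style lookup over a constructed excerpt of file_contexts, run against a constructed `ls -Z` listing that reproduces the mislabeled rotated files. It assumes libselinux's rule that the last matching file_contexts entry wins (which is why the specific `/var/log/xferlog.*` entry overrides the generic `/var/log(/.*)?` one) and that entries carrying the `--` flag apply only to regular files. The FILE_CONTEXTS excerpt and the LISTING are constructed for the example, not captured from the reporter's system.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt in file_contexts(5) format. Paths and types are the ones
# named in the report; the generic /var/log entry comes before the specific
# xferlog/rpmpkgs entries, as in refpolicy.
FILE_CONTEXTS = """\
/var/log(/.*)?           system_u:object_r:var_log_t:s0
/var/log/xferlog.*  --   system_u:object_r:xferlog_t:s0
/var/log/rpmpkgs.*  --   system_u:object_r:cron_log_t:s0
"""

# Constructed `ls -Z`-style listing: the compressed copies created by logrotate
# inherited the generic var_log_t instead of the type the policy expects.
LISTING = """\
-rw-r-----  root  root  system_u:object_r:var_log_t:s0   /var/log/proftpd.log
-rw-r--r--  root  root  system_u:object_r:xferlog_t:s0   /var/log/xferlog
-rw-r--r--  root  root  system_u:object_r:var_log_t:s0   /var/log/xferlog-20081222.gz
-rw-r--r--  root  root  system_u:object_r:var_log_t:s0   /var/log/xferlog-20081223.gz
-rw-r--r--  root  root  system_u:object_r:var_log_t:s0   /var/log/xferlog-20081224.gz
-rw-r--r--  root  root  system_u:object_r:cron_log_t:s0  /var/log/rpmpkgs
-rw-r--r--  root  root  system_u:object_r:var_log_t:s0   /var/log/rpmpkgs-20081221.gz
"""

# file_contexts mode flag -> file type; an entry without a flag applies to all types.
MODE_FLAGS = {"--": "regular", "-d": "directory", "-l": "symlink",
              "-c": "char", "-b": "block", "-s": "socket", "-p": "fifo"}
# First character of an ls(1) mode string -> file type.
LS_TYPES = {"-": "regular", "d": "directory", "l": "symlink",
            "c": "char", "b": "block", "s": "socket", "p": "fifo"}


def parse_file_contexts(text: str) -> List[Tuple[re.Pattern, Optional[str], str]]:
    """Parse file_contexts lines into (anchored regex, file type or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, flag, ctx = fields
            ftype = MODE_FLAGS[flag]
        elif len(fields) == 2:
            path_re, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # libselinux anchors every regex at both ends; re.match anchors the start.
        specs.append((re.compile(path_re + "$"), ftype, ctx))
    return specs


def expected_context(specs, path: str, ftype: str = "regular") -> Optional[str]:
    """Return the context the policy assigns to `path`, or None if nothing matches.

    Assumption: when several entries match, the last one listed wins, so the
    specific /var/log/xferlog.* entry overrides the generic /var/log(/.*)? entry.
    """
    for regex, spec_type, ctx in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.match(path):
            return ctx
    return None


def find_mislabeled(specs, listing: str) -> List[Tuple[str, str, str]]:
    """Compare each listed file's actual label with the label the policy expects."""
    problems = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        mode, _owner, _group, actual, path = line.split()
        want = expected_context(specs, path, LS_TYPES[mode[0]])
        if want is not None and want != actual:
            problems.append((path, actual, want))
    return problems


def report(problems) -> List[str]:
    """Render findings in wording close to the sectool warnings quoted above."""
    return [f"Warning: Mislabeled file '{p}' found. Labeled as '{a}', should be '{w}'."
            for p, a, w in problems]


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    bad = find_mislabeled(specs, LISTING)
    for warning in report(bad):
        print(warning)
    # The fix on a real system is restorecon, which applies the same lookup.
    print("restorecon -v " + " ".join(p for p, _, _ in bad))
```

On a live system the same lookup is available as `matchpathcon /var/log/xferlog-20081222.gz`, and `restorecon -Rv /var/log` relabels whatever disagrees with the policy. The example only reports; it does not try to set contexts, which is the part logrotate itself would have to do (compute the label before creating the rotated file, then create it with that context) for the rotated copies to come out right without a later restorecon.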
Comment 2 Gianluca Varisco 2008-12-28 05:02:31 EST
(In reply to comment #1)
> Actually the labeling might be wrong on these files since the confined domains
> really should not be able to write to these compressed files any longer they
> should be just labeled var_log_t.  But then again perhaps this would allow  a
> confined domain to read these files where before they were not allowed.  How do
> you get logrotate to create these compressed files?
> 

There is /etc/logrotate.d/proftpd owned by proftpd-1.3.1-6.fc10 that contains these lines:

+-------------------------------------------+
/var/log/proftpd.log /var/log/xferlog {
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        test -f /var/lock/subsys/proftpd && /usr/bin/killall -HUP proftpd || :
    endscript
}
+-------------------------------------------+

> We probably need to make logrote SELinux aware to get the behaviour you
> suggest.  It would need to call matchpathcon and find out the proper label of
> the file it is creating and then create the file with the right context.

Yeah, that could be the best solution right now. Let me know if you need me to attach any other config file or test something.
Comment 3 Gianluca Varisco 2008-12-28 05:06:31 EST
/etc/logrotate.d/rpm is instead owned by rpm-4.6.0-0.rc1.8 and contains:

+------------------------------------------------+
/var/log/rpmpkgs {
    weekly
    notifempty
    missingok
}
+------------------------------------------------+
Comment 4 Daniel Walsh 2009-01-04 12:34:09 EST
logrotate should be maintaining the file context on the files that it rotates and compresses.
Comment 5 Daniel Novotny 2009-02-24 08:24:27 EST
hello Gianluca, I am not able to reproduce the problem: I installed proftpd and created /var/log/xferlog, but the gzipped files from running logrotate have the proper xferlog_t context... is there a simple way to reproduce the bug?
Comment 6 Gianluca Varisco 2009-03-08 17:21:42 EDT
Hi Daniel,

I'll try to reproduce the problem in a new F10 system and will let you know the results.
Comment 7 Daniel Novotny 2009-03-27 09:32:39 EDT
hello Gianluca,
bump: is this still a problem now, using latest selinux-policy update?
Comment 8 Gianluca Varisco 2009-03-31 08:22:25 EDT
Daniel,

It seems OK now! The compressed files now all have the same file context as the log they were rotated from.

-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log
-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log-20090329.gz
-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log-20090330.gz
-rw-r-----  root   root    system_u:object_r:var_log_t:s0   proftpd.log-20090331.gz

-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs
-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs-20090315.gz
-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs-20090322.gz
-rw-r--r--  root   root    system_u:object_r:cron_log_t:s0  rpmpkgs-20090329.gz


-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog
-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog-20090329.gz
-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog-20090330.gz
-rw-r--r--  root   root    system_u:object_r:xferlog_t:s0   xferlog-20090331.gz

Thanks for your prompt help! ;-)
Comment 9 Daniel Novotny 2009-03-31 08:31:23 EDT
OK, thanks for your report, closing