Bug 492848 – SELinux is preventing logrotate (logrotate_t) "getattr" to /var/named/data/named.run (named_cache_t)

Bug 492848 - SELinux is preventing logrotate (logrotate_t) "getattr" to /var/named/data/named.run (named_cache_t)

Summary:	SELinux is preventing logrotate (logrotate_t) "getattr" to /var/named/data/na...

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	10
Hardware:	x86_64 Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	493265 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2009-03-30 07:53 EDT by Joseph D. Wagner
Modified:	2009-11-18 08:00 EST (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2009-11-18 08:00:36 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Joseph D. Wagner 2009-03-30 07:53:03 EDT

Neither the restorecon in the report nor a complete filesystem relabeling have resolved the issue.

Summary:

SELinux is preventing logrotate (logrotate_t) "getattr" to
/var/named/data/named.run (named_cache_t).

Detailed Description:

SELinux denied access requested by logrotate. It is not expected that this
access is required by logrotate and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/named/data/named.run,

restorecon -v '/var/named/data/named.run'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:named_cache_t:s0
Target Objects                /var/named/data/named.run [ file ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           logrotate-3.7.7-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-49.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.27.19-170.2.35.fc10.x86_64 #1 SMP Mon Feb 23
                              13:00:23 EST 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 30 Mar 2009 04:10:31 AM PDT
Last Seen                     Mon 30 Mar 2009 04:10:31 AM PDT
Local ID                      3672e7dc-9990-4094-9061-c2170b701875
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1238411431.953:296): avc:  denied  { getattr } for  pid=25343 comm="logrotate" path="/var/named/data/named.run" dev=sdb5 ino=506279 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:named_cache_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1238411431.953:296): arch=c000003e syscall=4 success=no exit=-13 a0=1f72250 a1=7fff191a9d50 a2=7fff191a9d50 a3=14 items=0 ppid=25341 pid=25343 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Novotny 2009-03-30 08:11:54 EDT

logrotate_t needs access to /var/named/data/named.run in order to rotate it

(see named.logrotate config file in the "bind" package)

reassigning to selinux-policy

Comment 2 Daniel Walsh 2009-03-30 10:21:31 EDT

Miroslav add

optional_policy(`
	bind_manage_cache(logrotate_t)
')

Comment 3 Miroslav Grepl 2009-03-30 12:25:26 EDT

Fixed in selinux-policy-3.5.13-54.fc10

Comment 4 Daniel Novotny 2009-04-01 05:22:01 EDT

*** Bug 493265 has been marked as a duplicate of this bug. ***

Comment 5 Göran Uddeborg 2009-05-12 05:29:02 EDT

I'm using selinux-policy-3.5.13-57.fc10 but I still keep getting these errors.  Is it just me, or does it fail for others too?

Comment 6 Miroslav Grepl 2009-05-12 05:40:19 EDT

Please put a output of the command:

rpm -q selinux-policy-targeted

Comment 7 Göran Uddeborg 2009-05-12 05:46:34 EDT

Aha, that was selinux-policy-targeted-3.5.13-40.fc10!  I had only updated the base package.  I'll give it a new try.  (Seems I'll get 3.5.13-58.fc10 this time, but I do get both selinux-policy and selinux-policy-targeted.)

Thanks for the pointer!

Comment 8 Bug Zapper 2009-11-18 07:48:27 EST

This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 9 Daniel Walsh 2009-11-18 08:00:36 EST

Closing as current release

Note You need to log in before you can comment on or make changes to this bug.