Summary:

SELinux is preventing /usr/sbin/asterisk "write" access on /.

Detailed Description:

SELinux denied access requested by asterisk. It is not expected that this access is required by asterisk and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:root_t:s0
Target Objects                / [ dir ]
Source                        asterisk
Source Path                   /usr/sbin/asterisk
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           asterisk14-1.4.29-89.fc12
Target RPM Packages           filesystem-2.4.30-2.fc12
Policy RPM                    selinux-policy-3.6.32-99.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux jupiter3.werners.local 2.6.32.9-70.fc12.i686.PAE #1 SMP Wed Mar 3 04:57:21 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Sun 14 Mar 2010 03:09:02 AM CDT
Last Seen                     Sun 14 Mar 2010 03:09:02 AM CDT
Local ID                      9d595674-f5ce-4529-b215-c21b93cac308
Line Numbers

Raw Audit Messages

node=jupiter3.werners.local type=AVC msg=audit(1268554142.167:34267): avc: denied { write } for pid=22242 comm="asterisk" name="/" dev=sda3 ino=2 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

node=jupiter3.werners.local type=SYSCALL msg=audit(1268554142.167:34267): arch=40000003 syscall=5 success=no exit=-13 a0=bf99564c a1=241 a2=1b6 a3=811c3ee items=0 ppid=22241 pid=22242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=28 comm="asterisk" exe="/usr/sbin/asterisk" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash String generated from    catchall,asterisk,logrotate_t,root_t,dir,write
audit2allow suggests:

#============= logrotate_t ==============
#!!!! The source type 'logrotate_t' can write to a 'dir' of the following types:
# acct_data_t, var_spool_t, var_lib_t, abrt_var_cache_t, var_log_t, mailman_log_t, asterisk_var_lib_t, varnishlog_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, named_cache_t

allow logrotate_t root_t:dir write;
Do you have logrotate watching content in /? This looks like logrotate is leaking an open file descriptor to asterisk.
Hello Jerry, do you have any logrotate configuration file for asterisk in /etc/logrotate.d? If so, can you post it, please?
The file, dated 2009-08-25 09:32, is:

/var/log/asterisk/messages /var/log/asterisk/event_log /var/log/asterisk/queue_log {
    missingok
    notifempty
    create 0640 asterisk asterisk
    sharedscripts
    postrotate
        /usr/sbin/asterisk -rx 'logger reload' >/dev/null 2>/dev/null || true
    endscript
}
Jerry, thanks for the file. Now we see that logrotate runs /usr/sbin/asterisk in its "postrotate" script, and that is why we see /usr/sbin/asterisk in the "logrotate_t" context in the error message. Shouldn't there be a transition rule ("if logrotate runs asterisk, run it in the asterisk context and not the logrotate_t context")? Reassigning to selinux-policy.
Miroslav, F13 has

optional_policy(`
	asterisk_domtrans(logrotate_t)
')

instead of

optional_policy(`
	asterisk_exec(logrotate_t)
	asterisk_stream_connect(logrotate_t)
	asterisk_manage_lib_files(logrotate_t)
')
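Added example, not part of the bug report or of the selinux-policy package: a small sh script that first confirms the diagnosis from the raw audit records (the denied process executed /usr/sbin/asterisk but was running in the logrotate_t domain, so no domain transition happened), then writes a local policy module that adds the asterisk_domtrans(logrotate_t) call F13 has, as an interim fix until the updated selinux-policy RPM is installed. The audit records are a trimmed copy of the two lines in the report; the module name logrotate_asterisk, the use of /usr/share/selinux/devel/Makefile (from selinux-policy-devel), the label asterisk_exec_t on the binary and the sesearch check (setools) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the bug's or the project's code). Correlates the AVC and
# SYSCALL records of one audit event, reports which binary ran in which domain,
# and generates a local policy module adding the missing domain transition.

# Constructed sample: the two records from the report, with unneeded fields cut.
AVC_RECORD='type=AVC msg=audit(1268554142.167:34267): avc: denied { write } for pid=22242 comm="asterisk" name="/" dev=sda3 ino=2 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir'
SYSCALL_RECORD='type=SYSCALL msg=audit(1268554142.167:34267): arch=40000003 syscall=5 success=no exit=-13 ppid=22241 pid=22242 uid=0 comm="asterisk" exe="/usr/sbin/asterisk" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)'

# field KEY RECORD: print the value of KEY=value or KEY="value" in RECORD.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# audit_id RECORD: the "seconds.millis:serial" that ties records of one event.
audit_id() {
    printf '%s\n' "$1" | sed -n 's/.*msg=audit(\([^)]*\)).*/\1/p'
}

# ctx_type CONTEXT: the type (third field) of a user:role:type:range context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# source_domain_of AVC SYSCALL: print "<exe> <domain>" for the denied process,
# taking exe= from the SYSCALL record and scontext= from the AVC record, but
# only when both records carry the same audit id (same event).
source_domain_of() {
    [ "$(audit_id "$1")" = "$(audit_id "$2")" ] || return 1
    printf '%s %s\n' "$(field exe "$2")" "$(ctx_type "$(field scontext "$1")")"
}

# write_domtrans_module FILE: emit a .te module (assumed name logrotate_asterisk)
# that makes logrotate_t transition to asterisk_t when it executes a file
# labelled asterisk_exec_t, i.e. /usr/sbin/asterisk from the postrotate script.
write_domtrans_module() {
    cat > "$1" <<'EOF'
policy_module(logrotate_asterisk, 1.0)

gen_require(`
	type logrotate_t;
')

# Same interface call that the F13 policy carries for logrotate_t.
asterisk_domtrans(logrotate_t)
EOF
}

# install_domtrans_module: build with the selinux-policy-devel Makefile, load
# it, and list the resulting type_transition rule. Needs root; run by hand.
install_domtrans_module() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    write_domtrans_module logrotate_asterisk.te
    make -f /usr/share/selinux/devel/Makefile logrotate_asterisk.pp &&
    semodule -i logrotate_asterisk.pp &&
    sesearch -T -s logrotate_t -t asterisk_exec_t
)

# Diagnosis runs anywhere; prints "/usr/sbin/asterisk logrotate_t".
source_domain_of "$AVC_RECORD" "$SYSCALL_RECORD"
# install_domtrans_module   # uncomment on the affected host
```

If the second word printed is anything other than asterisk_t, the postrotate command inherited the caller's domain and a transition rule is missing; once the module is loaded, the sesearch line should show a type_transition from logrotate_t on asterisk_exec_t to asterisk_t, and the write denial on / disappears because the process no longer runs as logrotate_t.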
Fixed in selinux-policy-3.6.32-104.fc12
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.