Summary: SELinux is preventing logrotate (logrotate_t) "write" to /etc/rc.d/init.d (etc_t). Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux is preventing logrotate (logrotate_t) "write" to /etc/rc.d/init.d (etc_t). The SELinux type etc_t, is a generic type for all files in the directory and very few processes (SELinux Domains) are allowed to write to this SELinux type. This type of denial usual indicates a mislabeled file. By default a file created in a directory has the gets the context of the parent directory, but SELinux policy has rules about the creation of directories, that say if a process running in one SELinux Domain (D1) creates a file in a directory with a particular SELinux File Context (F1) the file gets a different File Context (F2). The policy usually allows the SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for some reason a file (/etc/rc.d/init.d) was created with the wrong context, this domain will be denied. The usual solution to this problem is to reset the file context on the target file, restorecon -v '/etc/rc.d/init.d'. If the file context does not change from etc_t, then this is probably a bug in policy. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy package. If it does change, you can try your application again to see if it works. The file context could have been mislabeled by editing the file or moving the file from a different directory, if the file keeps getting mislabeled, check the init scripts to see if they are doing something to mislabel the file. Allowing Access: You can attempt to fix file context by executing restorecon -v '/etc/rc.d/init.d' Fix Command: restorecon '/etc/rc.d/init.d' Additional Information: Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 Target Context system_u:object_r:etc_t:s0 Target Objects /etc/rc.d/init.d [ dir ] Source logrotate Source Path /usr/sbin/logrotate Port <Unknown> Host (removed) Source RPM Packages logrotate-3.7.8-2.fc11 Target RPM Packages chkconfig-1.3.42-1 Policy RPM selinux-policy-3.6.12-82.fc11 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name mislabeled_file Host Name (removed) Platform Linux (removed) 2.6.30.5-43.fc11.i586 #1 SMP Thu Aug 27 21:18:54 EDT 2009 i686 i686 Alert Count 4 First Seen Sun 27 Sep 2009 03:28:15 AM JST Last Seen Sun 27 Sep 2009 03:28:15 AM JST Local ID 16929598-28bf-4fa9-a33b-3109e7eb1873 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1253989695.552:48074): avc: denied { write } for pid=23251 comm="logrotate" name="init.d" dev=dm-0 ino=13762629 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1253989695.552:48074): avc: denied { remove_name } for pid=23251 comm="logrotate" name="ovirt-host-register" dev=dm-0 ino=13764889 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1253989695.552:48074): avc: denied { rename } for pid=23251 comm="logrotate" name="ovirt-host-register" dev=dm-0 ino=13764889 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file node=(removed) type=AVC msg=audit(1253989695.552:48074): avc: denied { add_name } for pid=23251 comm="logrotate" name="ovirt-host-register-20090927" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1253989695.552:48074): arch=40000003 syscall=38 success=yes exit=0 a0=82ea720 a1=82f1550 a2=82ea678 a3=0 items=0 ppid=23249 pid=23251 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3613 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) Hash String generated from mislabeled_file,logrotate,logrotate_t,etc_t,dir,write audit2allow suggests: #============= logrotate_t ============== #!!!! The source type 'logrotate_t' can write to a 'dir' of the following types: # acct_data_t, var_spool_t, var_lib_t, abrt_var_cache_t, var_log_t, mailman_log_t, varnishlog_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, named_cache_t allow logrotate_t etc_t:dir { write remove_name add_name }; allow logrotate_t initrc_exec_t:file rename;
*** Bug 593912 has been marked as a duplicate of this bug. ***
This is an old avc from F11 on an F13 box. Please fully update your machine yum -y update