Bug 593913 - SELinux is preventing logrotate (logrotate_t) "write" to /etc/rc.d/init.d (etc_t).
Summary: SELinux is preventing logrotate (logrotate_t) "write" to /etc/rc.d/init.d (et...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:26610ecb9d1...
: 593912 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-20 03:10 UTC by Naoki
Modified: 2010-05-20 11:28 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-20 11:28:10 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Naoki 2010-05-20 03:10:46 UTC 
Summary:

SELinux is preventing logrotate (logrotate_t) "write" to /etc/rc.d/init.d
(etc_t).

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux is preventing logrotate (logrotate_t) "write" to /etc/rc.d/init.d
(etc_t). The SELinux type etc_t, is a generic type for all files in the
directory and very few processes (SELinux Domains) are allowed to write to this
SELinux type. This type of denial usual indicates a mislabeled file. By default
a file created in a directory has the gets the context of the parent directory,
but SELinux policy has rules about the creation of directories, that say if a
process running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (/etc/rc.d/init.d) was
created with the wrong context, this domain will be denied. The usual solution
to this problem is to reset the file context on the target file, restorecon -v
'/etc/rc.d/init.d'. If the file context does not change from etc_t, then this is
probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or moving
the file from a different directory, if the file keeps getting mislabeled, check
the init scripts to see if they are doing something to mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v
'/etc/rc.d/init.d'

Fix Command:

restorecon '/etc/rc.d/init.d'

Additional Information:

Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/rc.d/init.d [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           logrotate-3.7.8-2.fc11
Target RPM Packages           chkconfig-1.3.42-1
Policy RPM                    selinux-policy-3.6.12-82.fc11
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   mislabeled_file
Host Name                     (removed)
Platform                      Linux (removed) 2.6.30.5-43.fc11.i586 #1
                              SMP Thu Aug 27 21:18:54 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Sun 27 Sep 2009 03:28:15 AM JST
Last Seen                     Sun 27 Sep 2009 03:28:15 AM JST
Local ID                      16929598-28bf-4fa9-a33b-3109e7eb1873
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1253989695.552:48074): avc:  denied  { write } for  pid=23251 comm="logrotate" name="init.d" dev=dm-0 ino=13762629 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1253989695.552:48074): avc:  denied  { remove_name } for  pid=23251 comm="logrotate" name="ovirt-host-register" dev=dm-0 ino=13764889 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1253989695.552:48074): avc:  denied  { rename } for  pid=23251 comm="logrotate" name="ovirt-host-register" dev=dm-0 ino=13764889 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1253989695.552:48074): avc:  denied  { add_name } for  pid=23251 comm="logrotate" name="ovirt-host-register-20090927" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1253989695.552:48074): arch=40000003 syscall=38 success=yes exit=0 a0=82ea720 a1=82f1550 a2=82ea678 a3=0 items=0 ppid=23249 pid=23251 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3613 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  mislabeled_file,logrotate,logrotate_t,etc_t,dir,write
audit2allow suggests:

#============= logrotate_t ==============
#!!!! The source type 'logrotate_t' can write to a 'dir' of the following types:
# acct_data_t, var_spool_t, var_lib_t, abrt_var_cache_t, var_log_t, mailman_log_t, varnishlog_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, named_cache_t

allow logrotate_t etc_t:dir { write remove_name add_name };
allow logrotate_t initrc_exec_t:file rename;
Comment 1 Miroslav Grepl 2010-05-20 09:35:30 UTC 
*** Bug 593912 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2010-05-20 11:28:10 UTC 
This is an old avc from F11 on an F13 box.

Please fully update your machine

yum -y update
Note You need to log in before you can comment on or make changes to this bug.