Bug 655728 - SELinux block write acces to /var/log/ for cgrulesengd
Summary: SELinux block write acces to /var/log/ for cgrulesengd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-22 10:10 UTC by Alphonse Steiner
Modified: 2010-12-05 00:38 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.9.7-14.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-05 00:38:00 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Alphonse Steiner 2010-11-22 10:10:13 UTC 
Description of problem:
SELinux blocks write acces to /var/log/ for cgrulesengd.
Here are the audit messages:

node=alphstein type=AVC msg=audit(1290419683.646:25322): avc:  denied  { write } for  pid=4517 comm="cgrulesengd" name="log" dev=dm-1 ino=129512 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

node=alphstein type=SYSCALL msg=audit(1290419683.646:25322): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb276380d a1=441 a2=1b6 a3=0 items=0 ppid=1 pid=4517 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)




Steps to Reproduce:
1. Edit /etc/sysconfig/cgred.conf to specify a custom logfile
2. Start cgconfig and cgred service (see bug #655720)
3. Each command '/etc/init.d/cgred restart' will give an SELinux alert.
Comment 1 Miroslav Grepl 2010-11-22 10:37:15 UTC 
cgred uses syslog by default. I could add a new type for a log file and rules but there would need to be a default location for the log file.

So since this is a local customization, you need to add a local policy module using

# grep cgred_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 2 Alphonse Steiner 2010-11-22 11:11:26 UTC 
There is a default location for the log file: it is written in /etc/sysconfig/cgred.conf.
I guess I was not clear: I have not made a real customization, I have just uncommented the line. I think that for consistency, this log file must be allowed.
Comment 3 Daniel Walsh 2010-11-22 17:22:51 UTC 
Miroslav I think we should add a type for the log file.

Alphonse what is the name of the log file created.
Comment 4 Miroslav Grepl 2010-11-22 17:45:37 UTC 
(In reply to comment #2)
> There is a default location for the log file: it is written in
> /etc/sysconfig/cgred.conf.
> I guess I was not clear: I have not made a real customization, I have just
> uncommented the line. I think that for consistency, this log file must be
> allowed.

Then also my fault. I have checked the bad config file.
Comment 5 Alphonse Steiner 2010-11-22 18:31:20 UTC 
The default logfile reported in /etc/sysconfig/cgred.conf is "/var/log/cgrulesengd.log"
Comment 6 Miroslav Grepl 2010-12-01 12:16:34 UTC 
Fixed in selinux-policy-3.9.7-14.fc14
Comment 7 Fedora Update System 2010-12-02 08:19:03 UTC 
selinux-policy-3.9.7-14.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-14.fc14
Comment 8 Fedora Update System 2010-12-02 19:14:40 UTC 
selinux-policy-3.9.7-14.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-14.fc14
Comment 9 Fedora Update System 2010-12-05 00:37:04 UTC 
selinux-policy-3.9.7-14.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.