This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 717505 - SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the directory /var/spool/cron.
SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the directo...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: cronie (Show other bugs)
15
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Marcela Mašláňová
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:4c71c6fd055...
:
: 717506 717507 717557 717766 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-06-28 23:28 EDT by cyrushmh
Modified: 2011-07-04 14:58 EDT (History)
12 users (show)

See Also:
Fixed In Version: cronie-1.4.8-2.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-04 14:58:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description cyrushmh 2011-06-28 23:28:03 EDT
SELinux is preventing /usr/sbin/logrotate from 'read' accesses on the directory /var/spool/cron.

*****  Plugin catchall (50.5 confidence) suggests  ***************************

If you believe that logrotate should be allowed read access on the cron directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

*****  Plugin leaks (50.5 confidence) suggests  ******************************

If you want to ignore logrotate trying to read access the cron directory, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/sbin/logrotate /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cron_spool_t:s0
Target Objects                /var/spool/cron [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <未知>
Host                          (removed)
Source RPM Packages           logrotate-3.7.9-11.fc15
Target RPM Packages           cronie-1.4.8-1.fc15
Policy RPM                    selinux-policy-3.9.16-30.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    2011年06月29日 星期三 11时27分02秒
Last Seen                     2011年06月29日 星期三 11时27分02秒
Local ID                      288ef501-6147-45f0-b46e-5b21b3dec678

Raw Audit Messages
type=AVC msg=audit(1309318022.108:68): avc:  denied  { read } for  pid=13325 comm="logrotate" path="/var/spool/cron" dev=sda6 ino=2492311 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir


type=AVC msg=audit(1309318022.108:68): avc:  denied  { read } for  pid=13325 comm="logrotate" path="/etc/cron.d" dev=sda6 ino=3016152 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir


type=AVC msg=audit(1309318022.108:68): avc:  denied  { read } for  pid=13325 comm="logrotate" path="/etc/crontab" dev=sda6 ino=3016242 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file


type=SYSCALL msg=audit(1309318022.108:68): arch=x86_64 syscall=execve success=yes exit=0 a0=20a61a0 a1=20a50a0 a2=20a4ac0 a3=7fff93fc81d0 items=0 ppid=13323 pid=13325 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,cron_spool_t,dir,read

audit2allow

#============= logrotate_t ==============
allow logrotate_t cron_spool_t:dir read;
allow logrotate_t system_cron_spool_t:dir read;
allow logrotate_t system_cron_spool_t:file read;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t cron_spool_t:dir read;
allow logrotate_t system_cron_spool_t:dir read;
allow logrotate_t system_cron_spool_t:file read;
Comment 1 Miroslav Grepl 2011-06-29 04:08:30 EDT
Looks like cron is leaking.
Comment 2 Miroslav Grepl 2011-06-29 04:09:30 EDT
*** Bug 717506 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2011-06-29 04:09:40 EDT
*** Bug 717507 has been marked as a duplicate of this bug. ***
Comment 4 Miroslav Grepl 2011-06-29 04:45:23 EDT
*** Bug 717557 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2011-06-29 09:03:52 EDT
cronie-1.4.8-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/cronie-1.4.8-2.fc15
Comment 6 Fedora Update System 2011-06-29 18:01:51 EDT
Package cronie-1.4.8-2.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing cronie-1.4.8-2.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/cronie-1.4.8-2.fc15
then log in and leave karma (feedback).
Comment 7 Daniel Walsh 2011-06-29 19:57:24 EDT
*** Bug 717766 has been marked as a duplicate of this bug. ***
Comment 8 Fedora Update System 2011-07-04 14:58:11 EDT
cronie-1.4.8-2.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.