Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install logcheck
   yum install -y logcheck
2. Set permissions on /var/lib/logcheck
   chown logcheck.logcheck /var/lib/logcheck
   (possibly another bug, as the program will not run unless you do this on my systems)
3. Configure logcheck
   vi /etc/logcheck/logcheck.conf
   Change the mail address to <your admin email address>, save and exit
4. Run test (I normally do this from root)
   su -s /bin/bash -c "/usr/sbin/logcheck" logcheck
5. Email report arrives in account

[Expected result:]
<message headers cut>
To: <recipient address>
Subject: [logcheck] sensi 2011-12-19 12:28 +1000 System Events
Auto-Submitted: auto-generated
MIME-Version: 1.0 (mime-construct 1.11)

System Events
=-=-=-=-=-=-=
Dec 18 10:55:44 sensi su: pam_unix(su:session): session closed for user logcheck
<remainder of email cut>

6. Wait until 2 minutes past the hour; when the job is run from the /etc/cron.d/logcheck file you receive:

[Actual result]
Warning: If you are seeing this message, your log files may not have been checked!

Details:
Could not run logtail or save output

Check temporary directory: /tmp/logcheck.tVVPdw

Also verify that the logcheck user can read all files referenced in /etc/logcheck/logcheck.logfiles!

declare -x HOME="/var/lib/logcheck"
declare -x LOGNAME="logcheck"
declare -x MAILTO="root"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
declare -x PWD="/var/lib/logcheck"
declare -x SHELL="/bin/sh"
declare -x SHLVL="2"
declare -x USER="logcheck"

A search of the logs shows:

Dec 18 11:02:05 sensi setroubleshoot: SELinux is preventing /usr/bin/perl from read access on the file offset.var.log.messages. For complete SELinux messages. run sealert -l 619c1e74-d5a4-4e9c-be2d-0a9c9894be27
Dec 18 11:02:05 sensi setroubleshoot: SELinux is preventing /usr/bin/perl from write access on the file offset.var.log.messages. For complete SELinux messages. run sealert -l 2fe0017c-2a20-480a-b546-076b89388903

offset.var.log.messages is located in /var/lib/logcheck/; its context is:

# ls -laZ /var/lib/logcheck/offset.var.log.messages
-rw-------. logcheck logcheck unconfined_u:object_r:logwatch_cache_t:s0 /var/lib/logcheck/offset.var.log.messages

SELinux errors are:

SELinux is preventing /usr/bin/perl from open access on the file /var/lib/logcheck/offset.var.log.messages.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow perl to have open access on the offset.var.log.messages file
Then you need to change the label on /var/lib/logcheck/offset.var.log.messages
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/logcheck/offset.var.log.messages'
where FILE_TYPE is one of the following: rpm_script_tmp_t, hostname_exec_t, samba_var_t, initrc_var_run_t, etc_runtime_t, net_conf_t, net_conf_t, ld_so_cache_t, anon_inodefs_t, sysctl_kernel_t, logwatch_t, named_zone_t, named_conf_t, abrt_var_run_t, sysctl_fs_t, bin_t, cert_t, cert_t, lib_t, sysctl_crypto_t, locale_t, usr_t, etc_t, etc_t, proc_t, sysfs_t, ifconfig_exec_t, sssd_public_t, logfile, logwatch_exec_t, logwatch_lock_t, system_conf_t, ntpd_exec_t, httpd_log_t, logwatch_var_run_t, abrt_t, samba_share_t, lib_t, krb5_conf_t, shell_exec_t, ld_so_t, sysctl_net_t, sysfs_t, abrt_helper_exec_t, logwatch_cache_t, logwatch_tmp_t, textrel_shlib_t, proc_net_t, domain, samba_log_t, mta_exec_type.
Then execute:
restorecon -v '/var/lib/logcheck/offset.var.log.messages'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that perl should be allowed open access on the offset.var.log.messages file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logtail2 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional info:
This is consistent across all 6 servers running FC16.

Versions
logcheck.noarch 1.3.14-4.fc16
selinux-policy-targeted.noarch 3.10.0-64.fc16

# ls -l /var/log
total 21076
drwxr-xr-x. 2 root root 4096 Dec 7 18:59 anaconda
drwxr-x---. 2 root root 4096 Dec 7 20:14 audit
drwxr-xr-x. 2 root named 4096 Dec 10 10:57 bind
-rw-r--r--. 1 root root 0 Dec 18 03:17 boot.log
-rw-r--r--. 1 root root 6553 Dec 10 09:05 boot.log-20111211
-rw-r--r--. 1 root root 7163 Dec 17 02:57 boot.log-20111218
-rw-------. 1 root utmp 1920 Dec 18 11:40 btmp
drwxr-xr-x. 2 chrony chrony 4096 Sep 7 01:29 chrony
drwxr-xr-x. 2 root root 4096 Dec 7 20:14 ConsoleKit
-rw-r--r--. 1 root root 21069 Dec 19 12:02 cron
-rw-r--r--. 1 root root 39823 Dec 11 03:46 cron-20111211
-rw-r--r--. 1 root root 118341 Dec 18 03:17 cron-20111218
-r--------. 1 root root 0 Dec 15 03:34 dracut.log
-r--------. 1 root root 199378 Dec 7 19:58 dracut.log-20111207
-r--------. 1 root root 99763 Dec 14 21:31 dracut.log-20111215
-rw-r--r--. 1 root root 61 Dec 16 05:51 firewalld
drwxrwx--T. 2 root gdm 4096 Dec 17 02:58 gdm
drwx------. 2 root root 4096 Sep 13 22:27 httpd
-rw-r--r--. 1 root root 0 Dec 10 08:13 kadmind.log
-rw-r--r--. 1 root root 292876 Dec 19 12:36 lastlog
drwxr-xr-x. 2 root root 4096 Dec 14 21:27 mail
-rw-r-----. 1 root root 185308 Dec 19 12:29 maillog
-rw-------. 1 root root 44726 Dec 11 03:41 maillog-20111211
-rw-------. 1 root root 630147 Dec 18 03:17 maillog-20111218
-rw-r-----. 1 root root 507502 Dec 19 12:48 messages
-rw-------. 1 root root 1054544 Dec 11 03:46 messages-20111211
-rw-------. 1 root root 18190439 Dec 18 03:17 messages-20111218
drwxr-xr-x. 2 ntp ntp 4096 Oct 7 01:38 ntpstats
-rw-r--r--. 1 root root 0 Dec 17 02:58 pm-powersave.log
drwx------. 2 root root 4096 Jun 2 2011 ppp
drwxr-xr-x. 2 root root 4096 Dec 7 20:24 prelink
drwx------. 3 root root 4096 Nov 7 22:42 samba
-rw-r--r--. 1 root root 0 Dec 8 04:10 sa-update.log
-rw-r-----. 1 root root 8677 Dec 19 12:36 secure
-rw-------. 1 root root 18883 Dec 10 21:26 secure-20111211
-rw-------. 1 root root 49628 Dec 17 19:31 secure-20111218
drwxr-xr-x. 2 root root 4096 Dec 18 03:17 setroubleshoot
drwx------. 2 root root 4096 Jul 27 05:53 speech-dispatcher
-rw-------. 1 root root 0 Dec 18 03:17 spooler
-rw-------. 1 root root 0 Dec 7 18:50 spooler-20111211
-rw-------. 1 root root 0 Dec 11 03:46 spooler-20111218
drwxr-x---. 2 root root 4096 Nov 5 02:35 sssd
-rw-------. 1 root root 0 Dec 7 18:47 tallylog
-rw-rw-r--. 1 root utmp 87936 Dec 19 12:36 wtmp
-rw-r--r--. 1 root root 27704 Dec 17 02:58 Xorg.0.log
-rw-r--r--. 1 root root 28311 Dec 17 12:49 Xorg.0.log.old
-rw-r--r--. 1 root root 28310 Dec 7 19:17 Xorg.9.log
-rw-------. 1 root root 25870 Dec 18 22:09 yum.log

# grep root /etc/group
root:x:0:sync,shutdown,root,operator,logwatch,halt,logcheck
# grep logcheck /etc/passwd
logcheck:x:991:985:Logcheck user:/var/lib/logcheck:/sbin/nologin
If you disable selinux, the scheduled job runs and reports.

To: <recipient address>
Subject: [logcheck] sensi 2011-12-19 13:02 +1000 System Events
Auto-Submitted: auto-generated
MIME-Version: 1.0 (mime-construct 1.11)

System Events
=-=-=-=-=-=-=
Dec 19 12:29:18 sensi systemd-logind[819]: Removed session c7.
Dec 19 12:29:18 sensi su: pam_unix(su:session): session closed for user logcheck
OK, I'll have a look at this. I changed my /etc/logrotate.d/syslog file:

[root@mrungexp ~]# cat /etc/logrotate.d/syslog
/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/spooler
/var/log/boot.log
/var/log/cron
{
    sharedscripts
    create 0640 root adm
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

*create 0640 root adm* makes logfiles created as root and grouped in adm. logcheck shall not be run as root for security reasons.
After leaving it run for 24 hours I re-enabled SELinux. The scheduled report runs fine. I will examine the context and try this "fix" on another of the systems and post the results.
Context results between two systems:

Erroring
# ls -laZ /var/lib/logcheck/
drwxr-xr-x. logcheck logcheck system_u:object_r:var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-------. logcheck logcheck system_u:object_r:var_lib_t:s0 offset.var.log.messages
-rw-------. logcheck logcheck system_u:object_r:var_lib_t:s0 offset.var.log.secure

Working
# ls -laZ /var/lib/logcheck/
drwxr-xr-x. logcheck logcheck unconfined_u:object_r:var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-------. logcheck logcheck unconfined_u:object_r:var_lib_t:s0 offset.var.log.messages
-rw-------. logcheck logcheck unconfined_u:object_r:var_lib_t:s0 offset.var.log.secure

The SELinux message is still the same on the failing system.

# sealert -l fb6618ea-bee9-4d5e-9394-93569ac3bd70
SELinux is preventing /usr/bin/perl from write access on the file /var/lib/logcheck/offset.var.log.messages.

***** Plugin restorecon (94.8 confidence) suggests *************************

If you want to fix the label.
/var/lib/logcheck/offset.var.log.messages default label should be logwatch_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/lib/logcheck/offset.var.log.messages

***** Plugin catchall_labels (5.21 confidence) suggests ********************

If you want to allow perl to have write access on the offset.var.log.messages file
Then you need to change the label on /var/lib/logcheck/offset.var.log.messages
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib/logcheck/offset.var.log.messages'
where FILE_TYPE is one of the following: logwatch_t, logwatch_lock_t, logwatch_var_run_t, afs_cache_t, user_cron_spool_t, logwatch_cache_t, logwatch_tmp_t.
Then execute:
restorecon -v '/var/lib/logcheck/offset.var.log.messages'

***** Plugin catchall (1.44 confidence) suggests ***************************

If you believe that perl should be allowed write access on the offset.var.log.messages file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logtail2 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
This policy module allows logcheck to run as a cron job.

module logtail 1.0;

require {
    type logwatch_t;
    type var_lib_t;
    class file { read write ioctl open };
}

#============= logwatch_t ==============
allow logwatch_t var_lib_t:file open;
#!!!! This avc is allowed in the current policy
allow logwatch_t var_lib_t:file { read write };

This has to be done after logcheck is installed and the logcheck.conf file modified. The ownership of the /var/log/secure & /var/log/messages files is changed to root.adm and chmod g+r is also run against the files. I also had to go and change the ownership of the /var/lib/logcheck directory and create a /var/run/logcheck directory. I have added this policy to two machines and both are now working.
Update: Full process to enable the cron jobs following the install:

# vi /etc/logrotate.d/syslog
modify file to be:

/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/spooler
/var/log/boot.log
/var/log/cron
{
    sharedscripts
    create 0640 root adm
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

# chown root.adm /var/log/messages /var/log/secure
# chmod g+r /var/log/messages /var/log/secure
# chown logcheck.logcheck /var/lib/logcheck
# vi logtail.te
Add the following:

module logtail 1.0;

require {
    type logwatch_t;
    type var_lib_t;
    class file { read write ioctl open };
}

#============= logwatch_t ==============
allow logwatch_t var_lib_t:file open;
#!!!! This avc is allowed in the current policy
allow logwatch_t var_lib_t:file { read write };

:wq

Compile the module
# checkmodule -M -m -o logtail.mod logtail.te
Create the package
# semodule_package -o logtail.pp -m logtail.mod
Install the package
# semodule -i logtail.pp

From this, the following changes are identified to be made in the logcheck or other packages:
1. The ownership and group permissions on the minimum base logcheck.logfiles entries need to be set to root.adm
2. File permissions on /var/log/messages and /var/log/secure should be 0640
3. The logcheck package needs to be modified as follows:
   - The directory /var/lib/logcheck needs to be created with the ownership of logcheck.logcheck
   - The SELinux context should be set correctly to enable perl to access and run the logcheck process with its default home directory set to /var/lib/logcheck
4. The Fedora-specific installation file should be modified to include the changes required for any log file included in the file to have its permissions modified as above.
5. The default /etc/logcheck.logfiles should be modified to include the following warning: "If any additional files are added, please ensure that the file permissions are changed to root.adm and 0640"

Or someone smarter than me can find a better solution.
Thank you for your work on this issue! I really appreciate that!

OK, there are (at least) two issues I see here:

1. /var/lib/logcheck and /var/log/logcheck not being created. See 771127. I already prepared a newer version, which will not help you (because the logcheck user exists on your systems).

2. /var/log/messages, /var/log/secure should be owned by root:adm and get rights 0640. This can't be handled so easily. Those files don't belong to any package, so I can't file a bug report against any other package. I guess changing access rights on log files should become a feature for newer Fedora versions.

2a) when using rsyslog, it is required to change logrotate in the way described earlier
2b) when using syslog-ng, one should change the syslog-ng config file to change access rights of /var/log/messages etc. as described in 2:

(snippet from syslog-ng.conf (modified))
destination d_mesg { file("/var/log/messages" owner("root") group("adm") perm(0640) ); };
destination d_auth { file("/var/log/secure" owner("root") group("adm") perm(0640) ); };

Sadly, I can't reproduce your selinux issues (neither on two different systems, nor on a freshly installed machine; I need another look into this).
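As an added example (not from the bug report or the logcheck package), a small POSIX sh preflight that checks what the reporter's procedure and the maintainer's reply above both require before the cron job can be trusted: each file in logcheck.logfiles is root:adm 0640, and each offset file under /var/lib/logcheck carries the logwatch_cache_t type that sealert's restorecon plugin names as the default. It assumes GNU stat; the function names are this example's own.

```shell
# Added example, not from the bug report or the logcheck package: preflight
# checks for the conditions this thread settles on. Assumes GNU stat;
# function names are this example's own, not logcheck's.

# context_type CONTEXT -> the type field, e.g. "system_u:object_r:var_lib_t:s0" -> "var_lib_t"
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# mode_ok FILE MODE -> 0 if FILE's permission bits equal MODE (e.g. 640)
mode_ok() { [ "$(stat -c '%a' "$1" 2>/dev/null)" = "$2" ]; }

# owner_ok FILE USER GROUP -> 0 if FILE is owned by USER:GROUP
owner_ok() { [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]; }

# label_ok FILE TYPE -> 0 if FILE carries SELinux type TYPE; on a host
# without SELinux, stat prints "?" for %C, which is reported as a failure
label_ok() { [ "$(context_type "$(stat -c '%C' "$1" 2>/dev/null)")" = "$2" ]; }

# check_logfiles LIST [USER GROUP MODE] -> one line per entry in LIST (blank
# lines and # comments skipped); returns how many entries are not USER:GROUP
# MODE. Defaults are the root:adm 0640 the thread settles on.
check_logfiles() {
    list=$1; user=${2:-root}; group=${3:-adm}; mode=${4:-640}; bad=0
    while IFS= read -r f; do
        case $f in ''|\#*) continue ;; esac
        if owner_ok "$f" "$user" "$group" && mode_ok "$f" "$mode"; then
            echo "ok   $f"
        else
            echo "FAIL $f ($(stat -c '%U:%G %a' "$f" 2>/dev/null || echo missing))"
            bad=$((bad + 1))
        fi
    done < "$list"
    return "$bad"
}

# check_offsets DIR TYPE -> one line per DIR/offset.* file; returns how many
# lack TYPE (sealert's restorecon plugin names logwatch_cache_t as default)
check_offsets() {
    bad=0
    for off in "$1"/offset.*; do
        [ -e "$off" ] || continue
        if label_ok "$off" "$2"; then echo "ok   $off"
        else echo "FAIL $off (try: restorecon -v $off)"; bad=$((bad + 1)); fi
    done
    return "$bad"
}
```

Source it and call check_logfiles /etc/logcheck/logcheck.logfiles and check_offsets /var/lib/logcheck logwatch_cache_t. A wrong label is corrected by the restorecon that the sealert output suggests, which is a narrower fix than the custom module above that grants logwatch_t access to the generic var_lib_t type.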
logcheck-1.3.14-5.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/logcheck-1.3.14-5.fc16
Package logcheck-1.3.14-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing logcheck-1.3.14-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0222/logcheck-1.3.14-5.fc16
then log in and leave karma (feedback).
logcheck-1.3.14-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.