Bug 771609 - SELinux is preventing logcheck from writing in /var/lib/logcheck
Summary: SELinux is preventing logcheck from writing in /var/lib/logcheck
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: logcheck
Version: 16
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Matthias Runge
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 768805
Reported: 2012-01-04 10:11 UTC by Matthias Runge
Modified: 2012-01-16 21:21 UTC

Fixed In Version: logcheck-1.3.14-5.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-05 08:22:53 UTC
Type: ---


Attachments
audit.log filtered by denied (4.16 KB, application/octet-stream), 2012-01-04 11:41 UTC, Matthias Runge
Please add this patch to your spec file to make sure the directories you are creating are created with the correct label. (630 bytes, patch), 2012-01-04 16:24 UTC, Daniel Walsh

Description Matthias Runge 2012-01-04 10:11:08 UTC
logcheck is a program which scans through log files, mailing unusual activity.

It needs to write in /var/lib/logcheck. I think the following rules should go into selinux-policy. Installing this rule makes logcheck work for me, where SELinux prevented it from running.

module local 1.0;

require {
	type logwatch_mail_t;
	type semanage_t;
	type security_t;
	type logwatch_t;
	type setfiles_t;
	type var_lib_t;
	class process { siginh noatsecure rlimitinh };
	class dir { write add_name };
	class file { read write create open };
}

#============= logwatch_t ==============
allow logwatch_t logwatch_mail_t:process { siginh rlimitinh noatsecure };

allow logwatch_t security_t:file read;

allow logwatch_t var_lib_t:dir { write add_name };

allow logwatch_t var_lib_t:file create;
#!!!! The source type 'logwatch_t' can write to a 'file' of the following types:
# logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t

allow logwatch_t var_lib_t:file { write read open };

Thanks!

Comment 1 Miroslav Grepl 2012-01-04 11:18:47 UTC
This should work.

$ matchpathcon /var/lib/logcheck
/var/lib/logcheck	system_u:object_r:logwatch_cache_t:s0

What does this command show you? Or did you re-create this directory?

You will need to run

$ restorecon -R -v /var/lib/logcheck

Comment 2 Matthias Runge 2012-01-04 11:28:52 UTC
Indeed, this is shown. I didn't re-create this dir.

Still, SELinux prevents logcheck from running correctly. I found it necessary to run all of the above rules.

Comment 3 Miroslav Grepl 2012-01-04 11:31:40 UTC
Could you attach AVC msgs which were needed for your local policy?

Comment 4 Matthias Runge 2012-01-04 11:41:55 UTC
Created attachment 550662 [details]
audit.log filtered by denied

Comment 5 Matthias Runge 2012-01-04 11:43:49 UTC
Of course!

I had to switch on logging all messages, so this log is somewhat lengthy.

Comment 6 Daniel Walsh 2012-01-04 16:11:33 UTC
If all of these files are in /var/lib/logcheck, then whoever is creating this directory (most likely an init script) is creating it with the wrong label.

Probably needs to run restorecon after the creation.

Comment 7 Daniel Walsh 2012-01-04 16:23:51 UTC
It looks like these libraries are being created in the post install script.  They should be executing restorecon.

Comment 8 Daniel Walsh 2012-01-04 16:24:41 UTC
Created attachment 550721 [details]
Please add this patch to your spec file to make sure the directories you are creating are created with the correct label.
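The triage in Comment 1 (compare what matchpathcon says the path should be labelled with against what the denials show) and the fix in Comments 6 to 8 (relabel right after the package creates the directory) can be scripted. The block below is an added example; it is not the attached patch and not part of logcheck. The AVC lines are constructed to look like the bug's situation, the function names are mine, and the expected type logwatch_cache_t is taken from the matchpathcon output in Comment 1.

```shell
#!/bin/sh
# Added example (not from the bug or the logcheck package): classify AVC denials
# as "wrong label" versus "policy gap", and relabel the way a %post scriptlet should.

# Constructed sample denials in audit.log format; NOT the bug's real attachment.
AVC_SAMPLE='type=AVC msg=audit(1325675000.100:101): avc:  denied  { write add_name } for  pid=2001 comm="logcheck" name="logcheck" dev=dm-0 ino=1001 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1325675000.200:102): avc:  denied  { create } for  pid=2001 comm="logcheck" name="logcheck.lock" dev=dm-0 ino=1002 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1325675000.300:103): avc:  denied  { read } for  pid=3001 comm="httpd" name="foo" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'

# Print the distinct target types that the source domain $1 was denied on,
# reading audit lines from stdin. A context is user:role:type:level, so the
# type is the third colon-separated field of scontext= / tcontext=.
denied_target_types() {
    awk -v dom="$1" '
        /avc: *denied/ {
            src = ""; tgt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            }
            if (src == dom && tgt != "" && !(tgt in seen)) { seen[tgt] = 1; print tgt }
        }'
}

# $1: the type the file-context policy assigns to the path (what matchpathcon
# prints); $2: the type the denial was raised against.
# "relabel": the file carries the wrong label, restorecon fixes it and no
#            allow rule is needed (this bug's case: var_lib_t vs logwatch_cache_t).
# "policy":  the label is already correct, so the denial is a genuine policy gap.
classify_denial() {
    expected="$1"; denied="$2"
    if [ "$denied" = "$expected" ]; then echo policy; else echo relabel; fi
}

# What the package's post-install step should do: create the directory, then
# restore its label from the loaded policy so the daemon's domain can use it.
# restorecon is only invoked when present, so this is safe on non-SELinux hosts.
create_and_relabel() {
    mkdir -p "$1" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$1"
    fi
}

# Walk the sample with the expected label from Comment 1.
for t in $(printf '%s\n' "$AVC_SAMPLE" | denied_target_types logwatch_t); do
    echo "logwatch_t denied on $t: $(classify_denial logwatch_cache_t "$t")"
done
```

On a real host the expected type comes from `matchpathcon /var/lib/logcheck` and the denials from `ausearch -m avc -c logcheck`; when every denied target type differs from the expected one, as here, the answer is `restorecon -R -v /var/lib/logcheck` rather than the local module from the description, which would permanently let logwatch_t write to generic var_lib_t content.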

Comment 9 Matthias Runge 2012-01-05 08:22:53 UTC
Oh, great! This fixes this issue for me. Thanks to both of you!

Comment 10 Daniel Walsh 2012-01-05 15:11:56 UTC
Are you going to push a fixed version of logcheck?

Comment 11 Fedora Update System 2012-01-05 17:37:36 UTC
logcheck-1.3.14-5.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/logcheck-1.3.14-5.fc16

Comment 12 Matthias Runge 2012-01-05 17:38:16 UTC
I already did that, but forgot to reference this bug number in the update. Thank you for the heads up.

Comment 13 Fedora Update System 2012-01-16 21:21:53 UTC
logcheck-1.3.14-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
