Hide Forgot
Description of problem: I believe that the problem manifests itself on various log files, not just zarafa* ones Version-Release number of selected component (if applicable): selinux-policy-doc-3.7.19-143.el6.noarch selinux-policy-3.7.19-143.el6.noarch selinux-policy-mls-3.7.19-143.el6.noarch selinux-policy-minimum-3.7.19-143.el6.noarch selinux-policy-targeted-3.7.19-143.el6.noarch How reproducible: always Actual results: # matchpathcon /var/log/zarafa/* /var/log/zarafa/gateway.log system_u:object_r:zarafa_gateway_log_t:s0 /var/log/zarafa/gateway.log-20120318.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/gateway.log-20120326.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/gateway.log-20120401 system_u:object_r:var_log_t:s0 /var/log/zarafa/ical.log system_u:object_r:zarafa_ical_log_t:s0 /var/log/zarafa/ical.log-20120318.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/ical.log-20120326.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/ical.log-20120401 system_u:object_r:var_log_t:s0 /var/log/zarafa/indexer.log system_u:object_r:zarafa_indexer_log_t:s0 /var/log/zarafa/indexer.log-20120318.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/indexer.log-20120326.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/indexer.log-20120401 system_u:object_r:var_log_t:s0 /var/log/zarafa/monitor.log system_u:object_r:zarafa_monitor_log_t:s0 /var/log/zarafa/monitor.log-20120318.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/monitor.log-20120326.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/monitor.log-20120401 system_u:object_r:var_log_t:s0 /var/log/zarafa/server.log system_u:object_r:zarafa_server_log_t:s0 /var/log/zarafa/server.log-20120318.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/server.log-20120326.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/server.log-20120401 system_u:object_r:var_log_t:s0 /var/log/zarafa/spooler.log system_u:object_r:zarafa_spooler_log_t:s0 /var/log/zarafa/spooler.log-20120318.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/spooler.log-20120326.gz system_u:object_r:var_log_t:s0 /var/log/zarafa/spooler.log-20120401 system_u:object_r:var_log_t:s0 # Expected results: * each file that was processed by logrotate should be labelled the same way as before it was processed by logrotate
Quick grep exercise gave me following results: /var/log/(x)?inetd\.log -- system_u:object_r:inetd_log_t:s0 /var/log/lastlog -- system_u:object_r:lastlog_t:s0 /var/log/faillog -- system_u:object_r:faillog_t:s0 /var/log/radutmp -- system_u:object_r:radiusd_log_t:s0 /var/log/wicd\.log -- system_u:object_r:NetworkManager_log_t:s0 /var/log/tallylog -- system_u:object_r:faillog_t:s0 /var/log/aide\.log -- system_u:object_r:aide_log_t:s0 /var/log/iwhd\.log -- system_u:object_r:iwhd_log_t:s0 /var/log/log\.ctdb -- system_u:object_r:ctdbd_log_t:s0 /var/log/xend\.log -- system_u:object_r:xend_var_log_t:s0 /var/log/audit\.log -- system_u:object_r:auditd_log_t:s0 /var/log/pluto\.log -- system_u:object_r:ipsec_log_t:s0 /var/log/rsync\.log -- system_u:object_r:rsync_log_t:s0 /var/log/snmpd\.log -- system_u:object_r:snmpd_log_t:s0 /var/log/spamd\.log -- system_u:object_r:spamd_log_t:s0 /var/log/tuned\.log -- system_u:object_r:tuned_log_t:s0 /var/log/pyzord\.log -- system_u:object_r:pyzord_log_t:s0 /var/log/mimedefang -- system_u:object_r:spamd_log_t:s0 /var/log/sendmail\.st -- system_u:object_r:sendmail_log_t:s0 /var/log/prelink\.log -- system_u:object_r:prelink_log_t:s0 /var/log/abrt-logger -- system_u:object_r:abrt_var_log_t:s0 /var/log/amavisd\.log -- system_u:object_r:amavis_var_log_t:s0 /var/log/clumond\.log -- system_u:object_r:ricci_modcluster_var_log_t:s0 /var/log/sectool\.log -- system_u:object_r:sectool_var_log_t:s0 /var/log/evtchnd\.log -- system_u:object_r:evtchnd_var_log_t:s0 /var/log/fail2ban\.log -- system_u:object_r:fail2ban_log_t:s0 /var/log/brcm-iscsi\.log -- system_u:object_r:iscsi_log_t:s0 /var/log/xend-debug\.log -- system_u:object_r:xend_var_log_t:s0 /var/log/cgrulesengd\.log -- system_u:object_r:cgred_log_t:s0 /var/log/razor-agent\.log -- system_u:object_r:spamd_log_t:s0 /var/log/xen-hotplug\.log -- system_u:object_r:xend_var_log_t:s0 /var/log/zarafa/ical\.log -- system_u:object_r:zarafa_ical_log_t:s0 /var/log/zarafa/server\.log -- system_u:object_r:zarafa_server_log_t:s0 /var/log/spice-vdagentd\.log -- system_u:object_r:vdagent_log_t:s0 /var/log/zarafa/gateway\.log -- system_u:object_r:zarafa_gateway_log_t:s0 /var/log/zarafa/indexer\.log -- system_u:object_r:zarafa_indexer_log_t:s0 /var/log/zarafa/monitor\.log -- system_u:object_r:zarafa_monitor_log_t:s0 /var/log/zarafa/spooler\.log -- system_u:object_r:zarafa_spooler_log_t:s0 /var/log/cluster/aisexec\.log -- system_u:object_r:aisexec_var_log_t:s0 /var/log/cluster/corosync\.log -- system_u:object_r:corosync_var_log_t:s0 /var/log/cluster/rgmanager\.log -- system_u:object_r:rgmanager_var_log_t:s0
Well these log files are created by logrotate. SO you are saying to have /var/log/zarafa/server.log system_u:object_r:zarafa_server_log_t:s0 /var/log/zarafa/server.log-20120318.gz system_u:object_r:var_log_t:s0 with the same label? If I am right, no way how to do it. Also I believe it does not cause any issues?
It depends how logrotate is configured, but usually logrotate renames the existing file and new file is created by the program which produces the log messages. Important thing is that logrotate keeps the label untouched. So these log files are labelled correctly until somebody runs "restorecon -R /var/log". Once somebody does that restorecon screws up the labelling. Because restorecon changes labels to var_log_t. Here are 2 definitions which I believe are correct. No matter what is appended to the filename the file will always be labelled correctly. /var/log/cluster/dlm_controld\.log.* -- system_u:object_r:dlm_controld_var_log_t:s0 /var/log/cluster/gfs_controld\.log.* -- system_u:object_r:gfs_controld_var_log_t:s0 Basically my idea is: if the path pattern ends with "\.log" we should modify it to "\.log.*".
That seems reasonable to me.
Yes, now it makes sense also for me.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
We added fixes to Fedora. Will backport.
Fixed in selinux-policy-3.7.19-182.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html