Bug 885411 - SELinux is preventing /usr/sbin/logrotate from read access on the directory z-push.
SELinux is preventing /usr/sbin/logrotate from read access on the directory z...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-09 03:00 EST by Matěj Cepl
Modified: 2013-10-24 13:19 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-24 13:19:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2012-12-09 03:00:18 EST
z-push (http://z-push.sourceforge.net/) is a server providing protocols of Microsoft Exchange Active Sync for some open source platforms (namely, Zarafa). It is distributed in rpmfusion.

SELinux is preventing /usr/sbin/logrotate from read access on the directory z-push.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that logrotate should be allowed read access on the z-push directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                z-push [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          luther
Source RPM Packages           logrotate-3.7.8-15.el6.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-185.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     luther
Platform                      Linux luther 2.6.32-279.14.1.el6.i686 #1 SMP Mon
                              Oct 15 13:43:38 EDT 2012 i686 i686
Alert Count                   1
First Seen                    Sat Dec  8 04:01:20 2012
Last Seen                     Sat Dec  8 04:01:20 2012
Local ID                      46589906-20ce-49f4-a608-c18faabf3228

Raw Audit Messages
type=AVC msg=audit(1354935680.102:607): avc:  denied  { read } for  pid=14983 comm="logrotate" name="z-push" dev=dm-0 ino=1838986 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir


type=SYSCALL msg=audit(1354935680.102:607): arch=i386 syscall=open success=no exit=EACCES a0=bf855bd0 a1=98800 a2=ee7ff4 a3=0 items=0 ppid=14981 pid=14983 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=43 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,httpd_sys_rw_content_t,dir,read

audit2allow

#============= logrotate_t ==============
allow logrotate_t httpd_sys_rw_content_t:dir read;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t httpd_sys_rw_content_t:dir read;
Comment 1 Robert Scheck 2012-12-09 06:59:30 EST
Duplicate of RHBZ #873885
Comment 2 Miroslav Grepl 2012-12-10 04:50:35 EST
Yes we labeled it as httpd_log_t which would fix this issue. But then there was a problem with httpd+write to this log file instead of append.
Comment 3 Fedora End Of Life 2013-04-03 15:33:29 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 4 Lukas Vrabec 2013-10-24 13:19:27 EDT
$ audit2allow -i avc 


#============= logrotate_t ==============

#!!!! This avc is allowed in the current policy
allow logrotate_t httpd_sys_rw_content_t:dir read;

Note You need to log in before you can comment on or make changes to this bug.