z-push (http://z-push.sourceforge.net/) is a server providing the Microsoft Exchange ActiveSync protocol for some open source platforms (namely, Zarafa). It is distributed in rpmfusion.

SELinux is preventing /usr/sbin/logrotate from read access on the directory z-push.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that logrotate should be allowed read access on the z-push directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                z-push [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          luther
Source RPM Packages           logrotate-3.7.8-15.el6.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-185.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     luther
Platform                      Linux luther 2.6.32-279.14.1.el6.i686 #1 SMP Mon Oct 15 13:43:38 EDT 2012 i686 i686
Alert Count                   1
First Seen                    Sat Dec 8 04:01:20 2012
Last Seen                     Sat Dec 8 04:01:20 2012
Local ID                      46589906-20ce-49f4-a608-c18faabf3228

Raw Audit Messages
type=AVC msg=audit(1354935680.102:607): avc: denied { read } for pid=14983 comm="logrotate" name="z-push" dev=dm-0 ino=1838986 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1354935680.102:607): arch=i386 syscall=open success=no exit=EACCES a0=bf855bd0 a1=98800 a2=ee7ff4 a3=0 items=0 ppid=14981 pid=14983 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=43 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,httpd_sys_rw_content_t,dir,read

audit2allow

#============= logrotate_t ==============
allow logrotate_t httpd_sys_rw_content_t:dir read;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t httpd_sys_rw_content_t:dir read;
Duplicate of RHBZ #873885
Yes, we labeled it as httpd_log_t, which would fix this issue. But then there was a problem with httpd writing to this log file instead of appending.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
$ audit2allow -i avc

#============= logrotate_t ==============
#!!!! This avc is allowed in the current policy
allow logrotate_t httpd_sys_rw_content_t:dir read;
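As an added example (not part of this report, of setroubleshoot or of audit2allow), the Python below parses a raw AVC record like the one in the report, reproduces the allow rule that audit2allow prints in the report and in the last comment, and applies the point made in the maintainer's reply: a logrotate_t denial against a non-log type is a labeling problem to check before any local policy module is built. The sample record is copied from the report; the function names and the relabel heuristic are this example's own assumptions.

```python
import re

# Constructed sample: the AVC record quoted in the report above, on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1354935680.102:607): avc: denied { read } for pid=14983 '
    'comm="logrotate" name="z-push" dev=dm-0 ino=1838986 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir'
)

# Fields of an AVC record in the order the kernel emits them.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['perms'] = rec['perms'].split()
    # The type is the third field of a context: user:role:type[:range].
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def allow_rule(rec):
    """The TE rule audit2allow prints for this record (braces only for >1 perm)."""
    perms = rec['perms']
    perms_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perms_str)


def likely_mislabelled(rec):
    """Heuristic (assumption): logrotate_t touching a type that is not a *_log_t
    type, as in this report, points at a mislabelled log directory; the fix the
    maintainers chose was to relabel (httpd_log_t), not to widen logrotate_t."""
    return rec['stype'] == 'logrotate_t' and not rec['ttype'].endswith('_log_t')


def triage(line):
    """Map one audit line to the rule audit2allow would emit plus a next step."""
    rec = parse_avc(line)
    if rec is None:
        return None
    step = ('check file context first (semanage fcontext / restorecon)'
            if likely_mislabelled(rec) else 'consider a local policy module')
    return {'rule': allow_rule(rec), 'next_step': step}
```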