fedora-selinux March 2011 archive

Re: logrotate accessing /root avc messages

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Thu Mar 24 2011 - 18:16:47 GMT
To: Luciano Furtado <lrfurtado@yahoo.com.br>

On 03/24/2011 02:08 PM, Luciano Furtado wrote:
> Hey Guys,
>
>
> Any ideas why logrotate is trying to access /root as shown by the avc
> message below:
>
> lrfurtado:~# ausearch -ts today
> ----
> time->Thu Mar 24 06:25:45 2011
> type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5
> success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192
> pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate"
> exe="/usr/sbin/logrotate"
> subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1300947945.464:26): avc: denied { search } for
> pid=13193 comm="logrotate" name="root" dev=xvda ino=401409
> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
>
>
>
> Is this the issue described here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=471463
>
> For now I have added:
>
> allow logrotate_t unconfined_home_dir_t:dir search;
>
> to my local module to shut up the avc messages. Is there any way to stop
> logrotate from generating those AVC messages other than adding the allow
> rule above?
>
>
> Best Regards.
> Luciano
>
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

If you are using a standard Fedora selinux policy package the /root
directory should be labeled admin_home_t not user_home_dir_t?

rpm -q selinux-policy

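
Added example, not part of the original thread: a small Python parser for the AVC record quoted above that splits the source and target contexts (the MLS level can itself contain colons) and compares the target type with the label the reply expects for /root. The `EXPECTED_TYPE` table and the function names are assumptions made for this illustration; on a live system the expected label comes from the loaded policy (for example via `matchpathcon /root`).

```python
import re

# Constructed sample: the AVC record quoted in the message above, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1300947945.464:26): avc: denied { search } for '
    'pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir'
)

# Assumption taken from the reply: with the standard Fedora policy /root is admin_home_t.
# The record only carries name="root"; treating it as /root follows the thread.
EXPECTED_TYPE = {("root", "dir"): "admin_home_t"}

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    """Split user:role:type[:level]; the MLS level itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return dict(zip(("user", "role", "type", "level"), parts))

def parse_avc(line):
    """Return the fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }

def label_mismatch(avc):
    """Return (found, expected) when the target type differs from the expected label."""
    expected = EXPECTED_TYPE.get((avc["name"], avc["tclass"]))
    found = avc["target"]["type"]
    if expected and found != expected:
        return (found, expected)
    return None
```

For the quoted record, `label_mismatch(parse_avc(SAMPLE_AVC))` reports that the directory carries `unconfined_home_dir_t` where `admin_home_t` is expected, which points at the file label rather than at a missing allow rule.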