fedora-selinux March 2011 archive

Re: logrotate accessing /root avc messages

From: Dominick Grift <domg472_at_nospam>
Date: Thu Mar 24 2011 - 21:08:45 GMT
To: selinux@lists.fedoraproject.org

On 03/24/2011 09:42 PM, Luciano Furtado wrote:
> Hi Daniel,
>
> Sorry I did not mention this earlier. This is a Debian machine. I was
> not aware that they had their own policies.
>
> lrfurtado:~# dpkg -l | grep selinux
> ii libselinux1 2.0.65-5 SELinux shared libraries
> ii python-selinux 2.0.65-5 Python bindings to SELinux shared libraries
> ii selinux-basics 0.3.5 SELinux basic support
> ii selinux-policy-default 2:0.0.20080702-6 Strict and Targeted variants of the SELinux
> ii selinux-policy-dev 2:0.0.20080702-6 Headers from the SELinux reference policy fo
> ii selinux-utils 2.0.65-5 SELinux utility programs
> lrfurtado:~# dpkg -l | grep logrotate
> ii logrotate 3.7.1-5 Log rotation utility
> lrfurtado:~# cat /etc/debian_version
> 5.0.7
> lrfurtado:~#
>
> On 11-03-24 14:16, Daniel J Walsh wrote:
>> On 03/24/2011 02:08 PM, Luciano Furtado wrote:
>>> Hey Guys,
>>>
>>> Any ideas why logrotate is trying to access /root as shown by the avc
>>> message below:
>>>
>>> lrfurtado:~# ausearch -ts today
>>> ----
>>> time->Thu Mar 24 06:25:45 2011
>>> type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5
>>> success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192
>>> pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate"
>>> exe="/usr/sbin/logrotate"
>>> subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
>>> type=AVC msg=audit(1300947945.464:26): avc: denied { search } for
>>> pid=13193 comm="logrotate" name="root" dev=xvda ino=401409
>>> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir

Were you maybe running logrotate manually as root? It may be a "current
pwd" thing.

>>>
>>> is this the issue described here:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=471463
>>>
>>> For now I have added:
>>>
>>> allow logrotate_t unconfined_home_dir_t:dir search;
>>>
>>> to my local module to shut up the avc messages. Is there any way to stop
>>> logrotate from generating those AVC messages other than adding the allow
>>> rule above?
>>>
>>> Best Regards.
>>> Luciano
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
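An added example, not from the thread: it parses the two audit records Luciano quoted, pulls out the source/target types and the denied permission, flags the "search on a home directory" pattern Dominick's "current pwd" remark points at, and renders both the allow rule from the thread and the dontaudit alternative (which keeps the denial but stops it being logged). The regexes, function names and the pattern heuristic are my own.

```python
import re

# Constructed sample: the SYSCALL and AVC records quoted in the thread, re-joined onto one line each.
AUDIT_TEXT = """\
time->Thu Mar 24 06:25:45 2011
type=SYSCALL msg=audit(1300947945.464:26): arch=40000003 syscall=5 success=no exit=-13 a0=88404c0 a1=8000 a2=0 a3=8000 items=0 ppid=13192 pid=13193 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1300947945.464:26): avc: denied { search } for pid=13193 comm="logrotate" name="root" dev=xvda ino=401409 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
"""

HEAD_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*(.*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key="v", key=(v) or key=v

def parse_record(line):
    """Turn one 'type=... msg=audit(...)' line into a dict; None for other lines."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = dict(zip(("type", "ts", "serial"), m.groups()[:3]))
    rest = m.group(4)
    if rec["type"] == "AVC":  # peel off 'avc: denied { perms } for' first
        a = AVC_RE.search(rest)
        rec["decision"], rec["perms"], rest = a.group(1), a.group(2).split(), a.group(3)
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(rest))
    return rec

def parse_audit(text):
    """Group records sharing one audit serial (here the SYSCALL + AVC of event 26)."""
    events = {}
    for rec in filter(None, map(parse_record, text.splitlines())):
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events

def classify(event):
    """Summarise a denial; flag the thread's pattern: a daemon denied 'search' on a
    home directory, as happens when it is started by hand from a shell whose cwd is /root."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    s = {"source_type": avc["scontext"].split(":")[2],
         "target_type": avc["tcontext"].split(":")[2],
         "tclass": avc["tclass"], "perms": avc["perms"],
         "errno": int(sc["exit"]) if "exit" in sc else None}  # -13 is EACCES
    s["cwd_search_pattern"] = (s["tclass"] == "dir" and s["perms"] == ["search"]
                               and s["target_type"].endswith("home_dir_t"))
    return s

def policy_rules(s):
    """The thread's allow rule, and the dontaudit form that silences the AVC without granting access."""
    perms = s["perms"][0] if len(s["perms"]) == 1 else "{ %s }" % " ".join(s["perms"])
    stmt = "%s %s:%s %s;" % (s["source_type"], s["target_type"], s["tclass"], perms)
    return {"allow": "allow " + stmt, "dontaudit": "dontaudit " + stmt}
```

Because dontaudit only hides the message, the EACCES the process gets is unchanged, so running the rotation from cron (cwd not under /root) rather than from a root shell is still the cleaner fix if the cwd guess is right.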
