avc denied from logrotate

Richard Hally rhallyx at mindspring.com
Sat Jul 10 06:57:57 UTC 2004


Attached and below is a short /var/log/messages file showing the avc 
denied messages that are generated using the current strict 
policy (selinux-policy-strict-sources-1.14.1-5). Note the messages 
inserted with "logger" that indicate where I switched from enforcing to 
permissive to actually get logrotate to work.
HTH and please let me know if you need additional information.
Richard Hally

[root at new2 root]# cat /home/richard/messages.1
Jul 10 02:39:16 new2 syslogd 1.4.1: restart.
Jul 10 02:39:23 new2 kernel: audit(1089441563.715:0): avc:  granted  { setenforce } for  pid=4032 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:40:09 new2 kernel: audit(1089441609.750:0): avc:  denied  { search } for  pid=4045 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jul 10 02:43:15 new2 richard: that was logrotate in enforcing
Jul 10 02:43:34 new2 richard: now setting permissive
Jul 10 02:43:46 new2 kernel: audit(1089441826.619:0): avc:  granted  { setenforce } for  pid=4101 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc:  denied  { transition } for  pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc:  denied  { use } for  pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc:  denied  { ioctl } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc:  denied  { getattr } for  pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc:  denied  { read } for  pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc:  denied  { getattr } for  pid=4121 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc:  denied  { search } for  pid=4123 exe=/usr/bin/id name=selinux dev=hda2 ino=913073 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc:  denied  { read } for  pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc:  denied  { getattr } for  pid=4123 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 cups: cupsd startup succeeded
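As an added example (not part of Richard's message or of the SELinux policy package), here is a small Python parser for the kernel "audit(...): avc: denied { perm } for ..." record format quoted above. It is run over a constructed sample made of a few of those lines re-joined onto single lines, and it tallies denials by source type, target type, object class and permission, which is the first thing to look at when deciding whether a denial is a missing policy rule (logrotate_t being refused a transition to initrc_t) or a mislabelled object.

```python
import re
from collections import Counter

# Constructed sample: AVC records quoted in the post above, one per line.
SAMPLE_LOG = """\
Jul 10 02:40:09 new2 kernel: audit(1089441609.750:0): avc:  denied  { search } for  pid=4045 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jul 10 02:43:15 new2 richard: that was logrotate in enforcing
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc:  denied  { transition } for  pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc:  denied  { use } for  pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc:  denied  { read } for  pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
"""

# Matches the 2.6-era kernel AVC record: timestamp, granted/denied,
# the permission set in braces, then the key=value fields.
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):\d+\): avc:\s+(?P<result>granted|denied)\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "result": m.group("result"),
           "perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    # A context is user:role:type; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].rsplit(":", 1)[-1]
    rec["ttype"] = rec["tcontext"].rsplit(":", 1)[-1]
    return rec

def summarize_denials(text):
    """Count denied (source type, target type, class, permission) tuples."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (s, t, c, p), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {s} -> {t} ({c}) {p}")
```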
