Problems with logwatch, sagator and zope?
Daniel J Walsh
dwalsh at redhat.com
Wed Jul 16 13:59:37 UTC 2008
Dan Thurman wrote:
>
> My logs are reporting many errors, one which appears here:
> Jul 14 20:15:41 bronze setroubleshoot: SELinux is preventing 0logwatch
> (logwatch_t) "read" to sagator (var_log_t). For complete SELinux
> messages. run sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72
>
> .... And more here:
> Jul 14 20:20:06 bronze logrotate: ALERT exited abnormally with [1]
> Jul 14 20:22:02 bronze setroubleshoot: SELinux is preventing updatedb
> (locate_t) "getattr" to /usr/share/sagator (sagator_t). For complete
> SELinux messages. run sealert -l 54affa1b-dd31-4c24-b021-3e5ce8da3fe4
>
> Jul 14 20:27:49 bronze setroubleshoot: SELinux is preventing logrotate
> (logrotate_t) "getattr" to /var/lib/zope/etc/logrotate.conf (var_lib_t).
> For complete SELinux messages. run sealert -l
> 0851295f-58e7-43d8-940c-614514dcfdad
>
> =================================================================
> # sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72
> ==========================================
> Summary:
>
> SELinux is preventing 0logwatch (logwatch_t) "read" to sagator (var_log_t).
>
> Detailed Description:
>
> SELinux denied access requested by 0logwatch. It is not expected that this
> access is required by 0logwatch and this access may signal an intrusion
> attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for sagator,
>
> restorecon -v 'sagator'
>
> If this does not work, there is currently no automatic way to allow this
> access.
> Instead, you can generate a local policy module to allow this access -
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:logwatch_t:s0
> Target Context system_u:object_r:var_log_t:s0
> Target Objects sagator [ lnk_file ]
> Source 0logwatch
> Source Path /usr/bin/perl
> Port <Unknown>
> Host bronze.cdkkt.com
> Source RPM Packages perl-5.10.0-30.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-74.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name bronze.cdkkt.com
> Platform Linux bronze.cdkkt.com
> 2.6.25.9-76.fc9.i686 #1 SMP
> Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count 8
> First Seen Mon Jul 14 20:15:41 2008
> Last Seen Mon Jul 14 20:15:41 2008
> Local ID 623798e3-17ec-4751-ae16-e2d92c397e72
> Line Numbers
> Raw Audit Messages
> host=bronze.cdkkt.com type=AVC msg=audit(1216091741.414:1543): avc:
> denied { read } for pid=19074 comm="0logwatch" name="sagator" dev=sda6
> ino=86871 scontext=system_u:system_r:logwatch_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1216091741.414:1543):
> arch=40000003 syscall=5 success=no exit=-13 a0=bf87c1c8 a1=98800
> a2=8a67e30 a3=bf87c1c8 items=0 ppid=15038 pid=19074 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="0logwatch" exe="/usr/bin/perl"
> subj=system_u:system_r:logwatch_t:s0 key=(null)
>
> =================================================================
> # sealert -l 0851295f-58e7-43d8-940c-614514dcfdad
> # ls -lZ /var/lib/zope/etc/logrotate.conf
> -rw-r--r-- root zope system_u:object_r:var_lib_t:s0
> /var/lib/zope/etc/logrotate.conf
> ==========================================
> Summary:
>
> SELinux is preventing logrotate (logrotate_t) "getattr" to
> /var/lib/zope/etc/logrotate.conf (var_lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by logrotate. It is not expected that this
> access is required by logrotate and this access may signal an intrusion
> attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore
> the default system file context for /var/lib/zope/etc/logrotate.conf,
>
> restorecon -v '/var/lib/zope/etc/logrotate.conf'
>
> If this does not work, there is currently no automatic way to allow this
> access.
> Instead, you can generate a local policy module to allow this access -
> see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:logrotate_t:s0
> Target Context system_u:object_r:var_lib_t:s0
> Target Objects /var/lib/zope/etc/logrotate.conf [ file ]
> Source logrotate
> Source Path /usr/sbin/logrotate
> Port <Unknown>
> Host bronze.cdkkt.com
> Source RPM Packages logrotate-3.7.6-5.fc9
> Target RPM Packages compat-zope-2.10.5-3.lvn9
> Policy RPM selinux-policy-3.3.1-74.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name bronze.cdkkt.com
> Platform Linux bronze.cdkkt.com
> 2.6.25.9-76.fc9.i686 #1 SMP
> Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count 1
> First Seen Mon Jul 14 20:27:49 2008
> Last Seen Mon Jul 14 20:27:49 2008
> Local ID 0851295f-58e7-43d8-940c-614514dcfdad
> Line Numbers
> Raw Audit Messages
> host=bronze.cdkkt.com type=AVC msg=audit(1216092469.664:1690): avc:
> denied { getattr } for pid=6689 comm="logrotate"
> path="/var/lib/zope/etc/logrotate.conf" dev=sda6 ino=2220768
> scontext=system_u:system_r:logrotate_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1216092469.664:1690):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfb60ec5 a1=bfb5fa2c
> a2=bcbff4 a3=bfb5fac4 items=0 ppid=6687 pid=6689 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate"
> subj=system_u:system_r:logrotate_t:s0 key=(null)
> =================================================================
>
Open bugzillas on Zope to put their stuff in normal locations.
/var/lib/zope/etc/logrotate.conf jeesh...
CC me on the bugzilla.
You can add these rules using audit2allow
# grep log /var/log/audit/audit.log | audit2allow -M myzopeinweirddir
# semodule -i myzopeinweirddir.pp