Logrotate frustration

Arthur Dent misc.lists at blueyonder.co.uk
Mon Dec 14 10:01:07 UTC 2009


On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> > On 12/06/2009 04:38 AM, Arthur Dent wrote:
> > > Hello all,
> > > 
> > > It seems that almost every week logrotate is throwing up a new AVC. I
> > > have an almost vanilla F11 install with most packages installed via yum
> > > and yet I keep getting these. Each time I audit2allow and build a new
> > > policy. My "mylogr.te" is now at version 7. Am I missing a bool or is
> > > there something else I'm lacking?
> > > 
> > > Here is the latest version of my policy:
> > > 
> > > 
> > > ===============8<==================================================
> > > 
> > > module mylogr 11.1.7;
> > > 
> > > require {
> > > 	type mail_spool_t;
> > > 	type logrotate_t;
> > > 	type fail2ban_var_run_t;
> > > 	type initrc_t;
> > > 	type squid_log_t;
> > > 	class dir { read open write remove_name };
> > > 	class file { getattr read write open setattr };
> > > 	class sock_file write;
> > > 	class unix_stream_socket connectto;
> > > 	class lnk_file rename;
> > > }
> > > 
> > > #============= logrotate_t ==============
> > > # mail spool on the backup partition (mbox files written by procmail)
> > > allow logrotate_t mail_spool_t:file { getattr read write open setattr };
> > > allow logrotate_t mail_spool_t:dir { read open write remove_name };
> > > # fail2ban socket and init-script socket touched by postrotate scripts
> > > allow logrotate_t fail2ban_var_run_t:sock_file write;
> > > allow logrotate_t initrc_t:unix_stream_socket connectto;
> > > # squidGuard.log is a symlink, hence lnk_file rather than file
> > > allow logrotate_t squid_log_t:lnk_file rename;
> > > 
> > > ===============8<==================================================
> > > 
> > > 
> > > This was today's AVC that necessitated the inclusion of the squid stuff:
> > > 
> > > ===============8<==================================================
> > > Raw Audit Messages :
> > > 
> > > node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file 
> > > node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 a0=890b130 a1=8908760 a2=890b060 a3=0 items=0 ppid=12300 pid=12302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2275 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
> > > ===============8<==================================================
> > > 
> > > 
> > > 
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
> > 
> > Are you using a custom logrotate to rotate mail_spool?
> > 
> > Why is 
> 
> I think that my problem with mailspool/logrotate is that it relates to
> my mail backup system in which procmail places a copy of every mail (in
> mbox format) onto a separate partition on the same machine. This seemed
> to cause labelling problems and we went round the houses on this issue a
> while back ("Partitions Mounted by fstab" 5 March 2008 -
> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00030.html)
> 
> Thanks for your help - much appreciated...
> 
> Mark

OK - Following another arm of this thread I have (last week) done a
complete relabel and removed my existing fail2ban and logrotate local
policies.

As a result of yesterday's weekly log rotate squid threw up another
couple of AVCs related to log_lnk (see below).

I have created another local policy but, do I understand you correctly,
Daniel, that you may include log_lnk in a future targeted policy?

Here is my new logrotate policy:

===============8<==================================================

module mylogr 11.2.2;

require {
	type mail_spool_t;
	type logrotate_t;
	type squid_log_t;
	class file getattr;
	class lnk_file { rename unlink };
}

#============= logrotate_t ==============
# stat() of the mbox copy under /mnt/backup/mail
allow logrotate_t mail_spool_t:file getattr;
# squidGuard.log is a symlink: rotation renames it and unlinks the old .1
allow logrotate_t squid_log_t:lnk_file { rename unlink };

===============8<==================================================

Is this OK?

Thanks for any help or suggestions...

Mark

p.s.

Logrotate AVCs

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260331775.761:1220): avc: denied { getattr } for pid=31349 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file 
node=troodos.org.uk type=SYSCALL msg=audit(1260331775.761:1220): arch=40000003 syscall=196 success=yes exit=0 a0=9e59668 a1=bfd3e864 a2=bf5ff4 a3=1 items=0 ppid=31347 pid=31349 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=257 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260675470.813:43484): avc: denied { rename } for pid=11490 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file 
node=troodos.org.uk type=SYSCALL msg=audit(1260675470.813:43484): arch=40000003 syscall=38 success=yes exit=0 a0=8295138 a1=8298f98 a2=8295068 a3=0 items=0 ppid=11488 pid=11490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1554 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260675471.68:43485): avc: denied { unlink } for pid=11490 comm="logrotate" name="squidGuard.log.1" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file 
node=troodos.org.uk type=SYSCALL msg=audit(1260675471.68:43485): arch=40000003 syscall=10 success=yes exit=0 a0=8298f98 a1=bfbeffa8 a2=8298f98 a3=bfbeff70 items=0 ppid=11488 pid=11490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1554 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 


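The policy above is what audit2allow produces from the three AVC records quoted in the P.S.: it groups denials by (source type, target type, object class) and unions the denied permissions into one allow rule per group. The following Python script, written here as an added example and not part of the thread or of the audit2allow tool itself, reproduces that aggregation on the AVC lines quoted above (embedded inline, trimmed to the fields the parser needs) so the generated module can be compared with the hand-built mylogr 11.2.2. It also pairs each AVC with its SYSCALL record by event id and reports `success=yes`, which for a denied AVC means the kernel only logged the denial and let the call through, as a permissive domain or a system in permissive mode would. The function names (`parse_audit`, `build_module`, `logged_but_allowed`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC/SYSCALL pairs quoted in the P.S. above,
# trimmed to the fields this parser needs (node names are the page's own).
SAMPLE_AUDIT = """\
node=troodos.org.uk type=AVC msg=audit(1260331775.761:1220): avc: denied { getattr } for pid=31349 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1260331775.761:1220): arch=40000003 syscall=196 success=yes exit=0 ppid=31347 pid=31349 comm="logrotate" exe="/usr/sbin/logrotate"
node=troodos.org.uk type=AVC msg=audit(1260675470.813:43484): avc: denied { rename } for pid=11490 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=SYSCALL msg=audit(1260675470.813:43484): arch=40000003 syscall=38 success=yes exit=0 ppid=11488 pid=11490 comm="logrotate" exe="/usr/sbin/logrotate"
node=troodos.org.uk type=AVC msg=audit(1260675471.68:43485): avc: denied { unlink } for pid=11490 comm="logrotate" name="squidGuard.log.1" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=SYSCALL msg=audit(1260675471.68:43485): arch=40000003 syscall=10 success=yes exit=0 ppid=11488 pid=11490 comm="logrotate" exe="/usr/sbin/logrotate"
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*?\bsuccess=(?P<success>yes|no)\b'
)


def context_type(ctx):
    """Return the type field of a context of the form user:role:type[:range]."""
    return ctx.split(':')[2]


def parse_audit(text):
    """Turn raw audit lines into denial records.

    Each record carries the source and target *types*, the object class and the
    set of denied permissions. 'syscall_succeeded' comes from the SYSCALL record
    with the same event id: True means the denial was logged but not enforced.
    """
    outcomes = {m.group('event'): m.group('success') == 'yes'
                for m in SYSCALL_RE.finditer(text)}
    records = []
    for m in AVC_RE.finditer(text):
        records.append({
            'event': m.group('event'),
            'perms': set(m.group('perms').split()),
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'syscall_succeeded': outcomes.get(m.group('event')),
        })
    return records


def logged_but_allowed(records):
    """Event ids whose denial did not actually fail the syscall (permissive)."""
    return [r['event'] for r in records if r['syscall_succeeded']]


def _fmt(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_module(records, name='mylogr', version='1.0'):
    """Emit a .te module: one allow rule per (source, target, class), permissions unioned."""
    rules = defaultdict(set)
    for r in records:
        rules[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f'module {name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {_fmt(classes[c])};' for c in sorted(classes)]
    lines += ['}', '']
    for stype in sorted({k[0] for k in rules}):
        lines.append(f'#============= {stype} ==============')
        for key in sorted(rules):
            if key[0] == stype:
                lines.append(f'allow {key[0]} {key[1]}:{key[2]} {_fmt(rules[key])};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT)
    print(build_module(recs, 'mylogr', '11.2.2'))
    print('# denials logged but not enforced:', logged_but_allowed(recs))
```

Run as-is it prints a module equivalent to mylogr 11.2.2 (the same two allow rules, types listed alphabetically). The generated .te is built and loaded the usual way: `checkmodule -M -m -o mylogr.mod mylogr.te`, `semodule_package -o mylogr.pp -m mylogr.mod`, `semodule -i mylogr.pp`. The second line of output is worth a look before loading anything: all three of the quoted denials have `success=yes` on the SYSCALL record, so they were recorded without stopping logrotate, which is the behaviour of a permissive domain rather than of an enforcing one.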