Logrotate frustration
Arthur Dent
misc.lists at blueyonder.co.uk
Mon Dec 14 10:01:07 UTC 2009
On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> > On 12/06/2009 04:38 AM, Arthur Dent wrote:
> > > Hello all,
> > >
> > > Its seems that almost every week logrotate is throwing up a new AVC. I
> > > have an almost vanilla F11 install with most packages installed via yum
> > > and yet I keep getting these. Each time I audit2allow and build a new
> > > policy. My "mylogr.te" is now at version 7. Am I missing a bool or is
> > > there something else I'm lacking?
> > >
> > > Here is the latest version of my policy:
> > >
> > >
> > > ===============8<==================================================
> > >
> > > module mylogr 11.1.7;
> > >
> > > require {
> > > type mail_spool_t;
> > > type logrotate_t;
> > > type fail2ban_var_run_t;
> > > type initrc_t;
> > > type squid_log_t;
> > > class dir {read open write remove_name};
> > > class file { getattr read write open};
> > > class file setattr;
> > > class sock_file write;
> > > class unix_stream_socket connectto;
> > > class lnk_file rename;
> > > }
> > >
> > > #============= logrotate_t ==============
> > > allow logrotate_t mail_spool_t:file { getattr read write open };
> > > allow logrotate_t mail_spool_t:dir { read open write remove_name};
> > > allow logrotate_t mail_spool_t:file setattr;
> > > allow logrotate_t fail2ban_var_run_t:sock_file write;
> > > allow logrotate_t initrc_t:unix_stream_socket connectto;
> > > allow logrotate_t squid_log_t:lnk_file rename;
> > >
> > > ===============8<==================================================
> > >
> > >
> > > This was today's AVC that necessitated the inclusion of the squid stuff:
> > >
> > > ===============8<==================================================
> > > Raw Audit Messages :
> > >
> > > node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
> > > node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 a0=890b130 a1=8908760 a2=890b060 a3=0 items=0 ppid=12300 pid=12302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2275 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
> > > ===============8<==================================================
> > >
> > >
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
> >
> > Are you using a custom logrotate to rotate mail_spool?
> >
> > Why is
>
> I think that my problem with mailspool/logrotate is that it relates to
> my mail backup system in which procmail places a copy of every mail (in
> mbox format) onto a separate partition on the same machine. This seemed
> to cause labelling problems and we went round the houses on this issue a
> while back ("Partitions Mounted by fstab" 5 March 2008 -
> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00030.html)
>
> Thanks for your help - much appreciated...
>
> Mark
OK - Following another arm of this thread I have (last week) done a
complete relabel and removed my existing fail2ban and logrotate local
policies.
As a result of yesterday's weekly log rotate squid threw up another
couple of AVCs related to log_lnk (see below).
I have created another local policy but, do I understand you correctly
Daniel that you may include log_lnk in a future targeted policy?
Here is my new logrotate policy:
===============8<==================================================
module mylogr 11.2.2;
require {
type mail_spool_t;
type logrotate_t;
type squid_log_t;
class file getattr;
class lnk_file { rename unlink };
}
#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;
allow logrotate_t squid_log_t:lnk_file { rename unlink };
===============8<==================================================
Is this OK?
Thanks for any help or suggestions...
Mark
p.s.
Logrotate AVCs
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260331775.761:1220): avc: denied { getattr } for pid=31349 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1260331775.761:1220): arch=40000003 syscall=196 success=yes exit=0 a0=9e59668 a1=bfd3e864 a2=bf5ff4 a3=1 items=0 ppid=31347 pid=31349 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=257 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260675470.813:43484): avc: denied { rename } for pid=11490 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=SYSCALL msg=audit(1260675470.813:43484): arch=40000003 syscall=38 success=yes exit=0 a0=8295138 a1=8298f98 a2=8295068 a3=0 items=0 ppid=11488 pid=11490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1554 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260675471.68:43485): avc: denied { unlink } for pid=11490 comm="logrotate" name="squidGuard.log.1" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=SYSCALL msg=audit(1260675471.68:43485): arch=40000003 syscall=10 success=yes exit=0 a0=8298f98 a1=bfbeffa8 a2=8298f98 a3=bfbeff70 items=0 ppid=11488 pid=11490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1554 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091214/aefac767/attachment.sig>
More information about the fedora-selinux-list
mailing list