[SOLVED] Fedora 21 SELinux Report



djl47
17th December 2014, 04:54 PM
Not sure what this one is about. There is only the one message.


SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that logrotate should be allowed read access on the dnf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context system_u:object_r:rpm_var_cache_t:s0
Target Objects /var/cache/dnf [ dir ]
Source logrotate
Source Path logrotate
Port <Unknown>
Host tesseract
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name tesseract
Platform Linux tesseract 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-12-17 03:16:01 PST
Last Seen 2014-12-17 03:16:01 PST
Local ID ed9698ca-90c5-43cc-92ea-6c2c742f9216

Raw Audit Messages
type=AVC msg=audit(1418814961.201:514): avc: denied { read } for pid=6597 comm="logrotate" name="dnf" dev="dm-1" ino=2362486 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0


Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

beighes
17th December 2014, 05:37 PM
I've been getting the same message. I assumed it is due to running F21 on an ancient (relative term) Dell D600.

djl47
17th December 2014, 06:23 PM
I've been getting the same message. I assumed it is due to running F21 on an ancient (relative term) Dell D600.
My system is a four year old HP G72 laptop (Intel core i3) upgraded to 8GB RAM and an SSD.
From http://linuxcommand.org/man_pages/logrotate8.html -

logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.

I'm not sure where dnf fits in and won't have time for more research until I get home from work.

antikythera
17th December 2014, 06:40 PM
There is a fix for this bug on the updates-testing server.

selinux-policy 3.13.1.103.fc21
selinux-policy-targeted 3.13.1.103.fc21

were the files updated on my system.

bugzilla reference:

https://bugzilla.redhat.com/show_bug.cgi?id=1163438

beighes
18th December 2014, 04:02 AM
There is a fix for this bug on the updates-testing server.

selinux-policy 3.13.1.103.fc21
selinux-policy-targeted 3.13.1.103.fc21

were the files updated on my system.

bugzilla reference:

https://bugzilla.redhat.com/show_bug.cgi?id=1163438


So far, so good...........TA!

cadet1811
1st January 2015, 02:27 PM
It's not fixed for me. Selinux-policy-3.13.1-103.fc21 is installed.
***** Plugin catchall (1.44 confidence) suggests **************************

If you believe that logrotate should be allowed read write access on the hawkey.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/dnf/x86_64/21/hawkey.log [ file ]
Source logrotate
Source Path logrotate
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2015-01-01 07:10:01 CST
Last Seen 2015-01-01 07:10:01 CST
Local ID 7c088850-6ea7-4769-b1bc-107fd9b78666

Raw Audit Messages
type=AVC msg=audit(1420117801.811:406): avc: denied { read write } for pid=2613 comm="logrotate" name="hawkey.log" dev="dm-1" ino=1052384 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0


Hash: logrotate,logrotate_t,var_t,file,read,write

I have done the grep/semodule trick every time the alert pops up. But it's still happening?

djl47
2nd January 2015, 04:33 AM
Same module, different resources.

It's not fixed for me. Selinux-policy-3.13.1-103.fc21 is installed.
***** Plugin catchall (1.44 confidence) suggests **************************

If you believe that logrotate should be allowed read write access on the hawkey.log file by default.
Then you should report this as a bug.

Original


***** Plugin catchall (100. confidence) suggests **************************

If you believe that logrotate should be allowed read access on the dnf directory by default.
Then you should report this as a bug.

A number of bugs are logged (Consecutive numbers too.)
https://bugzilla.redhat.com/show_bug.cgi?id=1174825 SELinux is preventing logrotate from 'getattr' accesses on the file /var/cache/dnf/x86_64/21/hawkey.log.
https://bugzilla.redhat.com/show_bug.cgi?id=1178002 SELinux is preventing logrotate from 'setattr' accesses on the file /var/cache/dnf/x86_64/21/hawkey.log.
https://bugzilla.redhat.com/show_bug.cgi?id=1178004 SELinux is preventing logrotate from 'add_name' accesses on the directory hawkey.log-20150101.
https://bugzilla.redhat.com/show_bug.cgi?id=1178003 SELinux is preventing logrotate from 'create' accesses on the file hawkey.log.
https://bugzilla.redhat.com/show_bug.cgi?id=1178005 SELinux is preventing logrotate from 'rename' accesses on the file hawkey.log.
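As an added example (not code from this thread or from the selinux-policy project), this parses the two raw AVC records quoted above and shows the allow rule a catch-all local module built with the suggested grep/audit2allow command would contain, plus a check for why the second one is broader than the first: hawkey.log carries the generic var_t label rather than rpm_var_cache_t, so a module built from the directory denial does not cover it, and an allow rule on var_t reaches every file with that label. The GENERIC_TYPES and WRITE_LIKE sets are my own assumptions, not something sealert or audit2allow computes.

```python
import re

# AVC records as pasted in the thread (djl47's post for the /var/cache/dnf
# directory, cadet1811's post for hawkey.log); only line breaks were re-joined.
AVC_DNF_DIR = ('type=AVC msg=audit(1418814961.201:514): avc: denied { read } for pid=6597 comm="logrotate" name="dnf" dev="dm-1" ino=2362486 '
               'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0')
AVC_HAWKEY_LOG = ('type=AVC msg=audit(1420117801.811:406): avc: denied { read write } for pid=2613 comm="logrotate" name="hawkey.log" dev="dm-1" ino=1052384 '
                  'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumed, hand-picked list of catch-all types: an object carrying one of these
# matched no specific fcontext rule, so an allow rule on it covers far more than one path.
GENERIC_TYPES = {"var_t", "var_lib_t", "etc_t", "usr_t", "tmp_t"}
# Permissions that let the source domain modify the target (assumed grouping).
WRITE_LIKE = {"write", "append", "create", "rename", "unlink", "setattr", "add_name", "remove_name"}


def parse_avc(line):
    """Pull the fields an allow rule needs out of one raw AVC denial record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    avc = m.groupdict()
    avc["perms"] = avc["perms"].split()
    avc["stype"] = avc["scontext"].split(":")[2]   # context is user:role:type:level
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc


def allow_rule(avc):
    """The TE allow rule a catch-all local module derives from this denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {avc["stype"]} {avc["ttype"]}:{avc["tclass"]} {perm_str};'


def assess(avc):
    """Return (rule, warnings): why loading the rule as-is is broader than it looks."""
    warnings = []
    if avc["ttype"] in GENERIC_TYPES:
        warnings.append(f'{avc["ttype"]} is a catch-all label: the object is probably mislabelled, so a fcontext/restorecon fix is preferable to a policy change')
    if WRITE_LIKE & set(avc["perms"]):
        warnings.append(f'rule lets {avc["stype"]} modify every {avc["tclass"]} labelled {avc["ttype"]}, not just this one')
    return allow_rule(avc), warnings
```

Running `assess(parse_avc(AVC_HAWKEY_LOG))` yields `allow logrotate_t var_t:file { read write };` with both warnings, while the directory denial yields a single-permission rule on rpm_var_cache_t with none.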