avc denied from logrotate

Attached and below is a short /var/log/messages file showing the avc denied messages that are generated using the current strict policy (selinux-policy-strict-sources-1.14.1-5). Note the messages inserted with "logger" that indicate where I switched from enforcing to permissive to actually get logrotate to work.
HTH and please let me know if you need additional information.
Richard Hally


[root@new2 root]# cat /home/richard/messages.1
Jul 10 02:39:16 new2 syslogd 1.4.1: restart.
Jul 10 02:39:23 new2 kernel: audit(1089441563.715:0): avc: granted { setenforce } for pid=4032 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:40:09 new2 kernel: audit(1089441609.750:0): avc: denied { search } for pid=4045 exe=/usr/bin/postgres name=pgsql dev=hda2 ino=722952 scontext=user_u:user_r:user_t tcontext=system_u:object_r:postgresql_db_t tclass=dir
Jul 10 02:43:15 new2 richard: that was logrotate in enforcing
Jul 10 02:43:34 new2 richard: now setting permissive
Jul 10 02:43:46 new2 kernel: audit(1089441826.619:0): avc: granted { setenforce } for pid=4101 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:44:08 new2 richard: now doing logrotate
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 kernel: audit(1089441856.773:0): avc: denied { use } for pid=4107 exe=/sbin/consoletype path=/dev/null dev=hda2 ino=1064669 scontext=root:system_r:consoletype_t tcontext=root:sysadm_r:logrotate_t tclass=fd
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { read } for pid=4121 exe=/bin/bash name=.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.053:0): avc: denied { getattr } for pid=4121 exe=/bin/bash path=/root/.bashrc dev=hda2 ino=130311 scontext=root:system_r:cupsd_t tcontext=root:object_r:staff_home_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { search } for pid=4123 exe=/usr/bin/id name=selinux dev=hda2 ino=913073 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { read } for pid=4123 exe=/usr/bin/id name=config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 kernel: audit(1089441857.056:0): avc: denied { getattr } for pid=4123 exe=/usr/bin/id path=/etc/selinux/config dev=hda2 ino=914871 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:selinux_config_t tclass=file
Jul 10 02:44:17 new2 cups: cupsd startup succeeded
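
Added example, not part of the original message: a small Python triage script that parses avc lines in the format shown above and groups the denials by source type, target type and object class, so that repeated denials collapse into one entry per domain pair. The sample lines are copied from the log in this message; the function names are assumptions made for the example, and the allow-rule strings are only a compact view for policy review, not a proposed policy change.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the log in this message.
SAMPLE = """\
Jul 10 02:43:46 new2 kernel: audit(1089441826.619:0): avc: granted { setenforce } for pid=4101 exe=/usr/bin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
Jul 10 02:44:16 new2 kernel: audit(1089441856.765:0): avc: denied { transition } for pid=4105 exe=/bin/bash path=/etc/rc.d/init.d/cups dev=hda2 ino=864571 scontext=root:sysadm_r:logrotate_t tcontext=root:system_r:initrc_t tclass=process
Jul 10 02:44:16 new2 cups: cupsd shutdown succeeded
Jul 10 02:44:16 new2 kernel: audit(1089441856.913:0): avc: denied { ioctl } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
Jul 10 02:44:16 new2 kernel: audit(1089441856.914:0): avc: denied { getattr } for pid=4114 exe=/usr/bin/python path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:cupsd_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
"""

# Tolerates the variable spacing seen in the two copies of the log.
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")


def parse_avc(line):
    """Return a dict for an avc line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value fields; this log format has no quoted values or spaces in paths.
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {"result": m.group(1), "perms": m.group(2).split(), **fields}


def summarize_denials(text):
    """Map (source type, target type, class) -> sorted list of denied perms."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue  # skip non-avc lines and 'granted' audit records
        src = rec["scontext"].split(":")[2]  # user:role:type -> type
        tgt = rec["tcontext"].split(":")[2]
        grouped[(src, tgt, rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_allow_rules(summary):
    """Render the summary in allow-rule syntax, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE))))
```

Run over the full log, the grouping shows that most of the denials come from cupsd_t after the cups init script is restarted, not from logrotate_t itself.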


