Dan Thurman wrote:
>
> My logs are reporting many errors, one which appears here:
> Jul 14 20:15:41 bronze setroubleshoot: SELinux is preventing 0logwatch
> (logwatch_t) "read" to sagator (var_log_t). For complete SELinux
> messages. run sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72
>
> .... And more here:
> Jul 14 20:20:06 bronze logrotate: ALERT exited abnormally with [1]
> Jul 14 20:22:02 bronze setroubleshoot: SELinux is preventing updatedb
> (locate_t) "getattr" to /usr/share/sagator (sagator_t). For complete
> SELinux messages. run sealert -l 54affa1b-dd31-4c24-b021-3e5ce8da3fe4
>
> Jul 14 20:27:49 bronze setroubleshoot: SELinux is preventing logrotate
> (logrotate_t) "getattr" to /var/lib/zope/etc/logrotate.conf (var_lib_t).
> For complete SELinux messages. run sealert -l
> 0851295f-58e7-43d8-940c-614514dcfdad
>
> =================================================================
> # sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72
> ==========================================
> Summary:
>
> SELinux is preventing 0logwatch (logwatch_t) "read" to sagator (var_log_t).
>
> Detailed Description:
>
> SELinux denied access requested by 0logwatch. It is not expected that this
> access is required by 0logwatch and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for sagator,
>
> restorecon -v 'sagator'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:logwatch_t:s0
> Target Context                system_u:object_r:var_log_t:s0
> Target Objects                sagator [ lnk_file ]
> Source                        0logwatch
> Source Path                   /usr/bin/perl
> Port                          <Unknown>
> Host                          bronze.cdkkt.com
> Source RPM Packages           perl-5.10.0-30.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-74.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     bronze.cdkkt.com
> Platform                      Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP
>                               Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count                   8
> First Seen                    Mon Jul 14 20:15:41 2008
> Last Seen                     Mon Jul 14 20:15:41 2008
> Local ID                      623798e3-17ec-4751-ae16-e2d92c397e72
> Line Numbers
>
> Raw Audit Messages
>
> host=bronze.cdkkt.com type=AVC msg=audit(1216091741.414:1543): avc:
> denied { read } for pid=19074 comm="0logwatch" name="sagator" dev=sda6
> ino=86871 scontext=system_u:system_r:logwatch_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1216091741.414:1543):
> arch=40000003 syscall=5 success=no exit=-13 a0=bf87c1c8 a1=98800
> a2=8a67e30 a3=bf87c1c8 items=0 ppid=15038 pid=19074 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="0logwatch" exe="/usr/bin/perl"
> subj=system_u:system_r:logwatch_t:s0 key=(null)
>
> =================================================================
> # sealert -l 0851295f-58e7-43d8-940c-614514dcfdad
> # ls -lZ /var/lib/zope/etc/logrotate.conf
> -rw-r--r-- root zope system_u:object_r:var_lib_t:s0 /var/lib/zope/etc/logrotate.conf
> ==========================================
> Summary:
>
> SELinux is preventing logrotate (logrotate_t) "getattr" to
> /var/lib/zope/etc/logrotate.conf (var_lib_t).
>
> Detailed Description:
>
> SELinux denied access requested by logrotate. It is not expected that this
> access is required by logrotate and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /var/lib/zope/etc/logrotate.conf,
>
> restorecon -v '/var/lib/zope/etc/logrotate.conf'
>
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
> Or you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:logrotate_t:s0
> Target Context                system_u:object_r:var_lib_t:s0
> Target Objects                /var/lib/zope/etc/logrotate.conf [ file ]
> Source                        logrotate
> Source Path                   /usr/sbin/logrotate
> Port                          <Unknown>
> Host                          bronze.cdkkt.com
> Source RPM Packages           logrotate-3.7.6-5.fc9
> Target RPM Packages           compat-zope-2.10.5-3.lvn9
> Policy RPM                    selinux-policy-3.3.1-74.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file
> Host Name                     bronze.cdkkt.com
> Platform                      Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP
>                               Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count                   1
> First Seen                    Mon Jul 14 20:27:49 2008
> Last Seen                     Mon Jul 14 20:27:49 2008
> Local ID                      0851295f-58e7-43d8-940c-614514dcfdad
> Line Numbers
>
> Raw Audit Messages
>
> host=bronze.cdkkt.com type=AVC msg=audit(1216092469.664:1690): avc:
> denied { getattr } for pid=6689 comm="logrotate"
> path="/var/lib/zope/etc/logrotate.conf" dev=sda6 ino=2220768
> scontext=system_u:system_r:logrotate_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1216092469.664:1690):
> arch=40000003 syscall=195 success=no exit=-13 a0=bfb60ec5 a1=bfb5fa2c
> a2=bcbff4 a3=bfb5fac4 items=0 ppid=6687 pid=6689 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate"
> subj=system_u:system_r:logrotate_t:s0 key=(null)
> =================================================================
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Open bugzillas on Zope to put their stuff in normal locations.

/var/lib/zope/etc/logrotate.conf jeesh...

CC me on the bugzilla.

You can add these rules using audit2allow

# grep log /var/log/audit/audit.log | audit2allow -M myzopeinweirddir
# semodule -i myzopeinweirddir.pp
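The audit2allow step above turns raw AVC records into allow rules, and it helps to see what that translation does before loading a module that may paper over a labeling problem or a real intrusion. The following is an added illustration, not code from the list or from audit2allow: a minimal re-implementation of the rule-generation part, fed the two AVC lines quoted in the thread (the SYSCALL record is included only to show it is skipped).

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread above, plus
# the SYSCALL record that follows the first one (it carries no denial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1216091741.414:1543): avc: denied { read } for pid=19074 comm="0logwatch" name="sagator" dev=sda6 ino=86871 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1216091741.414:1543): arch=40000003 syscall=5 success=no exit=-13 comm="0logwatch" exe="/usr/bin/perl"
type=AVC msg=audit(1216092469.664:1690): avc: denied { getattr } for pid=6689 comm="logrotate" path="/var/lib/zope/etc/logrotate.conf" dev=sda6 ino=2220768 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# One AVC denial: the permission set in braces, then the two contexts
# and the object class that together determine the allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """user:role:type[:level] -> type (the part policy rules refer to)."""
    return context.split(":")[2]

def collect_rules(audit_text):
    """Group denials by (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH, CWD ... records are not denials
            continue
        key = (selinux_type(m["scontext"]),
               selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def te_lines(rules):
    """Render grouped denials as allow rules in audit2allow's .te style."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return out

if __name__ == "__main__":
    for rule in te_lines(collect_rules(SAMPLE_AUDIT)):
        print(rule)
```

Seeing `allow logrotate_t var_lib_t:file getattr;` spelled out makes the point of the reply visible: the rule grants logrotate access to every var_lib_t file, which is why fixing the file's location or label is preferable to loading the module.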