After I do a fresh install of a (slightly customised) CentOS 5, a logwatch run is kicked off by anacron. It tries to run a directory size scan, which generates a whole list of errors:

    du: cannot read directory `/var/log/audit': Permission denied
    du: cannot read directory `/var/log/pm': Permission denied
    ...
    du: cannot access `/usr/lib/sa/sa2': Permission denied
    du: cannot read directory `/usr/lib/httpd': Permission denied

with corresponding AVCs:

    type=AVC msg=audit(1271158392.750:101): avc: denied { read } for pid=3429 comm="du" name="audit" dev=dm-4 ino=418914 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
    type=AVC msg=audit(1271158392.845:102): avc: denied { read } for pid=3429 comm="du" name="pm" dev=dm-4 ino=418940 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=dir
    ...
    type=AVC msg=audit(1271158414.619:266): avc: denied { getattr } for pid=3432 comm="du" path="/usr/lib/sa/sa2" dev=dm-1 ino=457413 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file
    type=AVC msg=audit(1271158414.648:267): avc: denied { read } for pid=3432 comm="du" name="httpd" dev=dm-1 ino=422750 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir

However, once the system has settled down and logwatch is being run by cron, the errors no longer appear. Both cron and anacron have the same type:

    -rwxr-xr-x root root system_u:object_r:crond_exec_t /usr/sbin/anacron
    -rwxr-xr-x root root system_u:object_r:crond_exec_t /usr/sbin/crond
    -rwxr-xr-x root root system_u:object_r:logwatch_exec_t /usr/share/logwatch/scripts/logwatch.pl

So why does it fail from one and work from the other?

Moray.
"To err is human. To purr, feline"
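
An added example, not part of the original post: a small Python parser that groups AVC denials like the ones quoted above by source domain, target type and object class, so the full set of denied permissions per pair can be read at a glance. The sample records are two of the AVC lines from the post; the function names are this example's own.

```python
import re
from collections import defaultdict

# Two AVC records copied from the post above.
SAMPLE = """\
type=AVC msg=audit(1271158392.750:101): avc: denied { read } for pid=3429 comm="du" name="audit" dev=dm-4 ino=418914 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1271158414.619:266): avc: denied { getattr } for pid=3432 comm="du" path="/usr/lib/sa/sa2" dev=dm-1 ino=457413 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysstat_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
REQUIRED = {"scontext", "tcontext", "tclass"}

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not a complete one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not REQUIRED <= rec.keys():
        return None  # truncated record: contexts or class missing
    rec["perms"] = m.group("perms").split()
    rec["ts"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))
    # A context is user:role:type[:level]; the MLS level may itself contain ':',
    # so split at most three times and take the third field as the type.
    rec["stype"] = rec["scontext"].split(":", 3)[2]
    rec["ttype"] = rec["tcontext"].split(":", 3)[2]
    return rec

def summarise(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarise(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(sorted(perms))} }}")
```
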