Re: SELinux alert in Fedora 21

I got the same message today.  It looks harmless, and it's either a bug in policy or is a good reason for dnf to store its logs some place other than /var/cache.  The cron that generates this is run yearly, so it's likely that this isn't encountered that often.

[root@localhost jrm16020]# cat /etc/logrotate.d/dnf
/var/log/dnf.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.rpm.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.plugin.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}


[root@localhost jrm16020]# sesearch -A -C -s logrotate_t -t rpm_var_cache_t -c dir
Found 1 semantic av rules:
   allow logrotate_t file_type : dir { getattr search open } ;

On Sun, Dec 14, 2014 at 4:27 PM, Shintaro Fujiwara <shintaro.fujiwara@xxxxxxxxx> wrote:
Hi, I run SELinux on Fedora 21.
I got this alert.

What's this?


SELinux is preventing /usr/sbin/logrotate from read access on the directory /var/cache/dnf.

*****  Plugin catchall (100. confidence) suggests   **************************
Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           logrotate-3.8.7-4.fc21.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.17.6-300.fc21.x86_64
                              #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-15 07:21:01 JST
Last Seen                     2014-12-15 07:21:01 JST
Local ID                      4f20b888-a8fd-484b-a665-dcd7b149502d

Raw Audit Messages
type=AVC msg=audit(1418595661.775:465): avc:  denied  { read } for  pid=6758 comm="logrotate" name="dnf" dev="dm-1" ino=3148310 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0 items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

[fujiwara@localhost ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29



--
A page for establishing heavy metal and hard rock in Japan

Free software that makes SELinux, the secure OS, easier to use around the world
http://sourceforge.net/projects/segatex/

CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
https://github.com/intrajp/irforum_jp

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux


--
Jeremy Young, M.S., RHCSA
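Added example (not code from either poster): it parses the raw AVC record quoted above, reproduces the `Hash:` line setroubleshoot printed, and compares the denied permission with what Jeremy's sesearch output says logrotate_t already holds on directories. The sample line and the allowed-permission set are taken from this thread; the function names and the rule layout are assumptions.

```python
import re

# Constructed sample: the AVC record quoted in this thread, reproduced verbatim.
AVC_LINE = (
    'type=AVC msg=audit(1418595661.775:465): avc:  denied  { read } for  pid=6758 '
    'comm="logrotate" name="dnf" dev="dm-1" ino=3148310 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0'
)

# Directory permissions the sesearch output above grants logrotate_t on any file_type.
ALLOWED_DIR_PERMS = {"getattr", "search", "open"}


def parse_avc(line):
    """Pick the fields that matter out of one raw AVC denial; None for non-AVC records."""
    m = re.search(r'avc:\s+denied\s+\{ ([^}]*) \}', line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": set(m.group(1).split()),
        "comm": fields["comm"].strip('"'),
        "stype": fields["scontext"].split(":")[2],  # domain, e.g. logrotate_t
        "ttype": fields["tcontext"].split(":")[2],  # target type, e.g. rpm_var_cache_t
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive", "0") == "0",  # permissive=1 means logged only
    }


def alert_hash(rec):
    """Same shape as the 'Hash:' line setroubleshoot prints for this alert."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"],
                     *sorted(rec["perms"])])


def missing_perms(rec, allowed):
    """Denied permissions not covered by the rules already in the loaded policy."""
    return sorted(rec["perms"] - allowed)


def allow_rule(rec):
    """The TE rule a local module would need; a policy bug report is the cleaner fix."""
    perms = " ".join(sorted(rec["perms"]))
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print("hash:", alert_hash(rec))
    print("enforced:", rec["enforced"], "missing:", missing_perms(rec, ALLOWED_DIR_PERMS))
    print("rule:", allow_rule(rec))
```

Expanding the `/var/cache/dnf/*/*/hawkey.log` glob means listing directories, which needs dir `read`, whereas the three literal `/var/log` paths only need `search`; that is why only the hawkey stanza trips this denial.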
