Bug is in MODIFIED state.
https://bugzilla.redhat.com/show_bug.cgi?id=1163438

I will also make a new build during the day.

--
Best regards,
Lukas Vrabec.

----- Original Message -----
From: "Shintaro Fujiwara" <shintaro.fujiwara@xxxxxxxxx>
To: "Lukas Vrabec" <lvrabec@xxxxxxxxxx>
Cc: "Jeremy Young" <jrm16020@xxxxxxxxx>, selinux@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Monday, 15 December, 2014 9:43:36 AM
Subject: Re: SELinux alert in Fedora 21

Thanks, friends.
I will.

2014-12-15 17:33 GMT+09:00, Lukas Vrabec <lvrabec@xxxxxxxxxx>:
> Hi,
>
> Please follow this in BZ
> https://bugzilla.redhat.com/show_bug.cgi?id=1163438. We know about this
> issue.
>
> I'm going to fix it.
>
> --
> Best regards,
> Lukas Vrabec.
>
>
> ----- Original Message -----
> From: "Jeremy Young" <jrm16020@xxxxxxxxx>
> To: "Shintaro Fujiwara" <shintaro.fujiwara@xxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Sunday, 14 December, 2014 7:22:44 PM
> Subject: Re: SELinux alert in Fedora 21
>
> I got the same message today. It looks harmless, and it's either a bug in
> policy or is a good reason for dnf to store its logs some place other than
> /var/cache. The cron that generates this is run yearly, so it's likely that
> this isn't encountered that often.
>
> [root@localhost jrm16020]# cat /etc/logrotate.d/dnf
> /var/log/dnf.log {
>     missingok
>     notifempty
>     size 30k
>     yearly
>     create 0600 root root
> }
>
> /var/log/dnf.rpm.log {
>     missingok
>     notifempty
>     size 30k
>     yearly
>     create 0600 root root
> }
>
> /var/log/dnf.plugin.log {
>     missingok
>     notifempty
>     size 30k
>     yearly
>     create 0600 root root
> }
>
> /var/cache/dnf/*/*/hawkey.log {
>     missingok
>     notifempty
>     size 30k
>     yearly
>     create 0600 root root
> }
>
>
> [root@localhost jrm16020]# sesearch -A -C -s logrotate_t -t rpm_var_cache_t -c dir
> Found 1 semantic av rules:
>    allow logrotate_t file_type : dir { getattr search open } ;
>
> On Sun, Dec 14, 2014 at 4:27 PM, Shintaro Fujiwara <shintaro.fujiwara@xxxxxxxxx> wrote:
>
>
> Hi, I run SELinux on Fedora 21.
> I got this alert.
>
> What's this?
>
>
> SELinux is preventing /usr/sbin/logrotate from read access on the directory
> /var/cache/dnf.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> Additional Information:
> Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:rpm_var_cache_t:s0
> Target Objects                /var/cache/dnf [ dir ]
> Source                        logrotate
> Source Path                   /usr/sbin/logrotate
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           logrotate-3.8.7-4.fc21.x86_64
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 3.17.6-300.fc21.x86_64
>                               #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
> Alert Count                   1
> First Seen                    2014-12-15 07:21:01 JST
> Last Seen                     2014-12-15 07:21:01 JST
> Local ID                      4f20b888-a8fd-484b-a665-dcd7b149502d
>
> Raw Audit Messages
> type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758
> comm="logrotate" name="dnf" dev="dm-1" ino=3148310
> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
>
>
> type=SYSCALL msg=audit(1418595661.775:465): arch=x86_64 syscall=openat
> success=no exit=EACCES a0=ffffffffffffff9c a1=7fffc09f1730 a2=90800 a3=0
> items=0 ppid=6756 pid=6758 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=3 comm=logrotate exe=/usr/sbin/logrotate
> subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
>
> Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read
>
> [fujiwara@localhost ~]$ sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      29
>
>
>
> --
> A page for helping heavy metal and hard rock take root in Japan
> http://heavymetalhardrock.no-ip.info/
>
> Free software that makes the secure OS SELinux easier to use around the world
> http://sourceforge.net/projects/segatex/
>
> CMS (free software using PHP and PostgreSQL)
> http://sourceforge.net/projects/webon/
> https://github.com/intrajp/irforum_jp
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> --
> Jeremy Young, M.S., RHCSA
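
Added example, not part of the original thread: a short Python check that lines up the AVC record with the one rule sesearch returned, showing which requested permission the policy does not grant, and decodes the openat() flags from the SYSCALL record. The helper names are hypothetical, the flag values assume x86_64 Linux, and the rule's target (the attribute file_type) is assumed to cover rpm_var_cache_t because sesearch returned it for that target.

```python
import re

# Taken from the thread: the raw AVC record, the SYSCALL a2 value, and the
# single rule sesearch printed for logrotate_t -> rpm_var_cache_t (class dir).
AVC = ('type=AVC msg=audit(1418595661.775:465): avc: denied { read } for pid=6758 '
       'comm="logrotate" name="dnf" dev="dm-1" ino=3148310 '
       'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0')
RULE = 'allow logrotate_t file_type : dir { getattr search open } ;'
OPENAT_A2 = '90800'

# x86_64 Linux open(2) flag bits (O_RDONLY is 0, so it never shows as a bit).
OPEN_FLAGS = {0x800: 'O_NONBLOCK', 0x10000: 'O_DIRECTORY', 0x80000: 'O_CLOEXEC'}

def parse_avc(line):
    """Return the denied permissions and the (source type, target type, class) triple."""
    perms = set(re.search(r'denied\s+\{([^}]*)\}', line).group(1).split())
    stype = re.search(r'scontext=[^:]+:[^:]+:([^:\s]+)', line).group(1)
    ttype = re.search(r'tcontext=[^:]+:[^:]+:([^:\s]+)', line).group(1)
    tclass = re.search(r'tclass=(\S+)', line).group(1)
    return perms, (stype, ttype, tclass)

def parse_allow(rule):
    """Parse one sesearch 'allow' line into (source, target, class, permission set)."""
    m = re.match(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}', rule)
    return m.group(1), m.group(2), m.group(3), set(m.group(4).split())

def missing_permissions(avc_line, rule):
    """Permissions the AVC asked for that the matching allow rule does not grant."""
    denied, (stype, _ttype, tclass) = parse_avc(avc_line)
    # Target is not compared: the rule names an attribute that sesearch resolved.
    src, _tgt, cls, granted = parse_allow(rule)
    if (src, cls) != (stype, tclass):
        raise ValueError('rule does not cover this source type and class')
    return denied - granted

def decode_open_flags(hex_value):
    """Name the flag bits in the openat() a2 argument from the SYSCALL record."""
    value = int(hex_value, 16)
    return sorted(name for bit, name in OPEN_FLAGS.items() if value & bit)

if __name__ == '__main__':
    print('not granted:', missing_permissions(AVC, RULE))
    print('openat flags:', decode_open_flags(OPENAT_A2))
```

The rule lets logrotate_t look up, open and stat a directory but not list it, and the decoded flags show a read-only directory open, the kind of access a wildcard path such as /var/cache/dnf/*/*/hawkey.log needs in order to be expanded.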