Re: logrotate and unlabeled_t

On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
> Hi Jason,
> 
> On 12/11/2015 08:51 PM, jason wrote:
> > Hi All,
> > 
> > I am attempting to use logrotate to rotate a log file with the
> > unlabeled_t context, as it turns out SELinux is not happy about this
> > and denies logrotate access to the log file.
> logrotate should run under the logrotate_t SELinux context. I would
> recommend you fix all security contexts on your system using:
> # restorecon -R -v /
> 
> After this, logrotate should run under the logrotate_t SELinux context.
> > What's the preferred method here to allow access? I used audit2allow
> > and installed the .pp but was reading some docs[0] and wanted to
> > double check my solution.
> > 
> > The points in the docs that I wanted to check on were "Missing TE
> > rules are usually caused by bugs in SELinux policy and should be
> > reported.." Should I report my particular instance as a bug?
> Could you attach the AVC msgs using:
> # ausearch -m AVC
> 
> We can analyze these msgs and figure out if it is some bug in SELinux
> policy or create some local SELinux module for you.
> > "Modules created with audit2allow may allow more access than
> > required.
> True, you should always properly read AVC msg and allow just what is 
> mentioned in AVC msg. Tool
> audit2allow can use too generic rule as fix and this is wrong habit
> for 
> writing policies.
> > It is recommended that policy created with audit2allow be posted to
> > the upstream SELinux list for review."
> You can attach your local policy also here for checking. :)
> > Thanks in advance!
> > 
> > JT
> > 
> > 
> > [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
> Regards,
> Lukas.
> 

After attempting to change the context of the log file and getting a
permission denied, it seems SELinux won't let me just change the
context to anything I want :)

So here is some more information, since I want to make sure I do this
the right way.

We have an application writing logs to /${app}/logs/my.log. The current
context of the directory/files are
unconfined_u:object_r:unlabeled_t:s0.

Previously we were not rotating logs; I would like to use logrotate to
manage these logs. We are currently running
centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.

The message in /var/log/audit/audit.log I am seeing is:
type=AVC msg=audit(1450064522.450:248945): avc:  denied  { getattr }
for  pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1"
ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

Thanks in advance!

JT
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
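The AVC line JT pasted is the kind of thing Lukas asked to see, and the part that decides the answer is the target type: a tcontext of unlabeled_t means the file has no label at all, which is a labeling problem (fixed with semanage fcontext plus restorecon, as Lukas suggested), not a missing TE rule to patch with audit2allow. The POSIX shell script below is an added example, not code from the thread or from the SELinux project: it pulls the fields out of an AVC denial, classifies it, and prints the matching next step. The sample lines are constructed (modelled on JT's denial), and the choice of var_log_t as the target type for application logs managed by logrotate is an assumption to verify against the local policy before applying.

```shell
#!/bin/sh
# Added example (not from the thread): parse an SELinux AVC denial and decide
# whether it is a labeling problem or a candidate policy gap.

# Constructed sample denials, modelled on the one in the thread.
SAMPLE_AVC='type=AVC msg=audit(1450064522.450:248945): avc:  denied  { getattr } for  pid=39492 comm="logrotate" path="/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file'
SAMPLE_AVC_LABELED='type=AVC msg=audit(1450064600.100:248950): avc:  denied  { read write } for  pid=39500 comm="logrotate" path="/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in the line, quotes stripped.
# Tokens are split on spaces, so keys are matched at token start only.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE -> the permissions inside "{ ... }", e.g. "getattr".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type field (user:role:type:level -> type).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> "relabel" when the target carries unlabeled_t,
# otherwise "policy" (the file is labeled, so the rule itself is missing).
classify_avc() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        unlabeled_t) echo relabel ;;
        *)           echo policy ;;
    esac
}

# suggest_fix LINE -> the next step an administrator would take.
suggest_fix() {
    path=$(avc_field "$1" path)
    dir=$(dirname "$path")
    comm=$(avc_field "$1" comm)
    if [ "$(classify_avc "$1")" = relabel ]; then
        # Assumption: var_log_t is the right type for these application logs;
        # check with matchpathcon before applying. Persist the rule, then relabel.
        echo "semanage fcontext -a -t var_log_t \"$dir(/.*)?\" && restorecon -Rv $dir"
    else
        # A labeled target that is still denied: review the AVC before writing
        # any local module, and allow only the permissions it names.
        echo "ausearch -m AVC -c $comm | audit2allow -w   # explains the denial; allow only: $(avc_perms "$1")"
    fi
}

# Stand-alone run: show how each constructed denial is handled.
for line in "$SAMPLE_AVC" "$SAMPLE_AVC_LABELED"; do
    printf '%s %s %s %s -> %s\n' \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(avc_perms "$line")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(classify_avc "$line")"
    suggest_fix "$line"
done
```

Run it as a filter on real lines with `ausearch -m AVC --raw | grep '^type=AVC'` piped into a `while read line` loop around `suggest_fix "$line"`; the point of the classification is that a relabel never needs a new policy module, so no `.pp` from audit2allow should be installed for the unlabeled_t case.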