On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
> Hi Jason,
>
> On 12/11/2015 08:51 PM, jason wrote:
> > Hi All,
> >
> > I am attempting to use logrotate to rotate a log file with the
> > unlabeled_t context, as it turns out SELinux is not happy about this
> > and denies logrotate access to the log file.
>
> logrotate should run under the logrotate_t SELinux context. I would
> recommend you to fix all security contexts on your system using:
>
> # restorecon -R -v /
>
> After this, logrotate should run under the logrotate_t SELinux context.
>
> > What's the preferred method here to allow access? I used audit2allow
> > and installed the .pp but was reading some docs[0] and wanted to
> > double check my solution.
> >
> > The points in the docs that I wanted to check on were "Missing TE
> > rules are usually caused by bugs in SELinux policy and should be
> > reported.." Should I report my particular instance as a bug?
>
> Could you attach AVC msgs using:
>
> # ausearch -m AVC
>
> We can analyze these msgs and figure out if it is some bug in SELinux
> policy or create some local SELinux module for you.
>
> > "Modules created with audit2allow may allow more access than
> > required.
>
> True, you should always properly read the AVC msg and allow just what is
> mentioned in the AVC msg. The tool audit2allow can use a too generic
> rule as a fix and this is a wrong habit for writing policies.
>
> > It is recommended that policy created with audit2allow be posted to
> > the upstream SELinux list for review."
>
> You can attach your local policy also here for checking. :)
>
> > Thanks in advance!
> > JT
> >
> > [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>
> Regards,
> Lukas.

After attempting to change the context of the log file and getting a
permission denied, it seems SELinux won't let me just change the context
to anything I want :)

So here is some more information, since I want to make sure I do this
the right way.

We have an application writing logs to /${app}/logs/my.log. The current
context of the directory/files is unconfined_u:object_r:unlabeled_t:s0.
Previously we were not rotating logs; I would like to use logrotate to
manage these logs. We are currently running
centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.

The message in /var/log/audit/audit.log I am seeing is:

type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

Thanks in advance!
JT
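The AVC record above, worked through as an added example (this is not code from the thread or from any SELinux project; it is written here only to illustrate the triage Lukas describes). The helper parses the denial quoted in the mail, pulls out the source and target types, and prints the narrowest fix. A target type of unlabeled_t means the inode carries no label the loaded policy knows how to handle, so an audit2allow module granting logrotate_t access to unlabeled_t files would be exactly the over-broad rule the thread warns against; the narrower fix is to give the directory a proper type with a persistent file-context rule and run restorecon on it. The directory /app/logs and the type var_log_t (the generic log type that the stock logrotate policy is allowed to manage) are assumptions; adjust them to the real path and, if the application writing the logs is itself confined, check that its domain may write files of that type.

```shell
#!/bin/sh
# Added illustration, not code from the thread. Parses one AVC record and
# prints the narrowest fix. Needs only POSIX sh, sed and cut.

# The denial from the mail, embedded here so the script runs offline.
AVC='type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# type_of CONTEXT: the type is the third colon-separated field of a context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix RECORD DIR TYPE: print the commands a practitioner would run.
# DIR is the directory to relabel and TYPE the type to give it; the values
# used below (/app/logs, var_log_t) are assumptions for this illustration.
suggest_fix() {
    _rec=$1; _dir=$2; _type=$3
    _comm=$(avc_field "$_rec" comm)
    _ttype=$(type_of "$(avc_field "$_rec" tcontext)")
    case $_ttype in
        unlabeled_t|default_t)
            # Not a policy bug: the target simply has no usable label.
            # Record a persistent file-context rule, then apply it.
            printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$_type" "$_dir"
            printf 'restorecon -R -v %s\n' "$_dir"
            ;;
        *)
            # The target is properly labelled and policy still denies it:
            # pull only this program's denials and review them before
            # building any local module.
            printf 'ausearch -m AVC -c %s\n' "$_comm"
            printf 'ausearch -m AVC -c %s --raw | audit2allow -M local_%s\n' "$_comm" "$_comm"
            ;;
    esac
}

# Usage with the record from the mail.
echo "denied: $(avc_perms "$AVC") on tclass=$(avc_field "$AVC" tclass)"
echo "source type: $(type_of "$(avc_field "$AVC" scontext)")"
echo "target type: $(type_of "$(avc_field "$AVC" tcontext)")"
suggest_fix "$AVC" /app/logs var_log_t
```

For the record in the mail the script reports source type logrotate_t, target type unlabeled_t, and prints the semanage fcontext and restorecon pair rather than an audit2allow invocation; the same helper run on a denial whose target is already a real type (for example an application log type) prints the ausearch and audit2allow review steps instead.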