On 12/14/2015 03:18 PM, jason wrote:
> On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
>> Hi Jason,
>>
>> On 12/11/2015 08:51 PM, jason wrote:
>>> Hi All,
>>>
>>> I am attempting to use logrotate to rotate a log file with the
>>> unlabeled_t context, as it turns out SELinux is not happy about this
>>> and denies logrotate access to the log file.
>> logrotate should run under logrotate_t SELinux context. I would
>> recommend you to fix all security contexts on your system using:
>> # restorecon -R -v /
>>
>> After this, logrotate should run under logrotate_t SELinux context.
>>> What's the preferred method here to allow access? I used audit2allow
>>> and installed the .pp but was reading some docs[0] and wanted to
>>> double check my solution.
>>>
>>> The points in the docs that I wanted to check on were "Missing TE
>>> rules are usually caused by bugs in SELinux policy and should be
>>> reported.." Should I report my particular instance as a bug?
>> Could you attach AVC msgs using:
>> # ausearch -m AVC
>>
>> We can analyze these msgs and figure out if it is some bug in SELinux
>> policy or create some local SELinux module for you.
>>> "Modules created with audit2allow may allow more access than required.
>> True, you should always properly read the AVC msg and allow just what is
>> mentioned in the AVC msg. The tool audit2allow can use too generic a rule
>> as a fix and this is a wrong habit for writing policies.
>>> It is recommended that policy created with audit2allow be posted to the
>>> upstream SELinux list for review."
>> You can attach your local policy also here for checking. :)
>>> Thanks in advance!
>>>
>>> JT
>>>
>>>
>>> [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
>> Regards,
>> Lukas.
>>
>
> After attempting to change the context of the log file and getting a
> permission denied, it seems selinux won't let me just change the
> context to anything I want :)
>
> So here is some more information, since I want to make sure I do this
> the right way.
>
> We have an application writing logs to /${app}/logs/my.log. The current
> context of the directory/files is
> unconfined_u:object_r:unlabeled_t:s0.
>
> Previously we were not rotating logs; I would like to use logrotate to
> manage these logs. We are currently running
> centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.
>
> The message in /var/log/audit/audit.log I am seeing is:
> type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr }
> for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1"
> ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

Is it a mount point?

> Thanks in advance!
>
> JT

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
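As an added example (not written by anyone in the thread), a small Python triage of AVC records like the one JT pasted: it separates a mislabeled target (unlabeled_t, as here), where the fix is relabeling, from a genuine policy gap, where a minimal allow rule carrying only what the AVC names should be drafted and sent for review, which is the distinction Lukas and the Red Hat docs draw. The sample records, the example_app_log_t type and the set of types treated as labeling problems are constructed assumptions of this example.

```python
import re

# Constructed samples: the first mirrors the denial quoted in the thread (with
# the path= key the quote lost); the second is invented to show a real policy gap.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1450064522.450:248945): avc:  denied  { getattr } for '
    'pid=39492 comm="logrotate" path="/app/logs/my.log" dev="sdb1" ino=4294971394 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file',
    'type=AVC msg=audit(1450064600.000:248950): avc:  denied  { read } for '
    'pid=39493 comm="logrotate" path="/app/logs/other.log" dev="sdb1" ino=4294971400 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:example_app_log_t:s0 tclass=file',
]
# Target types that point at a mislabeled file rather than a missing rule
# (assumption of this example: exactly these two count as "labeling").
LABELING_TYPES = {"unlabeled_t", "default_t"}
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into its permission list and key=value fields."""
    m = PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    rec = {"perms": m.group(1).split()}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules use.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(line):
    """Decide whether a denial needs a relabel or a (reviewed) policy rule."""
    rec = parse_avc(line)
    if rec["ttype"] in LABELING_TYPES:
        rec["kind"] = "labeling"
        rec["advice"] = (f"relabel {rec.get('path', '<unknown path>')}: restorecon -Rv the "
                         "directory, or first add an fcontext spec with semanage fcontext")
    else:
        # The rule carries only what the AVC names; never broaden it, get it reviewed.
        rec["kind"] = "policy"
        rec["advice"] = (f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} "
                         f"{{ {' '.join(rec['perms'])} }}; post upstream for review")
    return rec

if __name__ == "__main__":
    for avc in SAMPLE_AVCS:
        r = triage(avc)
        print(f"{r['kind']:8} {r['comm']} -> {r['path']}: {r['advice']}")
```

Feed it real records with `ausearch -m AVC` output piped line by line; a labeling verdict is the cue to check the mount and fcontext specs before reaching for audit2allow.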