On Mon, 2015-12-14 at 15:43 +0100, Miroslav Grepl wrote:
> On 12/14/2015 03:18 PM, jason wrote:
> > On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
> > > Hi Jason,
> > >
> > > On 12/11/2015 08:51 PM, jason wrote:
> > > > Hi All,
> > > >
> > > > I am attempting to use logrotate to rotate a log file with the
> > > > unlabeled_t context; as it turns out SELinux is not happy about this
> > > > and denies logrotate access to the log file.
> > > logrotate should run under the logrotate_t SELinux context. I would
> > > recommend you to fix all security contexts on your system using:
> > > # restorecon -R -v /
> > >
> > > After this, logrotate should run under the logrotate_t SELinux context.
> > > > What's the preferred method here to allow access? I used audit2allow
> > > > and installed the .pp but was reading some docs[0] and wanted to
> > > > double check my solution.
> > > >
> > > > The points in the docs that I wanted to check on were "Missing TE
> > > > rules are usually caused by bugs in SELinux policy and should be
> > > > reported.." Should I report my particular instance as a bug?
> > > Could you attach AVC msgs using:
> > > # ausearch -m AVC
> > >
> > > We can analyze these msgs and figure out if it is some bug in SELinux
> > > policy or create some local SELinux module for you.
> > > > "Modules created with audit2allow may allow more access than required.
> > > True, you should always properly read the AVC msg and allow just what is
> > > mentioned in the AVC msg. The audit2allow tool can use a too generic rule
> > > as a fix, and this is a wrong habit for writing policies.
> > > > It is recommended that policy created with audit2allow be posted to the
> > > > upstream SELinux list for review."
> > > You can attach your local policy also here for checking. :)
> > > > Thanks in advance!
> > > >
> > > > JT
> > > >
> > > > [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
> > > > --
> > > > selinux mailing list
> > > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
> > > Regards,
> > > Lukas.
> > >
> > After attempting to change the context of the log file, I got a
> > permission denied. It seems SELinux won't let me just change the
> > context to anything I want :)
> >
> > So here is some more information, since I want to make sure I do this
> > the right way.
> >
> > We have an application writing logs to /${app}/logs/my.log. The current
> > context of the directory/files is unconfined_u:object_r:unlabeled_t:s0.
> >
> > Previously we were not rotating logs; I would like to use logrotate to
> > manage these logs. We are currently running
> > centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.
> >
> > The message in /var/log/audit/audit.log I am seeing is:
> > type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr }
> > for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1"
> > ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
> Is it a mount point?
>
> > Thanks in advance!
> >
> > JT
>

/${app} is yes.

JT
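The triage the thread walks through (read the denial from `ausearch -m AVC`, then decide between repairing labels and writing policy), as an added shell example that is not part of the thread; the sample AVC line with its path= key, the numeric values and the var_log_t target type are constructed assumptions:

```shell
#!/bin/sh
# Added triage helper (not from the thread). Pulls the fields out of an
# AVC denial as printed by `ausearch -m AVC` and decides whether the fix is
# a label repair (semanage fcontext + restorecon) or a real policy gap.

# Constructed sample, modelled on the denial quoted in the thread; the
# path= key and the numeric values are made up for this example.
SAMPLE_AVC='type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" path="/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value (quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[ (]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_type CONTEXT -> the type field of a user:role:TYPE:level context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_avc LINE -> relabel | policy | unparsed
#   relabel : target carries a placeholder type (unlabeled_t, file_t,
#             default_t): the file system or path was never labelled, so
#             fix the labels instead of writing an allow rule
#   policy  : both sides carry real types, so a TE rule is missing; read
#             the AVC carefully and report it or write a minimal local module
triage_avc() {
    tctx=$(avc_field "$1" tcontext)
    [ -n "$tctx" ] || { echo unparsed; return 0; }
    case "$(avc_type "$tctx")" in
        unlabeled_t|file_t|default_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# relabel_commands DIR TYPE -> the commands that label DIR persistently
# and apply the labels. The type is the caller's choice (var_log_t is the
# assumption used in the demo below).
relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Demo: triage the sample, then print the relabel recipe for the directory
# that holds the denied path.
if [ "$(triage_avc "$SAMPLE_AVC")" = relabel ]; then
    relabel_commands "$(dirname "$(avc_field "$SAMPLE_AVC" path)")" var_log_t
fi
```

On a file system mounted without label support the restorecon step will not stick; the relabel recipe assumes the mount keeps xattr labels.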