Re: logrotate and unlabeled_t

On 12/14/2015 03:46 PM, jason wrote:
On Mon, 2015-12-14 at 15:43 +0100, Miroslav Grepl wrote:
On 12/14/2015 03:18 PM, jason wrote:
On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
Hi Jason,

On 12/11/2015 08:51 PM, jason wrote:
Hi All,

I am attempting to use logrotate to rotate a log file with the unlabeled_t context, as it turns out SELinux is not happy about this and denies logrotate access to the log file.
logrotate should run under the logrotate_t SELinux context. I would recommend that you fix all security contexts on your system using:
# restorecon -R -v /

After this, logrotate should run under the logrotate_t SELinux context.
What's the preferred method here to allow access? I used audit2allow and installed the .pp but was reading some docs[0] and wanted to double check my solution.

The points in the docs that I wanted to check on were "Missing TE rules are usually caused by bugs in SELinux policy and should be reported..." Should I report my particular instance as a bug?
Could you attach AVC msgs using:
# ausearch -m AVC

We can analyze these msgs and figure out if it is some bug in SELinux policy, or create some local SELinux module for you.
"Modules created with audit2allow may allow more access than required.
True, you should always properly read the AVC msg and allow just what is mentioned in the AVC msg. The audit2allow tool can use too generic a rule as a fix, and this is a wrong habit for writing policies.
It is recommended that policy created with audit2allow be posted to the upstream SELinux list for review."
You can attach your local policy also here for checking. :)
Thanks in advance!

JT


[0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Regards,
Lukas.

After attempting to change the context of the log file I got a permission denied. It seems SELinux won't let me just change the context to anything I want :)

So here is some more information, since I want to make sure I do this the right way.

We have an application writing logs to /${app}/logs/my.log. The current context of the directory/files is unconfined_u:object_r:unlabeled_t:s0.

Previously we were not rotating logs; I would like to use logrotate to manage these logs. We are currently running centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.

The message in /var/log/audit/audit.log I am seeing is:
type=AVC msg=audit(1450064522.450:248945): avc:  denied  { getattr } for  pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
Is it a mount point?

Thanks in advance!

JT


/${app} is yes.
So use:
context="system_u:object_r:var_log_t:s0"
as a mount option. This labels the mount point as var_log_t. For more info see the mount man pages.
JT

--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
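The mount-option fix Lukas gives, as an added shell example that is not part of the thread: it pulls the source type, target type and permission out of the AVC record quoted above and appends the context= option to an fstab line. The fstab line, device and mount point are constructed placeholders, not the poster's real values.

```shell
#!/bin/sh
# Added example, not from the thread: read the AVC denial quoted above and
# produce the fstab change Lukas describes. Device, mount point and fstab
# line are constructed placeholders.

# Constructed copy of the AVC record from the thread, on one line.
AVC='type=AVC msg=audit(1450064522.450:248945): avc:  denied  { getattr } for  pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file'

# Print the value of key=value (quotes stripped) from an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the type component (user:role:TYPE:level) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line reading of a denial:
# "<source type> denied <perms> on <target type> <class>"
avc_summary() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{ *\(.*[^ ]\) *}.*/\1/p')
    printf '%s denied %s on %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$perms" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_field "$1" tclass)"
}

# Append context=<ctx> to the options field of an fstab line (idempotent).
# Every file on that mount is then labelled <ctx>, so with var_log_t the
# filesystem should hold only log data.
fstab_with_context() {
    case "$1" in
        *context=*) printf '%s\n' "$1"; return 0 ;;
    esac
    printf '%s\n' "$1" | awk -v ctx="$2" '{ $4 = $4 ",context=" ctx; print }'
}

# Constructed fstab line for the /app mount that holds /app/logs.
FSTAB_LINE='/dev/sdb1 /app xfs defaults 0 0'

avc_summary "$AVC"
fstab_with_context "$FSTAB_LINE" system_u:object_r:var_log_t:s0
# Once the filesystem is mounted with that option, "ls -Z /app/logs/my.log"
# should show var_log_t and the getattr denial above should stop.
```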