Dnsmasq log setattr denial

Greetings -

I recently had some brief intermittent network connection issues that I finally tracked down to occurring in time with dns lease renewal by dnsmasq.  Looking into the logs I found that the issue began after I rebooted my dns server recently.  No configuration changes had been made; we shut servers down for a planned power outage for our building.

I have read the full sealert message, but with my limited experience I am looking for some confirmation before making any changes.  The raw audit message is listed below.  It appears there may be a context issue on the log file (I know there is a typo in my log file name).

Raw Audit Messages
type=AVC msg=audit(1559298063.86:81599): avc:  denied  { setattr } for  pid=15072 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=1068 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1559298063.86:81599): arch=x86_64 syscall=fchown success=no exit=EACCES a0=c a1=63 a2=ffffffff a3=418 items=0 ppid=1 pid=15072 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=13562 comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)

Running audit2why gives the following, which references a missing type enforcement allow rule.

type=AVC msg=audit(1558865403.590:67806): avc:  denied  { setattr } for  pid=1429 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=827 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.
                You can use audit2allow to generate a loadable module to allow this access.

However, when I run matchpathcon, I get the following results, which seem to indicate that everything should be ok.

[root@taxa ~]# matchpathcon -V /var/log/*
/var/log/dsnmasq.log verified.
/var/log/dsnmasq.log-20190525 verified.
/var/log/dsnmasq.log-20190526 verified.
/var/log/dsnmasq.log-20190527 verified.
/var/log/dsnmasq.log-20190528 verified.
/var/log/dsnmasq.log-20190529 verified.
/var/log/dsnmasq.log-20190530 verified.
/var/log/dsnmasq.log-20190531 verified.

So it is not clear to me what is the proper way to resolve this denial, and I am looking for a little more education and advice so that I don't issue the wrong selinux command.  I am running dnsmasq 2.48-18.el6_9 on a CentOS 6 system.  Thanks.

Jeff

--

Jeff Boyce
Meridian Environmental
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
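
Added example (not part of the original post): a small Python parser that joins the AVC and SYSCALL records quoted in the message by their shared audit event serial and decodes the hex fchown arguments, so the denial reads as "dnsmasq_t called fchown(fd 12, uid 99, gid unchanged) on a file labelled var_log_t". The function names are illustrative, and the SYSCALL record is trimmed to the fields the code uses.

```python
import re

# Records copied from the "Raw Audit Messages" in the post (SYSCALL trimmed to the fields used).
AVC = ('type=AVC msg=audit(1559298063.86:81599): avc:  denied  { setattr } for  '
       'pid=15072 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=1068 '
       'scontext=system_u:system_r:dnsmasq_t:s0 '
       'tcontext=system_u:object_r:var_log_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1559298063.86:81599): arch=x86_64 syscall=fchown '
           'success=no exit=EACCES a0=c a1=63 a2=ffffffff a3=418 items=0 ppid=1 '
           'pid=15072 uid=0 comm=dnsmasq exe=/usr/sbin/dnsmasq')

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(\w+)\s+\{([^}]*)\}')

def parse(line):
    """Parse one audit record into a dict; returns None if it has no audit header."""
    head = HEAD.match(line)
    if not head:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(line[head.end():])}
    rec['type'], rec['serial'] = head.group(1), int(head.group(3))
    perms = PERMS.search(line)
    if perms:
        rec['result'], rec['perms'] = perms.group(1), perms.group(2).split()
    return rec

def signed32(hexstr):
    """Raw audit a0..a3 are hex; 0xffffffff as a 32-bit uid_t/gid_t is -1 ('unchanged')."""
    v = int(hexstr, 16)
    return v - (1 << 32) if v >= 1 << 31 else v

def explain(lines):
    """Join AVC and SYSCALL records that share an event serial into one summary each."""
    events = {}
    for rec in filter(None, map(parse, lines)):
        events.setdefault(rec['serial'], {})[rec['type']] = rec
    out = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev.get('AVC'), ev.get('SYSCALL', {})
        if not avc:
            continue
        out.append({'serial': serial, 'perms': avc['perms'], 'tclass': avc['tclass'],
                    'source_type': avc['scontext'].split(':')[2],
                    'target_type': avc['tcontext'].split(':')[2],
                    'name': avc.get('name'), 'syscall': sc.get('syscall'),
                    'args': [signed32(sc[a]) for a in ('a0', 'a1', 'a2') if a in sc]})
    return out

if __name__ == '__main__': print(explain([AVC, SYSCALL]))
```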



