Hi Jeff,

On 5/31/19 10:39 PM, Jeff Boyce wrote:
> Greetings -
>
> I recently had some brief intermittent network connection issues that I
> finally tracked down to occurring in time with dns lease renewal by
> dnsmasq. Looking into the logs I found that the issue began after I
> rebooted my dns server recently. No configuration changes had been
> made, we shut servers down for a planned power outage for our building.
>
> I have read the full sealert message, but with my limited experience I
> am looking for some confirmation before making any changes. The raw
> audit message is listed below. It appears there may be a context issue
> on the log file (I know there is a typo in my log file name).
>
> Raw Audit Messages
> type=AVC msg=audit(1559298063.86:81599): avc: denied { setattr } for
> pid=15072 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=1068
> scontext=system_u:system_r:dnsmasq_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1559298063.86:81599): arch=x86_64 syscall=fchown
> success=no exit=EACCES a0=c a1=63 a2=ffffffff a3=418 items=0 ppid=1
> pid=15072 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=13562 comm=dnsmasq exe=/usr/sbin/dnsmasq
> subj=system_u:system_r:dnsmasq_t:s0 key=(null)
>
> Running audit2why gives the following, which references a missing type
> enforcement allow rule.
>
> type=AVC msg=audit(1558865403.590:67806): avc: denied { setattr } for
> pid=1429 comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=827
> scontext=system_u:system_r:dnsmasq_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> Was caused by:
> Missing type enforcement (TE) allow rule.
> You can use audit2allow to generate a loadable module to
> allow this access.
>
> However, when I run matchpathcon, I get the following results, which
> seems to indicate that everything should be ok.
>
> [root@taxa ~]# matchpathcon -V /var/log/*
> /var/log/dsnmasq.log verified.
> /var/log/dsnmasq.log-20190525 verified.
> /var/log/dsnmasq.log-20190526 verified.
> /var/log/dsnmasq.log-20190527 verified.
> /var/log/dsnmasq.log-20190528 verified.
> /var/log/dsnmasq.log-20190529 verified.
> /var/log/dsnmasq.log-20190530 verified.
> /var/log/dsnmasq.log-20190531 verified.
>
> So it is not clear to me what is the proper way to resolve this denial,
> and am looking for a little more education and advice so that I don't
> issue the wrong selinux command. I am running dnsmasq 2.48-18.el6_9 on
> a CentOS 6 system. Thanks.
>

I think there is a typo in configuration file name /s/dsnmasq/dnsmasq.
This is your issue. You can rename the file, fix the configuration and
then run restorecon:

# restorecon -v /var/log/dnsmasq.log

or if you're using this on purpose (for whatever reason) you can assign
dnsmasq_var_log_t label to /var/log/dsnmasq.log:

# semanage fcontext -a -t dnsmasq_var_log_t "/var/log/dsnmasq\.log.*"
# restorecon -Rv /var/log/dsnmasq.log

Thanks,
Lukas.

> Jeff
>

--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
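The point Lukas makes is easy to miss when reading the two tools side by side: matchpathcon reports "verified" because the file's current label (var_log_t) is exactly what the file-contexts table assigns to a path named /var/log/dsnmasq.log, and the denial still happens because dnsmasq_t is only allowed setattr on its private log type, not on the generic var_log_t. The script below is an added example, not code from the thread or from the SELinux tooling. It parses the AVC records quoted above, re-implements matchpathcon's "does the current label equal the policy default for this path" check against a tiny constructed stand-in for the file-contexts table (only the two /var/log entries needed here; the real table lives under /etc/selinux/<policy>/contexts/files/ and is far larger), and emits the two remedies from the reply. The parsing helpers, the FILE_CONTEXTS table and the domain-prefix heuristic in diagnose() are all assumptions of this example.

```python
import re

# Constructed sample: the two AVC records quoted in the thread, each joined onto one line.
AVC_LINES = [
    'type=AVC msg=audit(1559298063.86:81599): avc: denied { setattr } for pid=15072 '
    'comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=1068 '
    'scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1558865403.590:67806): avc: denied { setattr } for pid=1429 '
    'comm="dnsmasq" name="dsnmasq.log" dev=vda2 ino=827 '
    'scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file',
]

# Assumption: a minimal stand-in for the policy's file_contexts entries under /var/log,
# ordered most-specific first (the real table has many more entries).
FILE_CONTEXTS = [
    (re.compile(r"^/var/log/dnsmasq\.log.*$"), "dnsmasq_var_log_t"),
    (re.compile(r"^/var/log/.*$"), "var_log_t"),
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one 'avc: denied { perms } for k=v ...' record into a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; TE allow rules are written against the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def policy_type(path):
    """Type the file-contexts table assigns to path: what matchpathcon compares against."""
    for pattern, ftype in FILE_CONTEXTS:
        if pattern.match(path):
            return ftype
    return None


def diagnose(rec, directory="/var/log"):
    """Explain a file denial: is the label 'correct' per policy, and which private
    type the source domain probably expects (heuristic: a type in the table that
    starts with the domain name minus its '_t' suffix)."""
    path = f"{directory}/{rec['name']}"
    expected = policy_type(path)
    prefix = rec["stype"][:-2] + "_"  # dnsmasq_t -> dnsmasq_
    private = sorted({t for _, t in FILE_CONTEXTS if t.startswith(prefix)})
    return {
        "path": path,
        "domain": rec["stype"],
        "perms": rec["perms"],
        "current_type": rec["ttype"],
        "policy_type": expected,
        # True means matchpathcon -V would print "verified" even though access is denied.
        "matchpathcon_verified": expected == rec["ttype"],
        "suggested_type": private[0] if private else None,
    }


def fix_commands(path, wanted_type, rename_to=None):
    """The two remedies from the reply: rename the file and relabel it from policy,
    or add a local fcontext rule for the odd name and relabel in place."""
    if rename_to:
        return [f"mv {path} {rename_to}", f"restorecon -v {rename_to}"]
    escaped = path.replace(".", r"\.")
    return [
        f'semanage fcontext -a -t {wanted_type} "{escaped}.*"',
        f"restorecon -Rv {path}",
    ]


if __name__ == "__main__":
    for line in AVC_LINES:
        rec = parse_avc(line)
        d = diagnose(rec)
        print(d)
        print(fix_commands(d["path"], d["suggested_type"], rename_to="/var/log/dnsmasq.log"))
        print(fix_commands(d["path"], d["suggested_type"]))
```

Running it shows matchpathcon_verified as True for both records with policy_type var_log_t, while the same table gives dnsmasq_var_log_t for /var/log/dnsmasq.log, which is why the rename is the clean fix and the semanage rule is the workaround for keeping the odd name. Note that the heuristic in diagnose() only finds a private type that is already in the table; it does not tell you that the domain is allowed on it, which is what sesearch or audit2why answers on a real system.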
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx