Linux Archive > Redhat > Fedora SELinux Support
Old 07-10-2008, 01:53 AM
Dan Thurman

F9: Problems with named logging files

I have not been able to solve this issue but was able to 'get around' it
via F8.


Below is the named.conf, just for the logging group:
=========================================
logging {
    channel my_syslog {
        file "/var/log/named/named.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
    };
    channel my_lame {
        file "/var/log/named/lame.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_xfer {
        file "/var/log/named/xfer.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_update {
        file "/var/log/named/named.update" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_db {
        file "/var/log/named/db.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_query {
        file "/var/log/named/query.log" versions 25;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_security {
        file "/var/log/named/security.log" versions 99;
        severity info;
        print-category yes;
        print-time yes;
        // size 50M;
    };
    channel my_debug {
        file "/var/log/named/named.debug" versions 20;
        severity dynamic;
        print-category yes;
        print-time yes;
        // size 50M;
    };

    category security     { my_security; };
    category default      { my_syslog; };
    category queries      { my_query; };
    category lame-servers { my_lame; };
    category update       { my_update; };
    // category db        { my_db; };
    category xfer-in      { my_xfer; };
    category xfer-out     { my_xfer; };
    // category packet    { null; };
    // category eventlib  { my_syslog; };
};
=========================================
Please note that the pathname is chrooted and is actually
found in: /var/named/chroot/var/log/named and the files
are initially set there with proper context of named_log_t
and the directory permissions set with user named with
access and context set accordingly.

Below is the selinux complaint:
=========================================
From: /var/log/messages:
-------------------------------
Jul 9 18:43:27 bronze named[10903]: unable to rename log file
'/var/log/named/named.log' to '/var/log/named/named.log.0': permission
denied
Jul 9 18:43:27 bronze setroubleshoot: SELinux is preventing named
(named_t) "write" to ./named (named_conf_t). For complete SELinux
messages. run sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09


# sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
=========================================
Summary:

SELinux is preventing named (named_t) "write" to ./named (named_conf_t).

Detailed Description:

SELinux denied access requested by named. It is not expected that this
access is required by named and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for ./named,

restorecon -v './named'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context unconfined_u:system_r:named_t:s0
Target Context system_u:object_r:named_conf_t:s0
Target Objects ./named [ dir ]
Source named
Source Path /usr/sbin/named
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages bind-9.5.0-32.rc1.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9

Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP
Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 1
First Seen Wed Jul 9 18:43:27 2008
Last Seen Wed Jul 9 18:43:27 2008
Local ID ebd583dd-e96e-49ad-b6ce-72eda7273b09
Line Numbers

Raw Audit Messages

host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:139): avc:
denied { write } for pid=10904 comm="named" name="named" dev=sda6
ino=2023442 scontext=unconfined_u:system_r:named_t:s0
tcontext=system_u:object_r:named_conf_t:s0 tclass=dir


host=bronze.cdkkt.com type=SYSCALL msg=audit(1215654207.611:139):
arch=40000003 syscall=38 success=no exit=-13 a0=b547a4e8 a1=b7ee488a
a2=4932fc a3=b7ee488a items=0 ppid=10902 pid=10904 auid=500 uid=25
gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none)
ses=2 comm="named" exe="/usr/sbin/named"
subj=unconfined_u:system_r:named_t:s0 key=(null)

=========================================

I have tried changing the context, permissions, restorecon and nothing
seemed to help.


Advice please?

Thanks!
Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-10-2008, 06:33 AM
Paul Howarth

F9: Problems with named logging files

On Wed, 09 Jul 2008 18:53:05 -0700
Dan Thurman <dant@cdkkt.com> wrote:

> I have not been able to solve this issue but was able to 'get around'
> it via F8.
>
> Below is the named.conf, just for the logging group:
> =========================================
> logging {
> channel my_syslog { file "/var/log/named/named.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> };
> channel my_lame { file "/var/log/named/lame.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_xfer { file "/var/log/named/xfer.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_update { file "/var/log/named/named.update" versions
> 25; severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_db { file "/var/log/named/db.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_query { file "/var/log/named/query.log" versions 25;
> severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_security { file "/var/log/named/security.log" versions
> 99; severity info;
> print-category yes;
> print-time yes;
> // size 50M;
> };
> channel my_debug { file "/var/log/named/named.debug" versions 20;
> severity dynamic;
> print-category yes;
> print-time yes;
> // size 50M;
> };
>
> category security { my_security; };
> category default { my_syslog; };
> category queries { my_query; };
> category lame-servers { my_lame; };
> category update { my_update; };
> // category db { my_db; };
> category xfer-in { my_xfer; };
> category xfer-out { my_xfer; };
> // category packet { null; };
> // category eventlib { my_syslog; };
>
> };
> =========================================
> Please note that the pathname is chrooted and is actually
> found in: /var/named/chroot/var/log/named and the files
> are initially set there with proper context of named_log_t
> and the directory permissions set with user named with
> access and context set accordingly.
>
> Below is the selinux complaint:
> =========================================
> From: /var/log/messages:
> -------------------------------
> Jul 9 18:43:27 bronze named[10903]: unable to rename log file
> '/var/log/named/named.log' to '/var/log/named/named.log.0':
> permission denied
> Jul 9 18:43:27 bronze setroubleshoot: SELinux is preventing named
> (named_t) "write" to ./named (named_conf_t). For complete SELinux
> messages. run sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
>
> # sealert -l ebd583dd-e96e-49ad-b6ce-72eda7273b09
> =========================================
> Summary:
>
> SELinux is preventing named (named_t) "write" to ./named
> (named_conf_t).
>
> Detailed Description:
>
> SELinux denied access requested by named. It is not expected that
> this access is required by named and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional
> access.
>
> Allowing Access:
>
> Sometimes labeling problems can cause SELinux denials. You could try
> to restore the default system file context for ./named,
>
> restorecon -v './named'
>
> If this does not work, there is currently no automatic way to allow
> this access. Instead, you can generate a local policy module to allow
> this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:named_t:s0
> Target Context system_u:object_r:named_conf_t:s0
> Target Objects ./named [ dir ]
> Source named
> Source Path /usr/sbin/named
> Port <Unknown>
> Host bronze.cdkkt.com
> Source RPM Packages bind-9.5.0-32.rc1.fc9
> Target RPM Packages
> Policy RPM selinux-policy-3.3.1-74.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall_file
> Host Name bronze.cdkkt.com
> Platform Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP
> Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count 1
> First Seen Wed Jul 9 18:43:27 2008
> Last Seen Wed Jul 9 18:43:27 2008
> Local ID ebd583dd-e96e-49ad-b6ce-72eda7273b09
> Line Numbers
>
> Raw Audit Messages
>
> host=bronze.cdkkt.com type=AVC msg=audit(1215654207.611:139): avc:
> denied { write } for pid=10904 comm="named" name="named" dev=sda6
> ino=2023442 scontext=unconfined_u:system_r:named_t:s0
> tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1215654207.611:139):
> arch=40000003 syscall=38 success=no exit=-13 a0=b547a4e8 a1=b7ee488a
> a2=4932fc a3=b7ee488a items=0 ppid=10902 pid=10904 auid=500 uid=25
> gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none)
> ses=2 comm="named" exe="/usr/sbin/named"
> subj=unconfined_u:system_r:named_t:s0 key=(null)
> =========================================
>
> I have tried changing the context, permissions, restorecon and
> nothing seemed to help.
>
> Advice please?

Does this help?

# chcon -R -t named_log_t /var/named/chroot/var/log/named

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
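The AVC record in the thread says what Paul's one-liner fixes: the target is the directory (tclass=dir, name="named") and it carries named_conf_t, not named_log_t, so named may write the log files but not rename them during rotation. As an added example (not code from the thread or from Fedora), the POSIX shell script below reads that raw AVC record, embedded here as a constructed string, checks for exactly this mislabeled-directory pattern, and prints the relabel command together with the semanage rule that makes it survive a relabel; the function names are my own, the chroot path is the one from Dan's post.

```shell
#!/bin/sh
# Added example, not from the thread: classify a raw AVC record the way a
# defender would when named suddenly cannot rotate its logs.  The record
# below is the one from the post, embedded as a constructed string so the
# script runs offline.  Function names are hypothetical.

AVC='type=AVC msg=audit(1215654207.611:139): avc: denied { write } for pid=10904 comm="named" name="named" dev=sda6 ino=2023442 scontext=unconfined_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir'

# avc_field RECORD KEY -> value of the whitespace-delimited "KEY=value"
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm RECORD -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# diagnose RECORD LOGDIR -> "mislabeled-dir ..." (status 0) when a named_t
# process is denied a directory-modifying permission on a directory that is
# not named_log_t, which is what the rename done by log rotation needs;
# otherwise "other ..." (status 1).
diagnose() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    case "$perm" in
        write|add_name|remove_name|rename) dirmod=yes ;;
        *) dirmod=no ;;
    esac
    if [ "$src" = named_t ] && [ "$cls" = dir ] && [ "$dirmod" = yes ] \
       && [ "$tgt" != named_log_t ]; then
        echo "mislabeled-dir: $2 is $tgt, log rotation needs named_log_t"
        echo "fix now:  chcon -R -t named_log_t $2"
        echo "persist:  semanage fcontext -a -t named_log_t '$2(/.*)?' && restorecon -Rv $2"
        return 0
    fi
    echo "other: $src denied $perm on $cls of type $tgt"
    return 1
}

diagnose "$AVC" /var/named/chroot/var/log/named
```

chcon changes only the inode labels, so a later restorecon or full relabel puts the directory back to whatever the file-context rules say; the semanage fcontext line records named_log_t for the chroot log directory so restorecon then keeps it.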