Old 12-06-2009, 08:38 AM
Arthur Dent
 
Logrotate frustration

Hello all,

It seems that almost every week logrotate is throwing up a new AVC. I
have an almost vanilla F11 install with most packages installed via yum
and yet I keep getting these. Each time I audit2allow and build a new
policy. My "mylogr.te" is now at version 7. Am I missing a bool or is
there something else I'm lacking?

Here is the latest version of my policy:


===============8<==================================================

module mylogr 11.1.7;

require {
type mail_spool_t;
type logrotate_t;
type fail2ban_var_run_t;
type initrc_t;
type squid_log_t;
class dir {read open write remove_name};
class file { getattr read write open};
class file setattr;
class sock_file write;
class unix_stream_socket connectto;
class lnk_file rename;
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file { getattr read write open };
allow logrotate_t mail_spool_t:dir { read open write remove_name};
allow logrotate_t mail_spool_t:file setattr;
allow logrotate_t fail2ban_var_run_t:sock_file write;
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t squid_log_t:lnk_file rename;

===============8<==================================================


This was today's AVC that necessitated the inclusion of the squid stuff:

===============8<==================================================
Raw Audit Messages :

node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 a0=890b130 a1=8908760 a2=890b060 a3=0 items=0 ppid=12300 pid=12302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2275 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
===============8<==================================================
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 12-06-2009, 08:49 AM
"Justin P. Mattock"
 
Logrotate frustration

On 12/06/09 01:38, Arthur Dent wrote:

[Snip]


I don't use logrotate over here (not sure of the label),
but looking at the AVCs you supplied
it seems it's a label issue
(but correct me if I'm wrong).

Justin P. Mattock

 
Old 12-06-2009, 10:59 AM
Dominick Grift
 
Logrotate frustration

On Sun, Dec 06, 2009 at 09:38:32AM +0000, Arthur Dent wrote:
> [Snip]


The rule with the initrc_t type is due to missing policy. It is encouraged to implement policy for all init daemons.

With regard to the other rules you can, I guess, basically allow the access required,

But always go through the checklist:

1. are the parties in an interaction labeled correctly? (matchpathcon/restorecon/semanage/chcon)
2. are there any booleans or types that facilitate a certain interaction? (audit2allow)
3. is there a misconfiguration in some application? (see if a program should be able to do what it wants)
4. is there a bug in some application? (is the denial due to a bug in an application?)
5. is there a bug in the selinux policy? (missing policy to allow a certain interaction?)
6. is it a break-in attempt? (is the application compromised?)

Taking these 5 golden rules into consideration, I have some questions:

allow logrotate_t fail2ban_var_run_t:sock_file write
- why would logrotate have to write to a fail2ban sock file? (this may be a bug in fail2ban, maybe a leaked file descriptor. does this denial cause any loss in functionality? if not, consider silently denying it)

allow logrotate_t squid_log_t:lnk_file rename;
- why does squidguard, or whatever manages the squid_log_t lnk_file, create a lnk_file in /var/log/... This is obviously not common behaviour afaik. That may be the reason why it is denied.

With regard to the rules with the mail_spool_t type I would like to know if and why logrotate wants to rotate spool files. is this expected behaviour of logrotate or are the mail_spool_t objects mislabeled?

So in conclusion the only denial that I am somewhat comfortable with is the squid link file denial. This may be some uncommon behaviour of squid/squidguard that selinux policy currently does not support (when confirmed that squidguard indeed creates a lnk file in /var/log for some reason, then implement policy to allow logrotate to rename the link (and whatever else it may need to do with the lnk_file)).

See what runs as initrc_t (ps auxZ) and consider writing policy for this init daemon. By implementing policy for the init daemon you protect the system, plus you achieve that confined domains do not have to interact with the unconfined initrc_t domain.



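Added example, not code from this thread or from the selinux-policy project: a Python triage script that parses the raw AVC records quoted in this thread (the squidGuard.log rename/unlink denials and the later /mnt/backup/mail/rawmail getattr denial, plus two constructed lines standing in for the fail2ban and initrc_t rules in Arthur's policy, which the thread never shows as raw records), sorts each denial into the checklist buckets above, and emits an audit2allow-style .te module in which only the "allow" and "silently deny" verdicts become rules. The expected-path table, the unconfined-domain set and the example.test node name are assumptions; confirm the real labels with matchpathcon before trusting the "mislabel" verdict.

```python
import re
from collections import defaultdict

# Constructed sample input. The first three AVC lines are the ones quoted in
# this thread; the last two are constructed to match the fail2ban and initrc_t
# rules in Arthur's policy (the thread never shows those raw records).
SAMPLE_AUDIT = """\
node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=AVC msg=audit(1260675471.68:43485): avc: denied { unlink } for pid=11490 comm="logrotate" name="squidGuard.log.1" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=AVC msg=audit(1260331775.761:1220): avc: denied { getattr } for pid=31349 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
node=example.test type=AVC msg=audit(1260069452.500:45042): avc: denied { write } for pid=12302 comm="logrotate" name="fail2ban.sock" dev=sda5 ino=1 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=sock_file
node=example.test type=AVC msg=audit(1260069452.501:45043): avc: denied { connectto } for pid=12302 comm="logrotate" path="/var/run/example.sock" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristics, not policy facts: confirm with matchpathcon on the real host.
EXPECTED_PREFIXES = {'mail_spool_t': ('/var/spool/mail', '/var/mail'),
                     'squid_log_t': ('/var/log/squid',)}
UNCONFINED_DOMAINS = {'initrc_t', 'unconfined_t'}


def parse_avc(line):
    """Return a dict for one 'type=AVC ... avc: denied' record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # Contexts are user:role:type[:range]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def triage(rec):
    """Sort one denial into a checklist bucket; returns (verdict, reason)."""
    ttype, path = rec['ttype'], rec.get('path', '')
    if ttype in UNCONFINED_DOMAINS:  # checklist: missing policy for an init daemon
        return 'missing-policy', 'target runs unconfined; write policy for that daemon'
    prefixes = EXPECTED_PREFIXES.get(ttype)
    if path and prefixes and not path.startswith(prefixes):  # checklist: labels
        return 'mislabel', 'path outside the usual %s location; check matchpathcon/restorecon' % ttype
    if rec['tclass'] == 'sock_file' and 'write' in rec['perms']:  # checklist: app bug
        return 'app-bug', 'unexpected socket write (leaked fd?); dontaudit if nothing breaks'
    return 'allow', 'uncommon but plausible access; allow once the behaviour is confirmed'


def triage_audit(text):
    """Parse every AVC line in an audit dump; returns [(verdict, reason, record)]."""
    return [triage(r) + (r,) for r in map(parse_avc, text.splitlines()) if r]


def build_module(text, name='mylogr_triage', version='1.0'):
    """Emit an audit2allow-style .te module; only allow/app-bug verdicts become rules."""
    rules = defaultdict(set)    # (verb, stype, ttype, tclass) -> perms
    classes = defaultdict(set)  # tclass -> perms, for the require block
    notes = []
    for verdict, reason, rec in triage_audit(text):
        if verdict in ('mislabel', 'missing-policy'):
            notes.append('# skipped (%s): %s on %s (%s %s)' % (
                verdict, ' '.join(rec['perms']), rec.get('path') or rec.get('name', '?'),
                rec['ttype'], rec['tclass']))
            continue
        verb = 'dontaudit' if verdict == 'app-bug' else 'allow'
        rules[(verb, rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
        classes[rec['tclass']].update(rec['perms'])
    types = sorted({s for (_, s, _, _) in rules} | {t for (_, _, t, _) in rules})
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (verb, s, t, c), perms in sorted(rules.items()):
        out.append('%s %s %s:%s { %s };' % (verb, s, t, c, ' '.join(sorted(perms))))
    return '\n'.join(out + notes) + '\n'


if __name__ == '__main__':
    print(build_module(SAMPLE_AUDIT))
```

Denials that land in the "mislabel" or "missing-policy" buckets are written out as comments rather than rules, which is the point of the checklist: an allow rule for a mislabeled spool directory or an unconfined initrc_t socket hides the real problem instead of fixing it.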
 
Old 12-07-2009, 08:24 PM
Daniel J Walsh
 
Logrotate frustration

On 12/06/2009 04:38 AM, Arthur Dent wrote:
> [Snip]
I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.

Are you using a custom logrotate to rotate mail_spool?

Why is

 
Old 12-07-2009, 09:30 PM
Arthur Dent
 
Logrotate frustration

On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> On 12/06/2009 04:38 AM, Arthur Dent wrote:
> > [Snip]
> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
>
> Are you using a custom logrotate to rotate mail_spool?
>
> Why is

I think that my problem with mailspool/logrotate is that it relates to
my mail backup system in which procmail places a copy of every mail (in
mbox format) onto a separate partition on the same machine. This seemed
to cause labelling problems and we went round the houses on this issue a
while back ("Partitions Mounted by fstab" 5 March 2008 -
https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00030.html)

Thanks for your help - much appreciated...

Mark

 
Old 12-14-2009, 09:01 AM
Arthur Dent
 
Logrotate frustration

On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> > On 12/06/2009 04:38 AM, Arthur Dent wrote:
> > > [Snip]
> > I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
> >
> > Are you using a custom logrotate to rotate mail_spool?
> >
> > Why is
>
> I think that my problem with mailspool/logrotate is that it relates to
> my mail backup system in which procmail places a copy of every mail (in
> mbox format) onto a separate partition on the same machine. This seemed
> to cause labelling problems and we went round the houses on this issue a
> while back ("Partitions Mounted by fstab" 5 March 2008 -
> https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00030.html)
>
> Thanks for your help - much appreciated...
>
> Mark

OK - Following another arm of this thread I have (last week) done a
complete relabel and removed my existing fail2ban and logrotate local
policies.

As a result of yesterday's weekly log rotate, squid threw up another
couple of AVCs related to log_lnk (see below).

I have created another local policy but, do I understand you correctly
Daniel that you may include log_lnk in a future targeted policy?

Here is my new logrotate policy:

===============8<==================================================

module mylogr 11.2.2;

require {
type mail_spool_t;
type logrotate_t;
type squid_log_t;
class file getattr;
class lnk_file { rename unlink };
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;
allow logrotate_t squid_log_t:lnk_file { rename unlink };

===============8<==================================================

Is this OK?

Thanks for any help or suggestions...

Mark

p.s.

Logrotate AVCs

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260331775.761:1220): avc: denied { getattr } for pid=31349 comm="logrotate" path="/mnt/backup/mail/rawmail" dev=sda9 ino=2490369 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1260331775.761:1220): arch=40000003 syscall=196 success=yes exit=0 a0=9e59668 a1=bfd3e864 a2=bf5ff4 a3=1 items=0 ppid=31347 pid=31349 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=257 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260675470.813:43484): avc: denied { rename } for pid=11490 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=SYSCALL msg=audit(1260675470.813:43484): arch=40000003 syscall=38 success=yes exit=0 a0=8295138 a1=8298f98 a2=8295068 a3=0 items=0 ppid=11488 pid=11490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1554 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260675471.68:43485): avc: denied { unlink } for pid=11490 comm="logrotate" name="squidGuard.log.1" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
node=troodos.org.uk type=SYSCALL msg=audit(1260675471.68:43485): arch=40000003 syscall=10 success=yes exit=0 a0=8298f98 a1=bfbeffa8 a2=8298f98 a3=bfbeff70 items=0 ppid=11488 pid=11490 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1554 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)


 
Old 12-15-2009, 03:26 PM
Arthur Dent
 
Logrotate frustration

On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
> On 12/14/2009 05:01 AM, Arthur Dent wrote:
> > On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
> >> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> >>> On 12/06/2009 04:38 AM, Arthur Dent wrote:

[Snip]

> >>> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
> >>>
> >>> Are you using a custom logrotate to rotate mail_spool?

[Snip]

>
> Yes the squid access will not be needed.
>
> Fixed in selinux-policy-3.6.32-59.fc12.noarch
>
> logrotate looking at /mnt/backup/mail/rawmail
> Looks like a local customization.

Thanks Daniel,

OK - I am running F11:
# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.6.12-91.fc11.noarch
selinux-policy-3.6.12-91.fc11.noarch

Will there be a F11 version? (If so what version will it be in?)

In the meantime I should keep using my local policy I guess?...

Thanks again

Mark


 
Old 12-21-2009, 06:21 PM
Daniel J Walsh
 
Logrotate frustration

On 12/15/2009 11:26 AM, Arthur Dent wrote:
> [Snip]

Miroslav,

Could you add this patch to F11?
 
