Hi All,

I am attempting to use logrotate to rotate a log file with the unlabeled_t context; as it turns out SELinux is not happy about this and denies logrotate access to the log file.

What's the preferred method here to allow access? I used audit2allow and installed the .pp, but was reading some docs[0] and wanted to double check my solution.

The points in the docs that I wanted to check on were "Missing TE rules are usually caused by bugs in SELinux policy and should be reported..." Should I report my particular instance as a bug?

"Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to the upstream SELinux list for review."

Thanks in advance!
JT

[0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
Hi Jason,

----- Original Message -----
From: "jason" jtfas90@gmail.com
To: selinux@lists.fedoraproject.org
Sent: Friday, December 11, 2015 2:51:48 PM
Subject: logrotate and unlabeled_t

> Hi All,
> I am attempting to use logrotate to rotate a log file with the unlabeled_t context; as it turns out SELinux is not happy about this and denies logrotate access to the log file.

unlabeled_t in this case would indicate the file has no security context.

> What's the preferred method here to allow access? I used audit2allow and installed the .pp, but was reading some docs[0] and wanted to double check my solution.

Label the file with the appropriate logfile type supported by logrotate:

    sesearch -A -s logrotate_t -c file

> The points in the docs that I wanted to check on were "Missing TE rules are usually caused by bugs in SELinux policy and should be reported..." Should I report my particular instance as a bug?
> "Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to the upstream SELinux list for review."
> Thanks in advance!
> JT
> [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Hi Jason,

On 12/11/2015 08:51 PM, jason wrote:
> Hi All,
> I am attempting to use logrotate to rotate a log file with the unlabeled_t context; as it turns out SELinux is not happy about this and denies logrotate access to the log file.

logrotate should run under the logrotate_t SELinux context. I would recommend you fix all security contexts on your system using:

    # restorecon -R -v /

After this, logrotate should run under the logrotate_t SELinux context.

> What's the preferred method here to allow access? I used audit2allow and installed the .pp, but was reading some docs[0] and wanted to double check my solution.
> The points in the docs that I wanted to check on were "Missing TE rules are usually caused by bugs in SELinux policy and should be reported..." Should I report my particular instance as a bug?

Could you attach the AVC msgs using:

    # ausearch -m AVC

We can analyze these msgs and figure out if it is some bug in SELinux policy, or create some local SELinux module for you.

> "Modules created with audit2allow may allow more access than required.

True, you should always properly read the AVC msg and allow just what is mentioned in the AVC msg. The audit2allow tool can use too generic a rule as a fix, and this is a wrong habit for writing policies.

> It is recommended that policy created with audit2allow be posted to the upstream SELinux list for review."

You can attach your local policy here for checking as well. :)

> Thanks in advance!
> JT
> [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html

Regards, Lukas.
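The triage Lukas describes (read the AVC, allow only what it names, and treat a missing label as a labeling problem rather than a policy gap), carried through as an added example; this script is not from the thread or from the SELinux project. It takes the denial Jason posted plus one constructed denial against a normally labeled file, prints the narrowest TE rule that would cover each, and flags the unlabeled_t case as "relabel" instead of something to allow. The second sample line, its httpd_log_t target and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): read AVC denials, extract exactly what
# was denied, and separate "the file is mislabeled" from "the policy lacks a
# rule" before reaching for audit2allow.

# The denial Jason posted, copied from the thread as one audit.log line.
SAMPLE_AVC='type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file'

# A second, constructed denial against a properly labeled file, so both
# triage outcomes can be seen side by side (hypothetical, not from the thread).
SAMPLE_LOG="$SAMPLE_AVC
type=AVC msg=audit(1450064600.100:248950): avc: denied { read } for pid=39500 comm=\"logrotate\" name=\"other.log\" dev=\"sdb1\" ino=1234 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file"

# avc_field LINE KEY: print the value of KEY=VALUE (quotes stripped), e.g. scontext.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the permission set inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated component) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_rule LINE: the narrowest TE rule that would silence exactly this denial
# (what audit2allow emits for a single AVC; nothing broader).
avc_rule() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$(avc_perms "$1")"
}

# avc_triage LINE: "relabel" when the target carries a placeholder type, because
# allowing access to unlabeled_t would open every unlabeled file to the domain;
# "rule" otherwise, meaning the AVC is a candidate for a policy bug report.
avc_triage() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        unlabeled_t|default_t) echo relabel ;;
        *) echo rule ;;
    esac
}

# avc_summarize: read audit lines on stdin, print "<triage>: <narrow rule>" per denial.
avc_summarize() {
    while IFS= read -r line; do
        case "$line" in *avc:*denied*) ;; *) continue ;; esac
        printf '%s: %s\n' "$(avc_triage "$line")" "$(avc_rule "$line")"
    done
}

# Usage: on a live system feed it `ausearch -m AVC -ts recent` instead of the sample.
printf '%s\n' "$SAMPLE_LOG" | avc_summarize
```

For Jason's line the script prints "relabel: allow logrotate_t unlabeled_t:file { getattr };", which is the point of the thread: the rule is syntactically the narrowest possible, yet installing it is still the wrong fix, because unlabeled_t is not a log type but the absence of one.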
On Sun, 2015-12-13 at 14:20 +0100, Lukas Vrabec wrote:
> logrotate should run under the logrotate_t SELinux context. I would recommend you fix all security contexts on your system using:
>
>     # restorecon -R -v /
>
> After this, logrotate should run under the logrotate_t SELinux context.
>
> Could you attach the AVC msgs using:
>
>     # ausearch -m AVC
>
> We can analyze these msgs and figure out if it is some bug in SELinux policy, or create some local SELinux module for you.

After attempting to change the context of the log file, I got a permission denied; it seems SELinux won't let me just change the context to anything I want :)

So here is some more information, since I want to make sure I do this the right way.

We have an application writing logs to /${app}/logs/my.log. The current context of the directory/files is unconfined_u:object_r:unlabeled_t:s0.

Previously we were not rotating logs; I would like to use logrotate to manage these logs. We are currently running centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.

The message in /var/log/audit/audit.log I am seeing is:

    type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

Thanks in advance!
JT
On 12/14/2015 03:18 PM, jason wrote:
> We have an application writing logs to /${app}/logs/my.log. The current context of the directory/files is unconfined_u:object_r:unlabeled_t:s0.
>
> Previously we were not rotating logs; I would like to use logrotate to manage these logs. We are currently running centos-release-7-1.1503.el7.centos.2.8 in targeted/enforcing mode.
>
> The message in /var/log/audit/audit.log I am seeing is:
>
>     type=AVC msg=audit(1450064522.450:248945): avc: denied { getattr } for pid=39492 comm="logrotate" "/app/logs/my.log" dev="sdb1" ino=4294971394 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

Is it a mount point?
On Mon, 2015-12-14 at 15:43 +0100, Miroslav Grepl wrote:
> Is it a mount point?

/${app} is, yes.

JT
On 12/14/2015 03:46 PM, jason wrote:
> On Mon, 2015-12-14 at 15:43 +0100, Miroslav Grepl wrote:
> > Is it a mount point?
>
> /${app} is, yes.

So use context="system_u:object_r:var_log_t:s0" as a mount option. This labels the mount point as var_log_t. For more info see the mount man pages.
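Miroslav's fix, carried through as an added example that is not code from the thread: shell functions that read a mounts table, report whether the filesystem behind a log directory is mounted with the context= option, and build the matching /etc/fstab entry. The mount lines, device name and mount point are constructed for the example; on a real host the same functions are fed /proc/self/mounts.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the filesystem behind a
# log directory is mounted with a context= option, and build the matching
# /etc/fstab entry. All mount lines below are constructed sample data.

# Constructed /proc/self/mounts output: /app carries neither a context= option
# nor the kernel's seclabel flag, so everything on it shows up as unlabeled_t.
BEFORE_MOUNTS='/dev/sda1 / xfs rw,seclabel,relatime 0 0
/dev/sdb1 /app xfs rw,relatime 0 0'

# The same table after remounting /app with the option from the thread.
AFTER_MOUNTS='/dev/sda1 / xfs rw,seclabel,relatime 0 0
/dev/sdb1 /app xfs rw,seclabel,relatime,context=system_u:object_r:var_log_t:s0 0 0'

# mount_options TABLE MNTPOINT: the option field for MNTPOINT, or nothing if absent.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# mount_has_option TABLE MNTPOINT OPT: "yes"/"no" for a flag such as seclabel.
mount_has_option() {
    case ",$(mount_options "$1" "$2")," in
        *",$3,"*) echo yes ;;
        *) echo no ;;
    esac
}

# mount_context TABLE MNTPOINT: the value of context= (quotes stripped), if any.
mount_context() {
    mount_options "$1" "$2" | tr ',' '\n' | sed -n 's/^context="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# fstab_entry DEV MNTPOINT FSTYPE TYPE: an fstab line that labels the whole
# filesystem with TYPE. The value is quoted as in the thread; mount(8) needs
# the quotes whenever the context contains commas (MCS category ranges).
fstab_entry() {
    printf '%s %s %s defaults,context="system_u:object_r:%s:s0" 0 0\n' "$1" "$2" "$3" "$4"
}

# check_logdir TABLE MNTPOINT: one-line verdict on what to do with the mount.
check_logdir() {
    ctx=$(mount_context "$1" "$2")
    if [ -n "$ctx" ]; then
        echo "ok: $2 is mounted with context=$ctx"
    elif [ "$(mount_has_option "$1" "$2" seclabel)" = yes ]; then
        echo "relabel: $2 supports labels; use semanage fcontext and restorecon"
    else
        echo "remount: $2 has no labels; add context= (see fstab_entry)"
    fi
}

# Usage: on a live system pass "$(cat /proc/self/mounts)" instead of the sample.
check_logdir "$BEFORE_MOUNTS" /app
check_logdir "$AFTER_MOUNTS" /app
fstab_entry /dev/sdb1 /app xfs var_log_t
```

Once the remount is in place, `ls -Zd /app/logs` should show var_log_t, and `sesearch -A -s logrotate_t -t var_log_t -c file` (the query suggested earlier in the thread, narrowed to the target type) confirms that logrotate_t already holds the file permissions it needs, so no local module is required.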