When installing a policy rpm, one cannot log the install activity w/o generating avc errors. For example:
rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
produces the following violation:
type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
The problem seems to stem from recording the %post script's attempts to relabel files affected by the policy, specifically:
/sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm; /sbin/restorecon -F -R -v /etc/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/log;
Is there any way to preserve the logging w/o disabling selinux for the duration of the install?
FWIW, the rpm commands are executed from a bash script.
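The two audit records quoted above, parsed and correlated mechanically. This is an added example and not code from the thread or from any of its participants; the sample input is the page's own SYSCALL and AVC records, embedded as constructed strings, and the only outside knowledge it uses is that arch=c000003e is x86_64 and syscall 59 on x86_64 is execve.

```python
"""Parse SELinux audit records and summarize an AVC denial with its syscall.

Added example: the records below are copied from the thread above; on a real
system they are separate lines in /var/log/audit/log and share an event id.
"""
import re
from collections import defaultdict

# Constructed sample input: the two records quoted in the post, split at the
# "type=AVC" boundary that the mail client had run together on one line.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" '
    'exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)',
    'type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 '
    'comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 '
    'scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 '
    'tcontext=root:object_r:var_log_t:s0 tclass=file',
]

# arch=c000003e is AUDIT_ARCH_X86_64; only the syscall seen in this thread is mapped.
X86_64_SYSCALLS = {59: "execve"}

# key=value pairs: quoted strings, parenthesised values such as (null), or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\([^)]*\)|\S+)')
_MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+')


def parse_record(line):
    """Turn one audit record into a dict of its fields.

    Quoted values lose their quotes. AVC records additionally get 'result'
    ("denied"/"granted") and 'permissions' (the list inside the braces).
    """
    rec = {}
    m = _MSG_RE.search(line)
    if not m:
        raise ValueError("no msg=audit(...) in record")
    rec["timestamp"], rec["serial"] = m.group(1), int(m.group(2))
    avc = _AVC_RE.search(line)
    if avc:
        rec["result"] = avc.group(1)
        rec["permissions"] = avc.group(2).split()
    for key, val in _FIELD_RE.findall(line):
        if key == "msg":
            continue  # already decoded into timestamp/serial
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def correlate(lines):
    """Group records by audit event id (timestamp, serial), as ausearch does."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        events[(rec["timestamp"], rec["serial"])][rec["type"]] = rec
    return events


def summarize_denial(event):
    """Reduce one event to the tuple a policy author or responder needs:
    source type, target type, object class, permissions, and the syscall."""
    avc = event["AVC"]
    sc = event.get("SYSCALL", {})
    syscall = None
    if sc.get("arch") == "c000003e" and "syscall" in sc:
        syscall = X86_64_SYSCALLS.get(int(sc["syscall"]))
    return {
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "permissions": avc["permissions"],
        "path": avc.get("path"),
        "comm": avc.get("comm"),
        "syscall": syscall,
        "syscall_succeeded": sc.get("success") == "yes",
    }


if __name__ == "__main__":
    for (ts, serial), ev in correlate(AUDIT_LINES).items():
        if "AVC" in ev and ev["AVC"]["result"] == "denied":
            s = summarize_denial(ev)
            print(f"event {ts}:{serial}: {s['source_type']} denied "
                  f"{' '.join(s['permissions'])} on {s['target_type']} {s['tclass']} "
                  f"{s['path']} (comm={s['comm']}, syscall={s['syscall']}, "
                  f"succeeded={s['syscall_succeeded']})")
```

Reading the summary this produces for the page's record: the denial is restorecon_t write on a var_log_t file, and the SYSCALL half says it happened inside execve, which itself succeeded. That is consistent with the denial being raised on the shell's redirected stdout that restorecon inherited when it was executed into restorecon_t: at a domain transition SELinux revalidates the open descriptors the new domain inherits, so the tuple to check against policy is restorecon_t writing a var_log_t file, not anything restorecon opens on its own.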
On Tue, 26 Aug 2008 16:02:15 -0400 "Johnson, Richard" Richard.Johnson@stratus.com wrote:
> When installing a policy rpm, one cannot log the install activity w/o generating avc errors. For example:
> rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
> produces the following violation:
> type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
> The problem seems to stem from recording the %post script's attempts to relabel files affected by the policy, specifically:
> /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm; /sbin/restorecon -F -R -v /etc/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/log;
> Is there any way to preserve the logging w/o disabling selinux for the duration of the install?
> FWIW, the rpm commands are executed from a bash script.
You could try logging to a file with a different context type, e.g.
rpm -i lsb-ft-asn-selinux > /tmp/rpm-update.log
and then move the resulting file to /var/log if you need it to be there. I'm not sure if restorecon_t can write to temp files but it's probably more likely than writing to var_log_t, which is currently what's being denied.
Paul.
On Tue, 26 Aug 2008 8:05 PM "Paul Howarth" paul@city-fan.org wrote:
> On Tue, 26 Aug 2008 16:02:15 -0400 "Johnson, Richard" Richard.Johnson@stratus.com wrote:
> > When installing a policy rpm, one cannot log the install activity w/o generating avc errors. For example:
> > rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
> > produces the following violation:
> > type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
> > The problem seems to stem from recording the %post script's attempts to relabel files affected by the policy, specifically:
> > /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm; /sbin/restorecon -F -R -v /etc/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/log;
> > Is there any way to preserve the logging w/o disabling selinux for the duration of the install?
> > FWIW, the rpm commands are executed from a bash script.
> You could try logging to a file with a different context type, e.g.
> rpm -i lsb-ft-asn-selinux > /tmp/rpm-update.log
> and then move the resulting file to /var/log if you need it to be there. I'm not sure if restorecon_t can write to temp files but it's probably more likely than writing to var_log_t, which is currently what's being denied.
I wish it were as simple as using a tmp_t:file. I tried that, and the answer's no.
I suppose the general process would be a script that:
- creates a temporary file
- labels it--silently, to avoid an avc logging the activity
- does the restorecon
- cats the temporary file to stdout
- and the various complications of cleanup should an error occur
- and replicating the encapsulation in both %post and %postun scripts.
For my understanding: If it were to work, what's gained by restricting restorecon from logging directly?
--rich
Johnson, Richard wrote:
> When installing a policy rpm, one cannot log the install activity w/o generating avc errors. For example:
> rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
> produces the following violation:
> type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59 success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0 ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file
> The problem seems to stem from recording the %post script's attempts to relabel files affected by the policy, specifically:
> /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm; /sbin/restorecon -F -R -v /etc/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/asn; /sbin/restorecon -F -R -v /var/opt/ft/log;
> Is there any way to preserve the logging w/o disabling selinux for the duration of the install?
> FWIW, the rpm commands are executed from a bash script.
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Answered in http://danwalsh.livejournal.com/22860.html