Bug 1163438
Summary: | SELinux is preventing logrotate from 'read' accesses on the directory /var/cache/dnf. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ankur Sinha (FranciscoD) <sanjay.ankur> |
Component: | dnf | Assignee: | Honza Silhan <jsilhan> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 21 | CC: | 159024, acc-bugz-redhat, adrigiga, akozumpl, akurtako, amit.shah, amturnip, andrey.k.p, antonio.montagnani, autarch, berend.de.schouwer, bignikita, binary.man, bitlord0xff, bochecha, bugzilla, bugzilla, ceerda, charles.tryon, chmelarz, chrissharp123, coin2028, colomboleandro, cy48833, czerny.jakub, dabbill, daniel, darakus, davidsen, ddtebest, decathorpe, dominick.grift, dreibuchen, drwolf85, dwalsh, edosurina, ejnersan, fco.apg, fedora, flokip, gabrielegualcogm, gfaria.mello, goeran, hancockrwd, hellishglare, herlo1, herrold, honzik.dostal, hsggebhardt, humbertofadel2, ignatenko, i.m.diegogalvis, jamatos, jamescape777, jcosta, jen, jesse_kahtava, jhhaynes, jirinek, jkaluza, jlayton, jlbouras, joseph, jpward1981, jsilhan, jskarvad, jzeleny, kaka.in, keith.burgoyne, keramidasceid, klaus, kvolny, larrylesnett, liblit, lslebodn, luca.botti, luya, lvrabec, l.wandrebeck, marcelo_capital2006, marco.guazzone, marianne, martin, mattia.verga, mfratoni1, mgautier, mgrepl, mhhwhitney, mi2star, milan.kerslager, minuszero, mluscon, mohammeda, mruwek, musa_abuh, pedrompcaetano, petersen, pgervase, plautrba, plazaga, pnemade, quent.haas, ram.premnath, raorn, redhat, rehol3, rholy, rikyinformation, robert.burns, roman.morokutti, sghosh, shark.basketball, sheepdestroyer, shenada, simone.tolotti, soconcar, spider, ssekidde, stamour.robert, stefano.cavallari, stevenvdschoot, temlakos, thub, tla, tmoschou, twim, unaiup, victor, vincent, vlad200, vmalerba, yajo.sk8, zman0900 |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | abrt_hash:7b80e5f9b015f82176fa7743742de5e04d39be44a40add15d451261710d50283 | ||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-05-20 13:18:55 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ankur Sinha (FranciscoD)
2014-11-12 17:00:42 UTC
*** Bug 1173233 has been marked as a duplicate of this bug. ***

Does anyone know why logrotate needs read rpm_var_cache dir?

Description of problem:
this happened somewhere in background, I don't know when or how. I think it might have happened when running dnf as non-privileged user.

# grep logrotate /var/log/audit/audit.log
type=AVC msg=audit(1418382361.816:491): avc: denied { read } for pid=6456 comm="logrotate" name="dnf" dev="dm-0" ino=13252 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Thank you for your post. I'll wait also for logrotate guys. If they confirm this, I'll add dontaudit rule here.

Description of problem:
Recent install of Fedora 21 Workstation. Not done much; installed Thunderbird, Keepassx. I ran yum update through muscle memory, maybe I should be running dnf?
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport

Description of problem:
no idea, just idling
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Appears a short time after the system was started.
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686+PAE type: libreport

That's really weird. logrotate shouldn't use /var/cache/dnf for rotating logs!

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

from /etc/logrotate.d/dnf

I have the same problem.
Description of problem:
SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

Additional Information:
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context system_u:object_r:rpm_var_cache_t:s0
Target Objects /var/cache/dnf [ dir ]
Source logrotate
Source Path logrotate
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-12-14 14:31:02 CET
Last Seen 2014-12-14 14:31:02 CET
Local ID a222f873-33d0-4a5b-87b1-17a758a1eaf9

Raw Audit Messages
type=AVC msg=audit(1418563862.85:509): avc: denied { read } for pid=4548 comm="logrotate" name="dnf" dev="dm-1" ino=917797 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

Description of problem:
No intervention from my part, it seems like a regular logrotate task. I got the notification from within Gnome Shell.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
User activity at the time of the alert: Browsing the web with Firefox, plus an active ssh session to a remote host (a KVM guest running on the F21 host machine).
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Showed up the next morning...
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I upgraded to Fedora 21 workstation a few days ago. SELinux is preventing logrotate access to the folder /var/cache/dnf. I don't know much about SELinux, or this /var/cache/dnf directory. In any case, I got an SELinux Alert, and such an alert should not be generated by default.
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I was simply using Google Chrome to edit Google Docs, like I have many times before, and received notification of this
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
used fedup to install Twenty One
have logrotate run from cron
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

(In reply to Quentin Haas from comment #15)
> Description of problem:
> I was simply using Google Chrome to edit Google Docs, like I have many times
> before, and received notification of this
>
> Version-Release number of selected component:
> selinux-policy-3.13.1-99.fc21.noarch
>
> Additional info:
> reporter: libreport-2.3.0
> hashmarkername: setroubleshoot
> kernel: 3.17.6-300.fc21.x86_64
> type: libreport

To add, I also used fedup to upgrade my Fedora 20 install to Fedora 21 a couple of days ago

Description of problem:
I presume that cron is automatically running logrotate, since this error occurs every morning.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
/etc/logrotate.d/dnf contains entry for /var/cache/dnf/*/*/hawkey.log
dnf-0.6.3-2.fc21.noarch
selinux-policy-targeted-3.13.1-99.fc21.noarch
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport

Description of problem:
SELinux complained that logrotate was trying to access /var/cache/dnf. I haven't touched any settings involving logrotate or this file.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

This is caused by a change in the dnf package (Bug 1149350). I'm reassigning this to selinux-policy to add a selinux rule to fix the AVC from Comment 10. If you think the logs should not be in /var/cache/, or if you have some additional questions, please discuss these with the "dnf" package maintainers.

*** Bug 1173995 has been marked as a duplicate of this bug. ***

*** Bug 1173941 has been marked as a duplicate of this bug. ***

As pointed out by Igor in Comment 9, the dnf logrotate configuration file contains the following:

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

So it tries to rotate any hawkey.log in /var/cache/dnf subdirectories' subdirectories :).

Description of problem:
This error just pops up automatically due to background activities, not due to activity caused by users. Logrotate wants to read the cache of dnf.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

commit 8c58acae64e5f8f41d5ea01b9a11ad25e0da3802
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 15 05:06:23 2014 -0500

    Allow logrotate to read hawkey.log in /var/cache/dnf/
    BZ(1163438)

Description of problem:
Fedora 21 told me with an alert that SELinux forbade logrotate to do something.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Upgraded to F21 (nonproduct, KDE) from F20
At first boot, after some time I got this warning from selinux.
I tried "restorecon" just in case the directory was mislabeled for some reason:
# restorecon -Rv /var/cache/dnf/
#
but as you can see it did not change anything
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-302.fc21.x86_64 type: libreport

Description of problem:
I did nothing, just had the system up and running.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I got this error without triggering anything, all I know is that the system was idle for more than an hour, with Firefox and Software opened. If this keeps repeating, I would be glad to help you with it.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport

Description of problem:
No interaction needed to reproduce this bug on my system.
When logrotate runs from cron, the enclosed warning appears.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21

Description of problem:
This just occurred when logrotate tried to do its thing because of the crontab entry.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport

Description of problem:
I was trying to fix a problem with VLC Player (RPM Fusion). I configured it so it can use a skin but it didn't work, probably an outdated skin file. I was creating/removing archives/files in the folder /usr/share/vlc/skins2; the problem appeared during the process.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
This alert appears after launching qbittorrent, precisely when the data exchange started in that program.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
A notification about an error appeared while browsing the internet with Google Chrome.
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
just wait for logrotate to kick in.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Nothing done especially. logrotate ran automatically.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

(In reply to Fedora Update System from comment #32)
> selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21

This fixes it for me, karma left.

(In reply to Colin J Thomson from comment #39)
> (In reply to Fedora Update System from comment #32)
> > selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> > https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21
>
> This fixes it for me, karma left.

The same for me.
Karma +1

Description of problem:
Was just installing a game called robocraft in steam
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

(In reply to Lukas Slebodnik from comment #40)
> (In reply to Colin J Thomson from comment #39)
> > (In reply to Fedora Update System from comment #32)
> > > selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> > > https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21
> >
> > This fixes it for me, karma left.
>
> The same for me.
> Karma +1

I'll just add that I believe the same. Since restarting after install at 17:54 GMT there were no error messages from SE Linux. For one hour I restarted with a Live DVD to test something else between 21:20 and 22:20.
I think the preceding 3 hours 25 minutes gave enough time for the scheduled task to complete which has been causing the error message.

Description of problem:
dnf update
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I did nothing. This problem occurs on its own from time to time, I guess when logrotate tries to rotate the dnf logs...
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport

Description of problem:
I believe logrotate should be allowed access, as /etc/logrotate.d/dnf includes this record:

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

so it is expected to crawl under /var/cache ...
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-302.fc21.x86_64 type: libreport

Description of problem:
Just saw it pop up in the tray icon.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
SELinux warning produced when logrotate attempts regular rotation of logs in the dnf cache directory. This is the default configuration of logrotate and SELinux as far as I know.

Relevant block from /etc/logrotate.d/dnf:

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

Steps to reproduce:
- Verify that both SELinux and logrotate are installed in default configuration. (In my case, upgrade from Fedora 20.)
- Wait for logrotate to check for hawkey logs inside /var/cache/dnf dir...
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
If this is about logrotate, there is nothing that I as a user did at this time.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Didn't do anything. Just popped up in the middle of my session. I guess logrotate + dnf are not SELinux aware.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Happening after fedup upgrade from Fedora 20.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

I confirm comment #40 and comment #42, selinux-policy-3.13.1-103.fc21.noarch fixes the bug. Tnx

Description of problem:
I got notified of this by SELinux Alert Browser: logrotate wants read access in /var/cache/dnf
Happened after system update today
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
My laptop woke up from standby and I saw the SELinux Alert.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I was using Google Chrome to listen to some music while programming in C in vim in gnome-terminal when I received a notification via the Gnome Shell that this SELinux alert occurred.
I was not using dnf, nor have I used dnf. I turned my computer on not long ago and did check for updates via yum but there were none reported, with my last check yesterday. I have not encountered this issue previously, nor do I know the root cause of this SELinux alert.
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Package selinux-policy-3.13.1-103.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-103.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-17044/selinux-policy-3.13.1-103.fc21
then log in and leave karma (feedback).

Description of problem:
I don't know if logrotate should get access to /var/cache/dnf actually, but I regularly get a SELinux alert since some of the latest F21 updates (a few days ago).
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
triggered by cron
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Popped up all of a sudden! Firefox, Anjuta and file manager are opened!
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport

Description of problem:
I had just written a job application letter in libreoffice writer when the selinux message appeared.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.1-302.fc21.x86_64 type: libreport

I am wondering why we need an SELinux policy fix here.

Should there be log files under /var/cache/dnf/* at all?

Shouldn't the packaging policy mandate that log files be maintained in /var/log/* ?

(In reply to Subhendu Ghosh from comment #60)
> I am wondering why we need an SELinux policy fix here.
>
> Should there be log files under /var/cache/dnf/* at all?
>

I don't like it either.

> Shouldn't the packaging policy mandate that log file be maintained in
> /var/log/* ?

You can try to reopen BZ1149350. It was closed as not a bug.

It happened for me a few days ago, and now with the updated 'selinux-policy':

type=AVC msg=audit(1418834043.147:466): avc: denied { read } for pid=3519 comm="logrotate" name="dnf" dev="dm-1" ino=2628754 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0

selinux-policy-3.13.1-103.fc21.noarch

Do I need just to relabel /var/cache/dnf? (restorecon...)

Description of problem:
Newly installed Fedora 21, no special config at all. It feels like a default policy isn't correctly configured and may be corrected to not give new users "strange" messages.
[root@ynos ~]# rpm -qa dnf*
dnf-plugins-core-0.1.4-1.fc21.noarch
dnf-0.6.3-2.fc21.noarch
[root@ynos ~]#
[root@ynos ~]# cat /etc/logrotate.d/dnf
/var/log/dnf.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.rpm.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.plugin.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

Additional Information:
Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context system_u:object_r:rpm_var_cache_t:s0
Target Objects /var/cache/dnf [ dir ]
Source logrotate
Source Path logrotate
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux ynos.lagren.com 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-12-17 21:27:02 CET
Last Seen 2014-12-17 21:27:02 CET
Local ID 925aa451-506e-4416-88df-8fa5987e0ff0

Raw Audit Messages
type=AVC msg=audit(1418848022.525:452): avc: denied { read } for pid=3048 comm="logrotate" name="dnf" dev="dm-1" ino=667428 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

/Tomas

Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
(Not sure how to reproduce this. Came up with the log rotate action.)
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

selinux-policy-3.13.1-103.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
logrotate runs regularly in the cron. It needs access to various files and directories to clean up old logs.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport

Description of problem:
This happens after a "dnf update" operation. Not sure if SElinux should allow this interaction. Please review.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I have no idea what caused this, the notification just appeared out of nowhere.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Program executed automatically as I was away from my console. But this has never happened before. I recently upgraded from F20 -> F21.
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Selinux denials in my happy little Fedora 21 world. Looks to be logrotate that misses something wrt. dnf
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Fixed with latest updates. Thank you.
Description of problem:
I upgraded from F20 using fedup and --product=nonproduct and used dnf a bit while in Fedora 20 (never used it in F21).
This logrotate is configured by the distribution, so I believe that this SELinux error should not happen. (I see it almost every day)
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

restorecon -R -v /var/cache
Should clear it up.

Description of problem:
It just popped up.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I'm unaware of the trigger, this mostly pops up a few minutes after logging into the system.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Logrotate runs in the cron. It will also trigger on reboot (anacron). Therefore you'll see the warning shortly after boot/login.

You can run it manually using:
sudo logrotate -f /etc/logrotate.conf -d
That should trigger your warning.

If it doesn't trigger, try without -d:
sudo logrotate -f /etc/logrotate.conf

and, as Daniel said, try:
restorecon -R -v /var/cache
then try logrotate again.

Description of problem:
No action on my behalf triggered this bug, it's a default Fedora cron execution.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.4-301.fc21.x86_64 type: libreport

Description of problem:
I assume logrotate started as a scheduled task in the background.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
Upgrade to Fedora 21 from Fedora 20 and SELinux will complain that logrotate attempts to access files in /var/cache/dnf.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
AVC happened likely when updating. However, the policy appears broken.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I have no idea how this problem happened; I was just browsing in Mozilla and the error notice appeared.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport

Ran sudo restorecon -R -v /var/cache. Then, sudo logrotate -f /etc/logrotate.conf -d with or without -d did not produce the problem. Appears to be fixed now. Thank you all.

Description of problem:
This problem occurred after an upgrade to Fedora 21
After the upgrade it is not possible to update or uninstall applications
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686+PAE type: libreport

Description of problem:
Login to gnome
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.x86_64 type: libreport

Description of problem:
I don't know.
Am running a yumex update right now and it happens to be working on selinux policy targeted
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.17.6-300.fc21.i686 type: libreport

Please reopen the bug. It happened to me again with
selinux-policy-3.13.1-103.fc21.noarch
kernel-3.17.7-300.fc21.x86_64
logrotate-3.8.7-4.fc21.x86_64
-----------------------------------
SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

***** Plugin restorecon (94.8 confidence) suggests ************************

If you want to fix the label.
/var/cache/dnf default label should be rpm_var_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/cache/dnf

***** Plugin catchall_labels (5.21 confidence) suggests *******************

If you want to allow logrotate to have read access on the dnf directory
Then you need to change the label on /var/cache/dnf
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/dnf'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_unit_file_t, NetworkManager_var_run_t, abrt_unit_file_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_unit_file_t, acct_data_t, admin_home_t, afs_logfile_t, aiccu_var_run_t, aide_log_t, ajaxterm_var_run_t, alsa_unit_file_t, alsa_var_run_t, amanda_log_t, amanda_unit_file_t, antivirus_log_t, antivirus_unit_file_t, antivirus_var_run_t, apcupsd_log_t, apcupsd_unit_file_t, apcupsd_var_run_t, apmd_log_t, apmd_unit_file_t, apmd_var_run_t, arpwatch_unit_file_t, arpwatch_var_run_t, asterisk_log_t, asterisk_var_run_t, audisp_var_run_t, auditd_unit_file_t, auditd_var_run_t, auth_cache_t, automount_unit_file_t, automount_var_run_t, avahi_unit_file_t, avahi_var_run_t, bacula_log_t, bacula_var_run_t, bcfg2_unit_file_t, bcfg2_var_run_t, bin_t, bitlbee_log_t, bitlbee_var_run_t, blktap_var_run_t, blueman_var_run_t, bluetooth_unit_file_t, bluetooth_var_run_t, 
boinc_log_t, boinc_unit_file_t, boot_t, bootloader_var_run_t, brltty_unit_file_t, brltty_var_run_t, bumblebee_unit_file_t, bumblebee_var_run_t, cachefilesd_var_run_t, calamaris_log_t, callweaver_log_t, callweaver_var_run_t, canna_log_t, canna_var_run_t, cardmgr_var_run_t, ccs_var_lib_t, ccs_var_log_t, ccs_var_run_t, cert_t, certmaster_var_log_t, certmaster_var_run_t, certmonger_var_run_t, cfengine_log_t, cgred_log_t, cgred_var_run_t, cgroup_t, checkpc_log_t, chronyd_unit_file_t, chronyd_var_log_t, chronyd_var_run_t, cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_log_t, cinder_scheduler_unit_file_t, cinder_var_run_t, cinder_volume_unit_file_t, clogd_var_run_t, cloud_init_unit_file_t, cloud_log_t, cluster_unit_file_t, cluster_var_log_t, cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t, cobbler_var_log_t, cockpit_unit_file_t, collectd_unit_file_t, collectd_var_run_t, colord_unit_file_t, comsat_var_run_t, condor_log_t, condor_unit_file_t, condor_var_run_t, conman_log_t, conman_unit_file_t, conman_var_run_t, consolekit_log_t, consolekit_unit_file_t, consolekit_var_run_t, couchdb_log_t, couchdb_unit_file_t, couchdb_var_run_t, courier_var_run_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_log_t, cron_var_run_t, crond_unit_file_t, crond_var_run_t, ctdbd_log_t, ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_log_t, cupsd_lpd_var_run_t, cupsd_unit_file_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_log_t, cyphesis_var_run_t, cyrus_var_run_t, dbskkd_var_run_t, dbusd_etc_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t, dcerpcd_var_run_t, ddclient_log_t, ddclient_var_run_t, deltacloudd_log_t, deltacloudd_var_run_t, denyhosts_var_log_t, device_t, devicekit_var_log_t, devicekit_var_run_t, dhcpc_var_run_t, dhcpd_unit_file_t, dhcpd_var_run_t, dictd_var_run_t, dirsrv_snmp_var_log_t, dirsrv_snmp_var_run_t, dirsrv_var_log_t, dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_log_t, dlm_controld_var_run_t, dnsmasq_unit_file_t, dnsmasq_var_log_t, 
dnsmasq_var_run_t, dnssec_trigger_var_run_t, docker_log_t, docker_unit_file_t, docker_var_run_t, dovecot_var_log_t, dovecot_var_run_t, dspam_log_t, dspam_var_run_t, entropyd_var_run_t, etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_log_t, evtchnd_var_run_t, exim_log_t, exim_var_run_t, fail2ban_log_t, fail2ban_var_run_t, faillog_t, fcoemon_var_run_t, fenced_var_log_t, fenced_var_run_t, fetchmail_log_t, fetchmail_var_run_t, file_context_t, fingerd_log_t, fingerd_var_run_t, firewalld_unit_file_t, firewalld_var_log_t, firewalld_var_run_t, foghorn_var_log_t, foghorn_var_run_t, fonts_cache_t, fonts_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_bmc_watchdog_var_run_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmidetectd_var_run_t, freeipmi_ipmiseld_unit_file_t, freeipmi_ipmiseld_var_run_t, fsadm_log_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_unit_file_t, ftpd_var_run_t, games_srv_var_run_t, gdomap_var_run_t, gear_log_t, gear_unit_file_t, gear_var_run_t, getty_log_t, getty_unit_file_t, getty_var_run_t, gfs_controld_var_log_t, gfs_controld_var_run_t, glance_api_unit_file_t, glance_log_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, glance_var_run_t, glusterd_log_t, glusterd_var_run_t, gpm_var_run_t, gpsd_var_run_t, greylist_milter_data_t, groupd_var_log_t, groupd_var_run_t, gssproxy_unit_file_t, gssproxy_var_run_t, haproxy_unit_file_t, haproxy_var_log_t, haproxy_var_run_t, httpd_config_t, httpd_log_t, httpd_sys_rw_content_t, httpd_unit_file_t, httpd_var_run_t, hwdata_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, icecast_log_t, icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t, inetd_log_t, inetd_var_run_t, init_var_run_t, initrc_var_log_t, initrc_var_run_t, innd_log_t, innd_var_run_t, insmod_var_run_t, iodined_unit_file_t, ipa_otpd_unit_file_t, ipsec_log_t, ipsec_mgmt_unit_file_t, ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_unit_file_t, iptables_var_run_t, irqbalance_var_run_t, iscsi_log_t, iscsi_unit_file_t, iscsi_var_run_t, 
isnsd_var_run_t, iwhd_log_t, iwhd_var_run_t, jetty_log_t, jetty_var_run_t, jockey_var_log_t, kadmind_log_t, kadmind_var_run_t, kdump_unit_file_t, keepalived_unit_file_t, keepalived_var_run_t, keystone_log_t, keystone_unit_file_t, keystone_var_run_t, kismet_log_t, kismet_var_run_t, klogd_var_run_t, kmscon_unit_file_t, krb5kdc_log_t, krb5kdc_var_run_t, ksmtuned_log_t, ksmtuned_unit_file_t, ksmtuned_var_run_t, ktalkd_log_t, ktalkd_unit_file_t, l2tpd_var_run_t, lastlog_t, lib_t, lircd_var_run_t, lldpad_var_run_t, locale_t, locate_var_run_t, logrotate_tmp_t, logrotate_var_lib_t, logwatch_var_run_t, lpd_var_run_t, lsassd_var_run_t, lsmd_unit_file_t, lsmd_var_run_t, lvm_unit_file_t, lvm_var_run_t, lwiod_var_run_t, lwregd_var_run_t, lwsmd_var_run_t, mailman_log_t, mailman_var_run_t, man_cache_t, man_t, mcelog_log_t, mcelog_var_run_t, mdadm_unit_file_t, mdadm_var_run_t, memcached_var_run_t, minidlna_log_t, minidlna_var_run_t, minissdpd_var_run_t, mip6d_unit_file_t, mirrormanager_log_t, mirrormanager_var_run_t, mock_var_run_t, modemmanager_unit_file_t, mon_statd_var_run_t, mongod_log_t, mongod_var_run_t, motion_log_t, motion_unit_file_t, motion_var_run_t, mount_var_run_t, mpd_log_t, mpd_var_run_t, mrtg_log_t, mrtg_var_run_t, mscan_var_run_t, munin_etc_t, munin_log_t, munin_var_run_t, mysqld_etc_t, mysqld_log_t, mysqld_unit_file_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, mythtv_var_log_t, naemon_log_t, naemon_var_run_t, nagios_log_t, nagios_var_run_t, named_cache_t, named_log_t, named_unit_file_t, named_var_run_t, net_conf_t, netlabel_mgmt_unit_file_t, netlogond_var_run_t, neutron_log_t, neutron_unit_file_t, neutron_var_run_t, nfsd_unit_file_t, ninfod_run_t, ninfod_unit_file_t, nis_unit_file_t, nmbd_var_run_t, nova_ajax_unit_file_t, nova_api_unit_file_t, nova_cert_unit_file_t, nova_compute_unit_file_t, nova_conductor_unit_file_t, nova_console_unit_file_t, nova_direct_unit_file_t, nova_log_t, nova_network_unit_file_t, nova_objectstore_unit_file_t, 
nova_scheduler_unit_file_t, nova_var_run_t, nova_vncproxy_unit_file_t, nova_volume_unit_file_t, nrpe_var_run_t, nscd_log_t, nscd_unit_file_t, nscd_var_run_t, nsd_var_run_t, nslcd_var_run_t, ntop_var_run_t, ntpd_log_t, ntpd_unit_file_t, ntpd_var_run_t, numad_unit_file_t, numad_var_log_t, numad_var_run_t, nut_unit_file_t, nut_var_run_t, nx_server_var_run_t, oddjob_unit_file_t, oddjob_var_run_t, openct_var_run_t, openhpid_var_run_t, openshift_log_t, openshift_var_lib_t, openshift_var_run_t, opensm_log_t, opensm_unit_file_t, openvpn_status_t, openvpn_var_log_t, openvpn_var_run_t, openvswitch_log_t, openvswitch_unit_file_t, openvswitch_var_run_t, openwsman_log_t, openwsman_run_t, openwsman_unit_file_t, osad_log_t, osad_var_run_t, pads_var_run_t, pam_var_console_t, pam_var_run_t, passenger_log_t, passenger_var_run_t, pcp_log_t, pcp_var_run_t, pcscd_var_run_t, pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, pesign_unit_file_t, pesign_var_run_t, phc2sys_unit_file_t, piranha_fos_var_run_t, piranha_log_t, piranha_lvs_var_run_t, piranha_pulse_var_run_t, piranha_web_var_run_t, pkcs_slotd_var_run_t, pki_ra_log_t, pki_ra_var_run_t, pki_tomcat_log_t, pki_tomcat_unit_file_t, pki_tomcat_var_run_t, pki_tps_log_t, pki_tps_var_run_t, plymouthd_var_log_t, plymouthd_var_run_t, policykit_var_run_t, polipo_log_t, polipo_pid_t, polipo_unit_file_t, portmap_var_run_t, portreserve_var_run_t, postfix_postdrop_t, postfix_var_run_t, postgresql_log_t, postgresql_var_run_t, postgrey_var_run_t, power_unit_file_t, pppd_log_t, pppd_unit_file_t, pppd_var_run_t, pptp_log_t, pptp_var_run_t, prelink_log_t, prelude_audisp_var_run_t, prelude_lml_var_run_t, prelude_log_t, prelude_var_run_t, privoxy_log_t, privoxy_var_run_t, proc_t, procmail_log_t, prosody_unit_file_t, prosody_var_run_t, psad_var_log_t, psad_var_run_t, ptal_var_run_t, ptp4l_unit_file_t, pulseaudio_var_run_t, puppet_log_t, puppet_var_run_t, pwauth_var_run_t, pyicqt_log_t, pyicqt_var_run_t, qdiskd_var_log_t, qdiskd_var_run_t, 
qemu_var_run_t, qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_unit_file_t, rabbitmq_var_log_t, rabbitmq_var_run_t, radiusd_log_t, radiusd_unit_file_t, radiusd_var_run_t, radvd_var_run_t, rasdaemon_unit_file_t, rdisc_unit_file_t, readahead_var_run_t, redis_log_t, redis_unit_file_t, redis_var_run_t, regex_milter_data_t, restorecond_var_run_t, rhev_agentd_log_t, rhev_agentd_unit_file_t, rhev_agentd_var_run_t, rhnsd_unit_file_t, rhnsd_var_run_t, rhsmcertd_log_t, rhsmcertd_var_run_t, ricci_modcluster_var_log_t, ricci_modcluster_var_run_t, ricci_var_log_t, ricci_var_run_t, rlogind_var_run_t, rngd_unit_file_t, rngd_var_run_t, rolekit_unit_file_t, root_t, roundup_var_run_t, rpcbind_var_run_t, rpcd_unit_file_t, rpcd_var_run_t, rpm_log_t, rpm_var_cache_t, rpm_var_run_t, rsync_log_t, rsync_var_run_t, rtas_errd_log_t, rtas_errd_unit_file_t, rtas_errd_var_run_t, samba_etc_t, samba_log_t, samba_unit_file_t, sanlock_log_t, sanlock_unit_file_t, sanlock_var_run_t, saslauthd_var_run_t, sblim_var_run_t, screen_var_run_t, sectool_var_log_t, security_t, sendmail_log_t, sendmail_var_run_t, sensord_log_t, sensord_unit_file_t, sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t, shell_exec_t, shorewall_log_t, slapd_log_t, slapd_unit_file_t, slapd_var_run_t, slpd_log_t, slpd_var_run_t, smbd_var_run_t, smokeping_var_run_t, smsd_log_t, smsd_var_run_t, snapperd_log_t, snmpd_log_t, snmpd_var_run_t, snort_log_t, snort_var_run_t, sosreport_var_run_t, soundd_var_run_t, spamass_milter_data_t, spamd_log_t, spamd_var_run_t, speech-dispatcher_log_t, speech-dispatcher_unit_file_t, squid_log_t, squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sshd_var_run_t, sssd_public_t, sssd_unit_file_t, sssd_var_log_t, sssd_var_run_t, stapserver_log_t, stapserver_var_run_t, stunnel_var_run_t, svnserve_unit_file_t, svnserve_var_run_t, swat_var_run_t, swift_unit_file_t, swift_var_run_t, sysfs_t, syslogd_var_run_t, sysstat_log_t, system_conf_t, 
system_cronjob_var_run_t, system_db_t, system_dbusd_var_run_t, systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, systemd_networkd_unit_file_t, systemd_networkd_var_run_t, systemd_passwd_var_run_t, systemd_runtime_unit_file_t, systemd_unit_file_t, systemd_vconsole_unit_file_t, telnetd_var_run_t, textrel_shlib_t, tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_var_run_t, thin_log_t, thin_var_run_t, timemaster_unit_file_t, timemaster_var_run_t, tmp_t, tomcat_log_t, tomcat_unit_file_t, tomcat_var_run_t, tor_unit_file_t, tor_var_log_t, tor_var_run_t, tuned_log_t, tuned_var_run_t, udev_var_run_t, ulogd_var_log_t, uml_switch_var_run_t, usbmuxd_unit_file_t, usbmuxd_var_run_t, user_home_dir_t, useradd_var_run_t, usr_t, uucpd_log_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, varnishd_var_run_t, varnishlog_log_t, varnishlog_var_run_t, vdagent_log_t, vdagent_var_run_t, vhostmd_var_run_t, virt_cache_t, virt_log_t, virt_lxc_var_run_t, virt_qemu_ga_log_t, virt_qemu_ga_var_run_t, virt_var_run_t, virtd_unit_file_t, vmtools_unit_file_t, vmware_host_pid_t, vmware_log_t, vmware_pid_t, vnstatd_var_run_t, vpnc_var_run_t, watchdog_log_t, watchdog_var_run_t, wdmd_var_run_t, winbind_log_t, winbind_var_run_t, wtmp_t, xdm_log_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_log_t, xend_var_run_t, xenstored_var_log_t, xenstored_var_run_t, xferlog_t, xserver_log_t, xserver_var_run_t, ypbind_unit_file_t, ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_log_t, zabbix_var_run_t, zarafa_deliver_log_t, zarafa_deliver_var_run_t, zarafa_gateway_log_t, zarafa_gateway_var_run_t, zarafa_ical_log_t, zarafa_ical_var_run_t, zarafa_indexer_log_t, zarafa_indexer_var_run_t, zarafa_monitor_log_t, zarafa_monitor_var_run_t, zarafa_server_log_t, zarafa_server_var_run_t, zarafa_spooler_log_t, zarafa_spooler_var_run_t, zebra_log_t, zebra_unit_file_t, 
zebra_var_run_t, zoneminder_log_t, zoneminder_unit_file_t, zoneminder_var_run_t. Then execute: restorecon -v '/var/cache/dnf' ***** Plugin catchall (1.44 confidence) suggests ************************** If you believe that logrotate should be allowed read access on the dnf directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep logrotate /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:logrotate_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:var_t:s0 Target Objects /var/cache/dnf [ dir ] Source logrotate Source Path logrotate Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-103.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64 Alert Count 5 First Seen 2014-12-19 20:06:01 CET Last Seen 2014-12-23 11:09:02 CET Local ID 17c3f239-ca34-43a5-bf7b-007759398fbf Raw Audit Messages type=AVC msg=audit(1419329342.120:781): avc: denied { read } for pid=8142 comm="logrotate" name="dnf" dev="sda6" ino=1181107 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0 Hash: logrotate,logrotate_t,var_t,dir,read The fix has not made it into a Fedora 21 package yet. Lucas can you get d4d825f5a15b46014f482ce7fede179b10af92e1 b955f9ec993f38d61dc42048d61ad425f7ea230a and 50113238bb5a4fb13fd9f7559b348203dc7327ea back ported into f21. Lucas also add a restorecon -R -v /var/cache/dnf to the post install script. Description of problem: I ran `touch /.autorelable` then rebooted several hours before this error happened. 
The machine was left unattended for some time after the reboot, but auto-login is enabled. Error was displayed on the lock screen when I returned to the machine.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info:
reporter: libreport-2.3.0
hashmarkername: setroubleshoot
kernel: 3.17.6-300.fc21.x86_64
type: libreport

SELinux is no longer preventing logrotate from read access on the directory /var/cache/dnf after I enabled repo updates-testing and updated selinux-policy-3.13.1-103.fc21. Now when I manually start logrotate, the output is as follows:

rotating pattern: /var/cache/dnf/*/*/hawkey.log  forced from command line (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/cache/dnf/x86_64/21/hawkey.log
  log needs rotating
rotating log /var/cache/dnf/x86_64/21/hawkey.log, log->rotateCount is 4
dateext suffix '-20141229'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
fscreate context set to system_u:object_r:rpm_var_cache_t:s0
renaming /var/cache/dnf/x86_64/21/hawkey.log to /var/cache/dnf/x86_64/21/hawkey.log-20141229
creating new /var/cache/dnf/x86_64/21/hawkey.log mode = 0600 uid = 0 gid = 0

I haven't seen any other issues with this testing SELinux update package yet.

Description of problem: Apparently when trying to open a .log file
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info:
reporter: libreport-2.3.0
hashmarkername: setroubleshoot
kernel: 3.17.6-300.fc21.x86_64
type: libreport

Today I got warnings from the logrotate execution:

error: error opening /var/cache/dnf/x86_64/21/hawkey.log: Permission denied

The configuration says "yearly", so I guess that is why I haven't got the message until today. However, I don't see any AVCs logged at the time. And DAC allows everyone to read the file. Could there be something dontaudited that confuses things?
This is with selinux-policy-targeted-3.13.1-103.fc21 plus a local module that does allow logrotate_t rpm_var_cache_t:dir read; I'll experiment a bit and see if I can figure out what I need to add to my local policy, but the absence of reported AVCs makes it a bit more complicated.

Why is hawkey.log under /var/cache/dnf? Shouldn't this be in /var/log?

That was my initial reaction too, but Jan Silhan explained why it is the way it is in bug 1149350, comment 1.

dnf log files should be in /var/log/dnf/

Should I report the logs in the wrong place as a separate bug? If they need to be separate they can be in /var/log/dnf/{subdir} and the subdir can be based on time, PID, whatever is needful. I see the reason they are separated, but they still could be in the right place. And if /var/log/dnf must be a file, then a /var/log/dnf-whatever directory could be used. People do things to preserve /var/log and shouldn't have to take special care with /var/lib just because someone wanted to put a log there.

(In reply to Bill Davidsen from comment #97)
> Should I report the logs in the wrong place as a separate bug?

No need yet, I'm reassigning this bug to my team for further evaluation.

In case anyone more than me wants log rotation right now, I believe these SELinux rules are enough. Probably they allow too much. But it's just an interim solution anyway, until we have a permanent solution.

rw_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
rename_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
create_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
setattr_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)

I changed hawkey C API to accept custom path to log file so dnf will set it as `/var/log/hawkey.log`. PR here: https://github.com/rpm-software-management/hawkey/pull/77

*** Bug 1175434 has been marked as a duplicate of this bug. ***
Description of problem: From a basic Workstation install with updates, it looks like this happened the next time logrotate ran after those updates. It looks like dnf keeps a hawkey.log file in /var/cache/dnf and logrotate is trying to rotate it.
Version-Release number of selected component: selinux-policy-3.13.1-99.fc21.noarch
Additional info:
reporter: libreport-2.3.0
hashmarkername: setroubleshoot
kernel: 3.17.6-300.fc21.x86_64
type: libreport

Sorry for delay. I added fixes to F21.

*** Bug 1178003 has been marked as a duplicate of this bug. ***

Could someone close this bug? I cannot see this bug anymore.
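The thread above shows two different situations behind the same "logrotate denied on /var/cache/dnf" symptom: a directory still labeled var_t after the upgrade (fixed by restorecon, as setroubleshoot's top suggestion says) and, once the label is correct, a genuine gap in the logrotate policy (the interim rw/rename/create/setattr rules). The following triage helper is an added example, not code from the bug report, dnf or selinux-policy: the first AVC line is the raw audit message quoted above, while the second AVC line and the expected-label table are constructed stand-ins (on a real host the default label comes from matchpathcon or the file_contexts database).

```python
"""Triage SELinux AVC denials: mislabeled target vs. genuine policy gap."""
import re
from dataclasses import dataclass

# Sample input. The first line is the raw audit message from the report;
# the second is a CONSTRUCTED denial as it would look after the directory
# had been relabeled to rpm_var_cache_t (the policy-gap case in the thread).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1419329342.120:781): avc:  denied  { read } for  pid=8142 '
    'comm="logrotate" name="dnf" dev="sda6" ino=1181107 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1419400000.000:900): avc:  denied  { read } for  pid=9001 '
    'comm="logrotate" name="dnf" dev="sda6" ino=1181107 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0',
]

# CONSTRUCTED stand-in for the file_contexts database (path -> default type).
EXPECTED_TYPE = {"/var/cache/dnf": "rpm_var_cache_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass
class Denial:
    perms: list
    comm: str
    stype: str   # type field of the source (process) context
    ttype: str   # type field of the target (object) context
    tclass: str


def parse_avc(line: str):
    """Return a Denial for an AVC 'denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return Denial(
        perms=m.group("perms").split(),
        comm=m.group("comm"),
        stype=m.group("scontext").split(":")[2],
        ttype=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
    )


def triage(line: str, path: str):
    """Classify a denial on `path` as a labeling problem or a policy gap.

    Returns (verdict, suggested_action). A relabel is suggested only when the
    target's current type differs from the default label for that path; in
    that case a local allow rule would grant access to the wrong type and
    mask the real problem, which is exactly the trap audit2allow invites here.
    """
    d = parse_avc(line)
    if d is None:
        return ("not-avc", "no action")
    expected = EXPECTED_TYPE.get(path)
    if expected and d.ttype != expected:
        return ("mislabeled",
                f"restorecon -R -v {path}  (is {d.ttype}, should be {expected})")
    return ("policy-gap",
            f"allow {d.stype} {d.ttype}:{d.tclass} {{ {' '.join(d.perms)} }}; "
            "report it as a policy bug rather than keeping a local module")
```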