Bug 1163438 - SELinux is preventing logrotate from 'read' accesses on the directory /var/cache/dnf.
Summary: SELinux is preventing logrotate from 'read' accesses on the directory /var/ca...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: 21
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Honza Silhan
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7b80e5f9b015f82176fa7743742...
Duplicates: 1173233 1173941 1173995 1178003
Depends On:
Blocks:
 
Reported: 2014-11-12 17:00 UTC by Ankur Sinha (FranciscoD)
Modified: 2015-05-20 13:38 UTC (History)
CC List: 133 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-20 13:18:55 UTC
Type: ---
Embargoed:



Description Ankur Sinha (FranciscoD) 2014-11-12 17:00:42 UTC
Description of problem:
SELinux is preventing logrotate from 'read' accesses on the directory /var/cache/dnf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that logrotate should be allowed read access on the dnf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-92.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.3-302.fc21.x86_64 #1 SMP Fri
                              Sep 26 14:27:20 UTC 2014 x86_64 x86_64
Alert Count                   2
First Seen                    2014-11-11 03:14:01 GMT
Last Seen                     2014-11-12 03:23:01 GMT
Local ID                      be676656-485c-44d5-a96b-fe72478ffba3

Raw Audit Messages
type=AVC msg=audit(1415762581.835:2453): avc:  denied  { read } for  pid=11897 comm="logrotate" name="dnf" dev="sda3" ino=281376 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0


Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.16.3-302.fc21.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2014-12-11 17:59:17 UTC
*** Bug 1173233 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2014-12-11 18:01:06 UTC
Does anyone know why logrotate needs to read the rpm_var_cache dir?

Comment 3 Christian Stadelmann 2014-12-12 11:53:18 UTC
Description of problem:
This happened somewhere in the background; I don't know when or how. I think it might have happened when running dnf as a non-privileged user.

# grep logrotate /var/log/audit/audit.log
type=AVC msg=audit(1418382361.816:491): avc:  denied  { read } for  pid=6456 comm="logrotate" name="dnf" dev="dm-0" ino=13252 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 4 Lukas Vrabec 2014-12-12 14:31:12 UTC
Thank you for your post. 
I'll also wait for the logrotate guys. If they confirm this, I'll add a dontaudit rule here.

Comment 5 Martin Horsley 2014-12-13 14:06:21 UTC
Description of problem:
Recent install of Fedora 21 Workstation. Not done much; installed Thunderbird, Keepassx. I ran yum update through muscle memory, maybe I should be running dnf?

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 6 antonio montagnani 2014-12-14 06:22:49 UTC
Description of problem:
no idea, just idling

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 7 Claude Frantz 2014-12-14 07:15:01 UTC
Description of problem:
Appears a short time after the system was started.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.i686+PAE
type:           libreport

Comment 8 Igor Gnatenko 2014-12-14 10:21:48 UTC
That's really weird. logrotate shouldn't use /var/cache/dnf for rotating logs!

Comment 9 Igor Gnatenko 2014-12-14 10:28:03 UTC
/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}


from /etc/logrotate.d/dnf

Comment 10 159024 2014-12-14 13:46:22 UTC
I have the same problem.

Description of problem:
SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.17.6-300.fc21.x86_64 #1 SMP Mon Dec 8
                              22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-14 14:31:02 CET
Last Seen                     2014-12-14 14:31:02 CET
Local ID                      a222f873-33d0-4a5b-87b1-17a758a1eaf9

Raw Audit Messages
type=AVC msg=audit(1418563862.85:509): avc:  denied  { read } for  pid=4548 comm="logrotate" name="dnf" dev="dm-1" ino=917797 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0


Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read

Comment 11 Vivien Malerba 2014-12-14 14:05:52 UTC
Description of problem:
No intervention on my part, it seems like a regular logrotate task.
I got the notification from within Gnome Shell.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 12 Phil Baker 2014-12-14 15:49:58 UTC
Description of problem:
User activity at the time of the alert: Browsing the web with Firefox, plus an active ssh session to a remote host. (a KVM guest running on the F21 host machine).  

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 13 James Cape 2014-12-14 16:07:01 UTC
Description of problem:
Showed up the next morning...

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 14 Henry Gebhardt 2014-12-14 16:23:26 UTC
Description of problem:
I upgraded to Fedora 21 workstation a few days ago. SELinux is preventing logrotate access to the folder /var/cache/dnf. I don't know much about SELinux, or this /var/cache/dnf directory. In any case, I got an SELinux Alert, and such an alert should not be generated by default.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 15 Quentin Haas 2014-12-14 18:20:24 UTC
Description of problem:
I was simply using Google Chrome to edit Google Docs, like I have many times before, and received notification of this

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 16 Gene Hightower 2014-12-14 18:22:26 UTC
Description of problem:
used fedup to install Twenty One

have logrotate run from cron

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 17 Quentin Haas 2014-12-14 18:39:37 UTC
(In reply to Quentin Haas from comment #15)
> Description of problem:
> I was simply using Google Chrome to edit Google Docs, like I have many times
> before, and received notification of this
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-99.fc21.noarch
> 
> Additional info:
> reporter:       libreport-2.3.0
> hashmarkername: setroubleshoot
> kernel:         3.17.6-300.fc21.x86_64
> type:           libreport

To add, I also used fedup to upgrade my Fedora 20 install to Fedora 21 a couple of days ago

Comment 18 Peter Gückel 2014-12-14 18:54:43 UTC
Description of problem:
I presume that cron is automatically running logrotate, since this error occurs every morning.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 19 Alexey I. Froloff 2014-12-14 19:30:57 UTC
Description of problem:
/etc/logrotate.d/dnf contains entry for /var/cache/dnf/*/*/hawkey.log

dnf-0.6.3-2.fc21.noarch
selinux-policy-targeted-3.13.1-99.fc21.noarch

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 20 BZ 2014-12-15 06:23:06 UTC
Description of problem:
SELinux complained that logrotate was trying to access /var/cache/dnf.
I haven't touched any settings involving logrotate or this file.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 21 Jan Kaluža 2014-12-15 06:57:53 UTC
This is caused by a change in the dnf package (Bug 1149350). I'm reassigning this to selinux-policy to add an SELinux rule to fix the AVC from Comment 10. If you think the logs should not be in /var/cache/, or if you have additional questions, please consult the "dnf" package maintainers.

Comment 22 Jan Kaluža 2014-12-15 06:58:14 UTC
*** Bug 1173995 has been marked as a duplicate of this bug. ***

Comment 23 Jan Kaluža 2014-12-15 06:58:15 UTC
*** Bug 1173941 has been marked as a duplicate of this bug. ***

Comment 24 Jan Kaluža 2014-12-15 07:00:53 UTC
As pointed out by Igor in Comment 9, the dnf logrotate configuration file contains the following:

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

So it tries to rotate any hawkey.log in /var/cache/dnf subdirectories' subdirectories :).
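
The reason that configuration turns into a `read` denial on the directory /var/cache/dnf itself, shown as an added example that is not part of the bug report, dnf or logrotate: every wildcard component in the glob can only be resolved by listing the directory that contains it, so `/var/cache/dnf/*/*/hawkey.log` forces a listing of /var/cache/dnf and of each of its subdirectories. The sandbox tree below (repo id, cache hash, hawkey.log) is a constructed stand-in for dnf's cache layout; `HAWKEY_PATTERN` is the pattern quoted from /etc/logrotate.d/dnf.

```python
"""Why rotating /var/cache/dnf/*/*/hawkey.log makes logrotate list /var/cache/dnf.

Added example; it is not part of the bug report, dnf, or logrotate.
"""
from __future__ import annotations

import glob
import os
import tempfile
from pathlib import Path, PurePosixPath

# Pattern taken from the /etc/logrotate.d/dnf block quoted in the report.
HAWKEY_PATTERN = "/var/cache/dnf/*/*/hawkey.log"


def dirs_needing_read(pattern: str) -> list[str]:
    """Return the directories that must be listed to expand `pattern`.

    A wildcard in a path component can only be resolved by reading (listing)
    the directory that contains it, which is exactly the `read` access on the
    `dir` /var/cache/dnf that the AVC in this report denies.  Literal
    components (hawkey.log) only need `search` on their parent.
    """
    parts = PurePosixPath(pattern).parts
    return [str(PurePosixPath(*parts[:i]))
            for i, part in enumerate(parts) if glob.has_magic(part)]


def expand_in_sandbox(pattern: str = HAWKEY_PATTERN) -> list[str]:
    """Build a throwaway tree shaped like dnf's cache and expand `pattern` in it.

    Returns the matches relative to the sandbox root, so the result does not
    depend on where the temporary directory lives.
    """
    rel = pattern.lstrip("/")  # 'var/cache/dnf/*/*/hawkey.log'
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "var", "cache", "dnf")
        # Constructed layout: <repo-id>/<cache-hash>/hawkey.log, two levels deep.
        for repo, cache_hash in (("fedora", "a1b2"), ("updates", "c3d4")):
            leaf = base / repo / cache_hash
            leaf.mkdir(parents=True)
            (leaf / "hawkey.log").write_text("constructed sample log line\n")
        # Decoy one level too shallow: the */*/ pattern must not pick it up.
        (base / "fedora" / "hawkey.log").write_text("decoy\n")
        matches = glob.glob(os.path.join(root, rel))
        return sorted(os.path.relpath(m, root) for m in matches)


if __name__ == "__main__":
    print("directories logrotate has to list:", dirs_needing_read(HAWKEY_PATTERN))
    print("files that would be rotated:", expand_in_sandbox())
```

`dirs_needing_read` returns `/var/cache/dnf` and `/var/cache/dnf/*`, i.e. the cache root plus every repository directory under it; those are the directories the logrotate_t domain needs `read` on, and the first of them is the target object in every AVC quoted in this bug.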

Comment 25 Zdenek Chmelar 2014-12-15 08:15:26 UTC
Description of problem:
This error just pops up automatically due to background activities, not due to activity caused by users.
Logrotate wants to read cache of dnf.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 26 Lukas Vrabec 2014-12-15 10:09:06 UTC
commit 8c58acae64e5f8f41d5ea01b9a11ad25e0da3802
Author: Lukas Vrabec <lvrabec>
Date:   Mon Dec 15 05:06:23 2014 -0500

    Allow logrotate to read hawkey.log in /var/cache/dnf/ BZ(1163438)

Comment 27 amturnip 2014-12-15 10:34:48 UTC
Description of problem:
Fedora 21 told me with an alert that SELinux forbade logrotate to do something.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 28 Stefano Cavallari 2014-12-15 10:36:29 UTC
Description of problem:
Upgraded to F21 (nonproduct, KDE) from F20
At first boot, after some time I got this warning from selinux.
I tried "restorecon" just in case the directory was mislabeled for some reason:

# restorecon -Rv /var/cache/dnf/
#

but as you can see it did not change anything

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-302.fc21.x86_64
type:           libreport

Comment 29 Milan Kerslager 2014-12-15 11:09:10 UTC
Description of problem:
I did nothing, just had the system up and running.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 30 Ram 2014-12-15 11:58:39 UTC
Description of problem:
I got this error without triggering anything, all I know is that the system was idle for more than an hour, with firefox and Software opened. If this keeps repeating, I would be glad to help you with it.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.i686
type:           libreport

Comment 31 cambrant 2014-12-15 12:18:01 UTC
Description of problem:
No interaction needed to reproduce this bug on my system. When logrotate runs from cron, the enclosed warning appears.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 32 Fedora Update System 2014-12-15 13:04:43 UTC
selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21

Comment 33 Bill Gianopoulos 2014-12-15 14:53:37 UTC
Description of problem:
This just occurred when logrotate tried to do its thing because of the crontab entry.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.i686
type:           libreport

Comment 34 Frederic Rey 2014-12-15 14:56:40 UTC
Description of problem:
I was trying to fix a problem with VLC Player(RPM Fusion), I configured it so it can use a skin but it didn't work, probably an outdated skin file. I was creating/removing archives/files in the folder: /usr/share/vlc/skins2, the problem appeared during the process

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 35 marcelo 2014-12-15 17:47:37 UTC
Description of problem:
This alert appears after launching qbittorrent, precisely when the data exchange in that program began.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 36 Maciej Kycler 2014-12-15 18:36:34 UTC
Description of problem:
A notification about error appeared during browsing internet with Google Chrome.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 37 Laurent Wandrebeck 2014-12-15 20:14:21 UTC
Description of problem:
just wait for logrotate to kick in.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 38 Matthieu Gautier 2014-12-15 20:18:21 UTC
Description of problem:
Nothing done especially.

logrotate run automatically.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 39 Colin J Thomson 2014-12-15 21:01:05 UTC
(In reply to Fedora Update System from comment #32)
> selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21

This fixes it for me, karma left.

Comment 40 Lukas Slebodnik 2014-12-15 21:15:13 UTC
(In reply to Colin J Thomson from comment #39)
> (In reply to Fedora Update System from comment #32)
> > selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> > https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21
> 
> This fixes it for me, karma left.

The same for me.
Karma +1

Comment 41 deadrat 2014-12-15 22:18:02 UTC
Description of problem:
Was just installing a game called robocraft in steam

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 42 Mike Simms 2014-12-15 23:31:57 UTC
(In reply to Lukas Slebodnik from comment #40)
> (In reply to Colin J Thomson from comment #39)
> > (In reply to Fedora Update System from comment #32)
> > > selinux-policy-3.13.1-103.fc21 has been submitted as an update for Fedora 21.
> > > https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-103.fc21
> > 
> > This fixes it for me, karma left.
> 
> The same for me.
> Karma +1

I'll just add that I believe the same. Since restarting after install at 17:54 GMT there were no error messages from SE Linux. For one hour I restarted with a Live DVD to test something else between 21:20 and 22:20. I think the preceding 3 hours 25 minutes gave enough time for the scheduled task to complete which has been causing the error message.

Comment 43 lux 2014-12-16 03:44:38 UTC
Description of problem:
dnf update

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 44 Mathieu Bridon 2014-12-16 09:23:17 UTC
Description of problem:
I did nothing.

This problem occurs on its own from time to time, I guess when logrotate tries to rotate the dnf logs...

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 45 Karel Volný 2014-12-16 10:05:19 UTC
Description of problem:
I believe logrotate should be allowed access, as /etc/logrotate.d/dnf includes this record:

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

so it is expected to crawl under /var/cache ...

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-302.fc21.x86_64
type:           libreport

Comment 46 Jeff Layton 2014-12-16 12:13:37 UTC
Description of problem:
Just saw it pop up in the tray icon.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 47 mhhwhitney 2014-12-16 13:13:00 UTC
Description of problem:
SELinux warning produced when logrotate attempts regular rotation of logs in dnf cache directory.  This is the default configuration of logrotate and SELinux as far as I know.  

Relevant block from /etc/logrotate.d/dnf :

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

Steps to reproduce:
- Verify that both SELinux and logrotate are installed in default configuration. (In my case, upgrade from Fedora 20.)
- Wait for logrotate to check for hawkey logs inside /var/cache/dnf dir... 

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 48 Raffael Luthiger 2014-12-16 14:51:09 UTC
Description of problem:
If this is about logrotate, there is nothing that I as a user did at this time.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 49 Victor Rehorst 2014-12-16 15:43:52 UTC
Description of problem:
Didn't do anything.  Just popped up in the middle of my session.  I guess logrotate + dnf are not SELinux aware.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 50 Robert Hancock 2014-12-16 17:19:42 UTC
Description of problem:
Happening after fedup upgrade from Fedora 20.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 51 antonio montagnani 2014-12-16 18:20:16 UTC
I confirm comment #40 and comment #42, selinux-policy-3.13.1-103.fc21.noarch fixes the bug.

Tnx

Comment 52 Ejner Fergo 2014-12-16 21:34:01 UTC
Description of problem:
I got notified of this by SELinux Alert Browser:
logrotate wants read access in /var/cache/dnf

Happened after system update today

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 53 hellishglare 2014-12-16 22:59:23 UTC
Description of problem:
My laptop woke up from standby and I saw the SELinux Alert.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 54 Nathan Ell 2014-12-17 01:45:17 UTC
Description of problem:
I was using Google Chrome to listen to some music while programming in C in vim in gnome-terminal when I received a notification via the Gnome Shell that this SELinux alert occurred. I was not using dnf, nor have I used dnf. I turned my computer on not long ago and did check for updates via yum but there were none reported, with my last check yesterday. I have not encountered this issue previously, nor do I know the root cause of this SELinux alert.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 55 Fedora Update System 2014-12-17 04:40:29 UTC
Package selinux-policy-3.13.1-103.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-103.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-17044/selinux-policy-3.13.1-103.fc21
then log in and leave karma (feedback).

Comment 56 Benjamin Kircher 2014-12-17 09:20:23 UTC
Description of problem:
I don't know if logrotate should get access to /var/cache/dnf actually, but I regularly get a SELinux alert since some of the latest F21 updates (a few days ago).

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 57 Jaroslav Škarvada 2014-12-17 09:21:10 UTC
Description of problem:
triggered by cron

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 58 Ram 2014-12-17 10:36:24 UTC
Description of problem:
Popped up all of a sudden!
Firefox, Anjuta and file manager are opened!

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.i686
type:           libreport

Comment 59 klaus 2014-12-17 11:09:31 UTC
Description of problem:
I just did write a job application letter in libreoffice writer, when the selinux message appeared. 

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.1-302.fc21.x86_64
type:           libreport

Comment 60 Subhendu Ghosh 2014-12-17 16:32:17 UTC
I am wondering why we need an SELinux policy fix here.

Should there be log files under /var/cache/dnf/* at all? 

Shouldn't the packaging policy mandate that log file be maintained in /var/log/* ?

Comment 61 Lukas Slebodnik 2014-12-17 16:48:38 UTC
(In reply to Subhendu Ghosh from comment #60)
> I am wondering why we need an SELinux policy fix here.
> 
> Should there be log files under /var/cache/dnf/* at all? 
>
I don't like it either.
 
> Shouldn't the packaging policy mandate that log file be maintained in
> /var/log/* ?
You can try to reopen BZ1149350. It was closed as not a bug.

Comment 62 Branko Grubić 2014-12-17 16:55:20 UTC
It happened for me a few days ago, and now with the updated 'selinux-policy'

type=AVC msg=audit(1418834043.147:466): avc:  denied  { read } for  pid=3519 comm="logrotate" name="dnf" dev="dm-1" ino=2628754 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0

selinux-policy-3.13.1-103.fc21.noarch

Do I need just to relabel /var/cache/dnf? (restorecon...)
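
The two kinds of denial in this thread look alike in the desktop alert but need different fixes, so here is an added example (not part of the report or of setroubleshoot) that parses raw AVC records into the same `Hash:` tuple setroubleshoot prints and triages them the way the thread does: a `read` denial on the `dir` /var/cache/dnf whose target type is `rpm_var_cache_t` is the policy gap closed by selinux-policy-3.13.1-103.fc21, while the same denial against `var_t` after that update (this comment) means the directory is carrying the generic label and needs the relabel from comment 73. The sample input is the three AVC lines quoted in this bug plus one constructed non-AVC audit record; the `triage` rules and the `AvcDenial` type are mine.

```python
"""Parse and triage the AVC denials quoted in this report.

Added example; not part of the bug report or of setroubleshoot.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One audit(1.2) AVC record: "avc:  denied  { perms } for  pid=... comm=... ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

# Three raw AVC lines quoted in this bug (description, comment 62, comment 63)
# plus one constructed SYSCALL record that the parser must skip.
SAMPLE_LINES = [
    'type=AVC msg=audit(1415762581.835:2453): avc:  denied  { read } for  pid=11897 comm="logrotate" name="dnf" dev="sda3" ino=281376 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1418834043.147:466): avc:  denied  { read } for  pid=3519 comm="logrotate" name="dnf" dev="dm-1" ino=2628754 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1418848022.525:452): avc:  denied  { read } for  pid=3048 comm="logrotate" name="dnf" dev="dm-1" ino=667428 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1415762581.835:2453): arch=c000003e syscall=257 success=no exit=-13',  # constructed
]


@dataclass(frozen=True)
class AvcDenial:
    timestamp: float
    serial: int
    pid: int
    comm: str
    perms: tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    enforcing: bool

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]  # user:role:type:range -> type

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def hash_key(self) -> str:
        """comm,source type,target type,class,perm: the 'Hash:' line setroubleshoot
        prints for single-permission denials and groups alerts by."""
        return ",".join([self.comm, self.source_type, self.target_type,
                         self.tclass, " ".join(self.perms)])


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial in an audit line, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return AvcDenial(
        timestamp=float(m["ts"]), serial=int(m["serial"]), pid=int(m["pid"]),
        comm=m["comm"], perms=tuple(m["perms"].split()),
        scontext=m["scontext"], tcontext=m["tcontext"], tclass=m["tclass"],
        # No permissive= field means an older kernel; treat it as enforcing.
        enforcing=m["permissive"] != "1",
    )


def triage(d: AvcDenial) -> str:
    """Map a logrotate-vs-dnf-cache denial to the fix this thread settled on."""
    if d.comm == "logrotate" and d.tclass == "dir" and "read" in d.perms:
        if d.target_type == "rpm_var_cache_t":
            return "policy gap: fixed by selinux-policy-3.13.1-103.fc21 (this bug)"
        if d.target_type == "var_t":
            return ("mislabel: /var/cache/dnf carries the generic var_t label; "
                    "relabel with restorecon -R -v /var/cache (comment 73)")
    return "unclassified"


def summarize(lines: list[str]) -> dict[str, int]:
    """Count denials per setroubleshoot hash, ignoring non-AVC audit records."""
    counts: Counter[str] = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            counts[d.hash_key()] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = parse_avc(line)
        if d:
            print(d.hash_key(), "->", triage(d))
    print(summarize(SAMPLE_LINES))
```

Fed the lines from `grep logrotate /var/log/audit/audit.log`, the first and third records collapse to the hash `logrotate,logrotate_t,rpm_var_cache_t,dir,read` printed in the description, while the record from this comment produces a distinct `var_t` hash; keying on the target type rather than on the path is what tells a policy gap apart from a mislabeled directory.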

Comment 63 Tomas Lagren 2014-12-17 21:15:53 UTC
Description of problem:
Newly installed Fedora 21, no special config at all. It feels like a default policy isn't correctly configured and should be corrected so it doesn't give new users "strange" messages.

[root@ynos ~]# rpm -qa dnf*
dnf-plugins-core-0.1.4-1.fc21.noarch
dnf-0.6.3-2.fc21.noarch
[root@ynos ~]# 
[root@ynos ~]# cat /etc/logrotate.d/dnf 
/var/log/dnf.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.rpm.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/log/dnf.plugin.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}

/var/cache/dnf/*/*/hawkey.log {
    missingok
    notifempty
    size 30k
    yearly
    create 0600 root root
}


Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_cache_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-99.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux ynos.lagren.com 3.17.6-300.fc21.x86_64 #1
                              SMP Mon Dec 8 22:29:32 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-12-17 21:27:02 CET
Last Seen                     2014-12-17 21:27:02 CET
Local ID                      925aa451-506e-4416-88df-8fa5987e0ff0

Raw Audit Messages
type=AVC msg=audit(1418848022.525:452): avc:  denied  { read } for  pid=3048 comm="logrotate" name="dnf" dev="dm-1" ino=667428 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0


Hash: logrotate,logrotate_t,rpm_var_cache_t,dir,read


/Tomas

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 64 Charles Tryon 2014-12-17 22:37:25 UTC
Description of problem:
(Not sure how to reproduce this.  Came up with the log rotate action.)

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 65 Fedora Update System 2014-12-18 06:04:43 UTC
selinux-policy-3.13.1-103.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 66 Berend De Schouwer 2014-12-18 08:27:19 UTC
Description of problem:
logrotate runs regularly in the cron.  It needs access to various files and directories to clean up old logs.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 67 Paolo Antinori 2014-12-18 08:31:37 UTC
Description of problem:
This happens after a "dnf update" operation. Not sure if SElinux should allow this interaction.

Please review.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 68 tuxor 2014-12-18 09:08:21 UTC
Description of problem:
I have no idea, what caused this, the notification just appeared out of nowhere.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 69 Terry A. Hurlbut 2014-12-18 10:35:29 UTC
Description of problem:
Program executed automatically as I was away from my console. But this has never happened before. I recently upgraded from F20 -> F21.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 70 D.S. Ljungmark 2014-12-18 11:04:40 UTC
Description of problem:
Selinux denials in my happy little Fedora 21 world.

Looks to be logrotate that misses something wrt. dnf

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 71 Benjamin Kircher 2014-12-18 13:29:30 UTC
Fixed with latest updates. Thank you.

Comment 72 Vincent Gerard 2014-12-18 16:47:31 UTC
Description of problem:
I upgraded from F20 using fedup and --product=nonproduct and used dnf a bit while in Fedora 20 (never used it in F21)

This logrotate is configured by the distribution, so I believe that this SELinux error should not happen. (I see it almost every day)

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 73 Daniel Walsh 2014-12-18 19:09:13 UTC
restorecon -R -v /var/cache

Should clear it up.

Comment 74 robert.burns 2014-12-19 04:10:19 UTC
Description of problem:
It just popped up.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 75 Akbar Mohammed 2014-12-19 06:04:06 UTC
Description of problem:
I'm unaware of the trigger, this mostly pops up a few minutes after logging into the system.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 76 Berend De Schouwer 2014-12-19 08:18:44 UTC
Logrotate runs in the cron.  It will also trigger on reboot (anacron).  Therefore you'll see the warning shortly after boot/login.

You can run it manually using:
sudo logrotate -f /etc/logrotate.conf -d

That should trigger your warning.  If it doesn't trigger, try without -d:
sudo logrotate -f /etc/logrotate.conf

and, as Daniel said, try:
restorecon -R -v /var/cache

then try logrotate again.

Comment 77 Bernardo Donadio 2014-12-19 09:11:02 UTC
Description of problem:
No action on my behalf triggered this bug, it's a default Fedora cron execution.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64
type:           libreport

Comment 78 Daniel Demus 2014-12-19 09:32:10 UTC
Description of problem:
I assume logrotate started as a scheduled task in the background.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 79 Erwan Legrand 2014-12-19 10:44:50 UTC
Description of problem:
Upgrade to Fedora 21 from Fedora 20 and SELinux will complain that logrotate attempts to access files in /var/cache/dnf.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 80 Clint Savage 2014-12-19 16:40:36 UTC
Description of problem:
AVC happened likely when updating. However, the policy appears broken.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 81 Alejandro Galvis 2014-12-19 23:16:27 UTC
Description of problem:
I have no idea how this problem happened, I was just browsing in Mozilla and the error notice appeared.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.i686
type:           libreport

Comment 82 Nathan Ell 2014-12-20 15:16:16 UTC
Ran sudo restorecon -R -v /var/cache. Then, sudo logrotate -f /etc/logrotate.conf -d with or without -d did not produce the problem. Appears to be fixed now. Thank you all.

Comment 83 Jan Dostál 2014-12-20 16:04:47 UTC
Description of problem:
This problem occurred after an upgrade to Fedora 21
After the upgrade it is not possible to update or uninstall applications

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.i686+PAE
type:           libreport

Comment 84 Daniel Demus 2014-12-22 08:16:13 UTC
Description of problem:
Login to gnome

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 85 Jim Haynes 2014-12-22 22:35:17 UTC
Description of problem:
I don't know.  Am running a yumex update right now and it happens to be working on
selinux policy targeted

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.i686
type:           libreport

Comment 86 czerny.jakub 2014-12-23 10:29:10 UTC
Please reopen the bug. It happened to me again with
selinux-policy-3.13.1-103.fc21.noarch
kernel-3.17.7-300.fc21.x86_64
logrotate-3.8.7-4.fc21.x86_64

-----------------------------------

SELinux is preventing logrotate from read access on the directory /var/cache/dnf.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label. 
/var/cache/dnf default label should be rpm_var_cache_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/cache/dnf

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow logrotate to have read access on the dnf directory
Then you need to change the label on /var/cache/dnf
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/dnf'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_unit_file_t, NetworkManager_var_run_t, abrt_unit_file_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_unit_file_t, acct_data_t, admin_home_t, afs_logfile_t, aiccu_var_run_t, aide_log_t, ajaxterm_var_run_t, alsa_unit_file_t, alsa_var_run_t, amanda_log_t, amanda_unit_file_t, antivirus_log_t, antivirus_unit_file_t, antivirus_var_run_t, apcupsd_log_t, apcupsd_unit_file_t, apcupsd_var_run_t, apmd_log_t, apmd_unit_file_t, apmd_var_run_t, arpwatch_unit_file_t, arpwatch_var_run_t, asterisk_log_t, asterisk_var_run_t, audisp_var_run_t, auditd_unit_file_t, auditd_var_run_t, auth_cache_t, automount_unit_file_t, automount_var_run_t, avahi_unit_file_t, avahi_var_run_t, bacula_log_t, bacula_var_run_t, bcfg2_unit_file_t, bcfg2_var_run_t, bin_t, bitlbee_log_t, bitlbee_var_run_t, blktap_var_run_t, blueman_var_run_t, bluetooth_unit_file_t, bluetooth_var_run_t, boinc_log_t, boinc_unit_file_t, boot_t, bootloader_var_run_t, brltty_unit_file_t, brltty_var_run_t, bumblebee_unit_file_t, bumblebee_var_run_t, cachefilesd_var_run_t, calamaris_log_t, callweaver_log_t, callweaver_var_run_t, canna_log_t, canna_var_run_t, cardmgr_var_run_t, ccs_var_lib_t, ccs_var_log_t, ccs_var_run_t, cert_t, certmaster_var_log_t, certmaster_var_run_t, certmonger_var_run_t, cfengine_log_t, cgred_log_t, cgred_var_run_t, cgroup_t, checkpc_log_t, chronyd_unit_file_t, chronyd_var_log_t, chronyd_var_run_t, cinder_api_unit_file_t, cinder_backup_unit_file_t, cinder_log_t, cinder_scheduler_unit_file_t, cinder_var_run_t, cinder_volume_unit_file_t, clogd_var_run_t, cloud_init_unit_file_t, cloud_log_t, cluster_unit_file_t, cluster_var_log_t, cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t, cobbler_var_log_t, cockpit_unit_file_t, collectd_unit_file_t, collectd_var_run_t, colord_unit_file_t, comsat_var_run_t, condor_log_t, condor_unit_file_t, condor_var_run_t, conman_log_t, conman_unit_file_t, conman_var_run_t, 
consolekit_log_t, consolekit_unit_file_t, consolekit_var_run_t, couchdb_log_t, couchdb_unit_file_t, couchdb_var_run_t, courier_var_run_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_log_t, cron_var_run_t, crond_unit_file_t, crond_var_run_t, ctdbd_log_t, ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_log_t, cupsd_lpd_var_run_t, cupsd_unit_file_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_log_t, cyphesis_var_run_t, cyrus_var_run_t, dbskkd_var_run_t, dbusd_etc_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t, dcerpcd_var_run_t, ddclient_log_t, ddclient_var_run_t, deltacloudd_log_t, deltacloudd_var_run_t, denyhosts_var_log_t, device_t, devicekit_var_log_t, devicekit_var_run_t, dhcpc_var_run_t, dhcpd_unit_file_t, dhcpd_var_run_t, dictd_var_run_t, dirsrv_snmp_var_log_t, dirsrv_snmp_var_run_t, dirsrv_var_log_t, dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_log_t, dlm_controld_var_run_t, dnsmasq_unit_file_t, dnsmasq_var_log_t, dnsmasq_var_run_t, dnssec_trigger_var_run_t, docker_log_t, docker_unit_file_t, docker_var_run_t, dovecot_var_log_t, dovecot_var_run_t, dspam_log_t, dspam_var_run_t, entropyd_var_run_t, etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_log_t, evtchnd_var_run_t, exim_log_t, exim_var_run_t, fail2ban_log_t, fail2ban_var_run_t, faillog_t, fcoemon_var_run_t, fenced_var_log_t, fenced_var_run_t, fetchmail_log_t, fetchmail_var_run_t, file_context_t, fingerd_log_t, fingerd_var_run_t, firewalld_unit_file_t, firewalld_var_log_t, firewalld_var_run_t, foghorn_var_log_t, foghorn_var_run_t, fonts_cache_t, fonts_t, freeipmi_bmc_watchdog_unit_file_t, freeipmi_bmc_watchdog_var_run_t, freeipmi_ipmidetectd_unit_file_t, freeipmi_ipmidetectd_var_run_t, freeipmi_ipmiseld_unit_file_t, freeipmi_ipmiseld_var_run_t, fsadm_log_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_unit_file_t, ftpd_var_run_t, games_srv_var_run_t, gdomap_var_run_t, gear_log_t, gear_unit_file_t, gear_var_run_t, getty_log_t, getty_unit_file_t, getty_var_run_t, 
gfs_controld_var_log_t, gfs_controld_var_run_t, glance_api_unit_file_t, glance_log_t, glance_registry_unit_file_t, glance_scrubber_unit_file_t, glance_var_run_t, glusterd_log_t, glusterd_var_run_t, gpm_var_run_t, gpsd_var_run_t, greylist_milter_data_t, groupd_var_log_t, groupd_var_run_t, gssproxy_unit_file_t, gssproxy_var_run_t, haproxy_unit_file_t, haproxy_var_log_t, haproxy_var_run_t, httpd_config_t, httpd_log_t, httpd_sys_rw_content_t, httpd_unit_file_t, httpd_var_run_t, hwdata_t, hypervkvp_unit_file_t, hypervvssd_unit_file_t, icecast_log_t, icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t, inetd_log_t, inetd_var_run_t, init_var_run_t, initrc_var_log_t, initrc_var_run_t, innd_log_t, innd_var_run_t, insmod_var_run_t, iodined_unit_file_t, ipa_otpd_unit_file_t, ipsec_log_t, ipsec_mgmt_unit_file_t, ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_unit_file_t, iptables_var_run_t, irqbalance_var_run_t, iscsi_log_t, iscsi_unit_file_t, iscsi_var_run_t, isnsd_var_run_t, iwhd_log_t, iwhd_var_run_t, jetty_log_t, jetty_var_run_t, jockey_var_log_t, kadmind_log_t, kadmind_var_run_t, kdump_unit_file_t, keepalived_unit_file_t, keepalived_var_run_t, keystone_log_t, keystone_unit_file_t, keystone_var_run_t, kismet_log_t, kismet_var_run_t, klogd_var_run_t, kmscon_unit_file_t, krb5kdc_log_t, krb5kdc_var_run_t, ksmtuned_log_t, ksmtuned_unit_file_t, ksmtuned_var_run_t, ktalkd_log_t, ktalkd_unit_file_t, l2tpd_var_run_t, lastlog_t, lib_t, lircd_var_run_t, lldpad_var_run_t, locale_t, locate_var_run_t, logrotate_tmp_t, logrotate_var_lib_t, logwatch_var_run_t, lpd_var_run_t, lsassd_var_run_t, lsmd_unit_file_t, lsmd_var_run_t, lvm_unit_file_t, lvm_var_run_t, lwiod_var_run_t, lwregd_var_run_t, lwsmd_var_run_t, mailman_log_t, mailman_var_run_t, man_cache_t, man_t, mcelog_log_t, mcelog_var_run_t, mdadm_unit_file_t, mdadm_var_run_t, memcached_var_run_t, minidlna_log_t, minidlna_var_run_t, minissdpd_var_run_t, mip6d_unit_file_t, mirrormanager_log_t, mirrormanager_var_run_t, 
mock_var_run_t, modemmanager_unit_file_t, mon_statd_var_run_t, mongod_log_t, mongod_var_run_t, motion_log_t, motion_unit_file_t, motion_var_run_t, mount_var_run_t, mpd_log_t, mpd_var_run_t, mrtg_log_t, mrtg_var_run_t, mscan_var_run_t, munin_etc_t, munin_log_t, munin_var_run_t, mysqld_etc_t, mysqld_log_t, mysqld_unit_file_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, mythtv_var_log_t, naemon_log_t, naemon_var_run_t, nagios_log_t, nagios_var_run_t, named_cache_t, named_log_t, named_unit_file_t, named_var_run_t, net_conf_t, netlabel_mgmt_unit_file_t, netlogond_var_run_t, neutron_log_t, neutron_unit_file_t, neutron_var_run_t, nfsd_unit_file_t, ninfod_run_t, ninfod_unit_file_t, nis_unit_file_t, nmbd_var_run_t, nova_ajax_unit_file_t, nova_api_unit_file_t, nova_cert_unit_file_t, nova_compute_unit_file_t, nova_conductor_unit_file_t, nova_console_unit_file_t, nova_direct_unit_file_t, nova_log_t, nova_network_unit_file_t, nova_objectstore_unit_file_t, nova_scheduler_unit_file_t, nova_var_run_t, nova_vncproxy_unit_file_t, nova_volume_unit_file_t, nrpe_var_run_t, nscd_log_t, nscd_unit_file_t, nscd_var_run_t, nsd_var_run_t, nslcd_var_run_t, ntop_var_run_t, ntpd_log_t, ntpd_unit_file_t, ntpd_var_run_t, numad_unit_file_t, numad_var_log_t, numad_var_run_t, nut_unit_file_t, nut_var_run_t, nx_server_var_run_t, oddjob_unit_file_t, oddjob_var_run_t, openct_var_run_t, openhpid_var_run_t, openshift_log_t, openshift_var_lib_t, openshift_var_run_t, opensm_log_t, opensm_unit_file_t, openvpn_status_t, openvpn_var_log_t, openvpn_var_run_t, openvswitch_log_t, openvswitch_unit_file_t, openvswitch_var_run_t, openwsman_log_t, openwsman_run_t, openwsman_unit_file_t, osad_log_t, osad_var_run_t, pads_var_run_t, pam_var_console_t, pam_var_run_t, passenger_log_t, passenger_var_run_t, pcp_log_t, pcp_var_run_t, pcscd_var_run_t, pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, pesign_unit_file_t, pesign_var_run_t, phc2sys_unit_file_t, piranha_fos_var_run_t, piranha_log_t, piranha_lvs_var_run_t, 
piranha_pulse_var_run_t, piranha_web_var_run_t, pkcs_slotd_var_run_t, pki_ra_log_t, pki_ra_var_run_t, pki_tomcat_log_t, pki_tomcat_unit_file_t, pki_tomcat_var_run_t, pki_tps_log_t, pki_tps_var_run_t, plymouthd_var_log_t, plymouthd_var_run_t, policykit_var_run_t, polipo_log_t, polipo_pid_t, polipo_unit_file_t, portmap_var_run_t, portreserve_var_run_t, postfix_postdrop_t, postfix_var_run_t, postgresql_log_t, postgresql_var_run_t, postgrey_var_run_t, power_unit_file_t, pppd_log_t, pppd_unit_file_t, pppd_var_run_t, pptp_log_t, pptp_var_run_t, prelink_log_t, prelude_audisp_var_run_t, prelude_lml_var_run_t, prelude_log_t, prelude_var_run_t, privoxy_log_t, privoxy_var_run_t, proc_t, procmail_log_t, prosody_unit_file_t, prosody_var_run_t, psad_var_log_t, psad_var_run_t, ptal_var_run_t, ptp4l_unit_file_t, pulseaudio_var_run_t, puppet_log_t, puppet_var_run_t, pwauth_var_run_t, pyicqt_log_t, pyicqt_var_run_t, qdiskd_var_log_t, qdiskd_var_run_t, qemu_var_run_t, qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_unit_file_t, rabbitmq_var_log_t, rabbitmq_var_run_t, radiusd_log_t, radiusd_unit_file_t, radiusd_var_run_t, radvd_var_run_t, rasdaemon_unit_file_t, rdisc_unit_file_t, readahead_var_run_t, redis_log_t, redis_unit_file_t, redis_var_run_t, regex_milter_data_t, restorecond_var_run_t, rhev_agentd_log_t, rhev_agentd_unit_file_t, rhev_agentd_var_run_t, rhnsd_unit_file_t, rhnsd_var_run_t, rhsmcertd_log_t, rhsmcertd_var_run_t, ricci_modcluster_var_log_t, ricci_modcluster_var_run_t, ricci_var_log_t, ricci_var_run_t, rlogind_var_run_t, rngd_unit_file_t, rngd_var_run_t, rolekit_unit_file_t, root_t, roundup_var_run_t, rpcbind_var_run_t, rpcd_unit_file_t, rpcd_var_run_t, rpm_log_t, rpm_var_cache_t, rpm_var_run_t, rsync_log_t, rsync_var_run_t, rtas_errd_log_t, rtas_errd_unit_file_t, rtas_errd_var_run_t, samba_etc_t, samba_log_t, samba_unit_file_t, sanlock_log_t, sanlock_unit_file_t, sanlock_var_run_t, saslauthd_var_run_t, sblim_var_run_t, screen_var_run_t, sectool_var_log_t, security_t, 
sendmail_log_t, sendmail_var_run_t, sensord_log_t, sensord_unit_file_t, sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t, shell_exec_t, shorewall_log_t, slapd_log_t, slapd_unit_file_t, slapd_var_run_t, slpd_log_t, slpd_var_run_t, smbd_var_run_t, smokeping_var_run_t, smsd_log_t, smsd_var_run_t, snapperd_log_t, snmpd_log_t, snmpd_var_run_t, snort_log_t, snort_var_run_t, sosreport_var_run_t, soundd_var_run_t, spamass_milter_data_t, spamd_log_t, spamd_var_run_t, speech-dispatcher_log_t, speech-dispatcher_unit_file_t, squid_log_t, squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_keygen_unit_file_t, sshd_unit_file_t, sshd_var_run_t, sssd_public_t, sssd_unit_file_t, sssd_var_log_t, sssd_var_run_t, stapserver_log_t, stapserver_var_run_t, stunnel_var_run_t, svnserve_unit_file_t, svnserve_var_run_t, swat_var_run_t, swift_unit_file_t, swift_var_run_t, sysfs_t, syslogd_var_run_t, sysstat_log_t, system_conf_t, system_cronjob_var_run_t, system_db_t, system_dbusd_var_run_t, systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, systemd_networkd_unit_file_t, systemd_networkd_var_run_t, systemd_passwd_var_run_t, systemd_runtime_unit_file_t, systemd_unit_file_t, systemd_vconsole_unit_file_t, telnetd_var_run_t, textrel_shlib_t, tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_var_run_t, thin_log_t, thin_var_run_t, timemaster_unit_file_t, timemaster_var_run_t, tmp_t, tomcat_log_t, tomcat_unit_file_t, tomcat_var_run_t, tor_unit_file_t, tor_var_log_t, tor_var_run_t, tuned_log_t, tuned_var_run_t, udev_var_run_t, ulogd_var_log_t, uml_switch_var_run_t, usbmuxd_unit_file_t, usbmuxd_var_run_t, user_home_dir_t, useradd_var_run_t, usr_t, uucpd_log_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, varnishd_var_run_t, varnishlog_log_t, varnishlog_var_run_t, vdagent_log_t, vdagent_var_run_t, vhostmd_var_run_t, virt_cache_t, virt_log_t, 
virt_lxc_var_run_t, virt_qemu_ga_log_t, virt_qemu_ga_var_run_t, virt_var_run_t, virtd_unit_file_t, vmtools_unit_file_t, vmware_host_pid_t, vmware_log_t, vmware_pid_t, vnstatd_var_run_t, vpnc_var_run_t, watchdog_log_t, watchdog_var_run_t, wdmd_var_run_t, winbind_log_t, winbind_var_run_t, wtmp_t, xdm_log_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_log_t, xend_var_run_t, xenstored_var_log_t, xenstored_var_run_t, xferlog_t, xserver_log_t, xserver_var_run_t, ypbind_unit_file_t, ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_log_t, zabbix_var_run_t, zarafa_deliver_log_t, zarafa_deliver_var_run_t, zarafa_gateway_log_t, zarafa_gateway_var_run_t, zarafa_ical_log_t, zarafa_ical_var_run_t, zarafa_indexer_log_t, zarafa_indexer_var_run_t, zarafa_monitor_log_t, zarafa_monitor_var_run_t, zarafa_server_log_t, zarafa_server_var_run_t, zarafa_spooler_log_t, zarafa_spooler_var_run_t, zebra_log_t, zebra_unit_file_t, zebra_var_run_t, zoneminder_log_t, zoneminder_unit_file_t, zoneminder_var_run_t. 
Then execute: 
restorecon -v '/var/cache/dnf'


*****  Plugin catchall (1.44 confidence) suggests   **************************

If you believe that logrotate should be allowed read access on the dnf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep logrotate /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /var/cache/dnf [ dir ]
Source                        logrotate
Source Path                   logrotate
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.17.7-300.fc21.x86_64
                              #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-12-19 20:06:01 CET
Last Seen                     2014-12-23 11:09:02 CET
Local ID                      17c3f239-ca34-43a5-bf7b-007759398fbf

Raw Audit Messages
type=AVC msg=audit(1419329342.120:781): avc:  denied  { read } for  pid=8142 comm="logrotate" name="dnf" dev="sda6" ino=1181107 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0


Hash: logrotate,logrotate_t,var_t,dir,read
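
The two raw AVC records quoted in this bug differ in one field that decides the fix: the first (comment 63 area) has tcontext type rpm_var_cache_t, the label the restorecon plugin in comment 86 calls the correct default, so the policy itself lacks an allow rule; the second has var_t, i.e. the directory is simply mislabelled and restorecon, as Daniel Walsh suggests in comment 73, is the right repair. The following Python is an added triage example, not code from the bug, from setroubleshoot or from audit2allow. It parses constructed audit lines copied from this bug, separates mislabels from genuine policy gaps using the expected type from comment 86, and renders a minimal TE module only for the policy-gap denials, in the same shape as the local rule Göran Uddeborg posts in comment 93. Module name, the EXPECTED_TYPE table and the helper names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the two AVC records quoted in this bug plus one
# unrelated SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1418848022.525:452): avc:  denied  { read } for  pid=3048 comm="logrotate" name="dnf" dev="dm-1" ino=667428 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1419329342.120:781): avc:  denied  { read } for  pid=8142 comm="logrotate" name="dnf" dev="sda6" ino=1181107 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1419329342.120:781): arch=c000003e syscall=257 success=no exit=-13
"""

# Expected type per target name, taken from the restorecon plugin output in
# comment 86 ("/var/cache/dnf default label should be rpm_var_cache_t").
# Assumption of this example: extend this table for other objects you triage.
EXPECTED_TYPE: Dict[str, str] = {"dnf": "rpm_var_cache_t"}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bname="(?P<name>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


@dataclass
class AvcDenial:
    comm: str
    name: str
    perms: List[str]
    stype: str   # type field of scontext, e.g. logrotate_t
    ttype: str   # type field of tcontext, e.g. rpm_var_cache_t
    tclass: str


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the denial described by one audit line, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return AvcDenial(
        comm=m.group("comm"),
        name=m.group("name"),
        perms=sorted(m.group("perms").split()),
        stype=m.group("scontext").split(":")[2],
        ttype=m.group("tcontext").split(":")[2],
        tclass=m.group("tclass"),
    )


def triage(d: AvcDenial) -> str:
    """'mislabel' when the target carries a type other than its expected default
    (fix: restorecon), otherwise 'policy-gap' (fix: policy update or local module)."""
    expected = EXPECTED_TYPE.get(d.name)
    if expected is not None and d.ttype != expected:
        return "mislabel"
    return "policy-gap"


def triage_log(text: str) -> Dict[str, List[AvcDenial]]:
    """Bucket every AVC denial in an audit log excerpt by the kind of fix it needs."""
    buckets: Dict[str, List[AvcDenial]] = {"mislabel": [], "policy-gap": []}
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            buckets[triage(d)].append(d)
    return buckets


def local_module_te(denials: List[AvcDenial], module: str = "mypol") -> str:
    """Render a minimal TE module for policy-gap denials only. Writing rules for
    mislabelled objects would grant logrotate_t access to generic types such as
    var_t, which is far broader than the denial actually calls for."""
    types = sorted({t for d in denials for t in (d.stype, d.ttype)})
    classes: Dict[str, set] = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)

    def perm_str(perms) -> str:
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {perm_str(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {d.stype} {d.ttype}:{d.tclass} {perm_str(d.perms)};" for d in denials]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage_log(SAMPLE_AUDIT_LOG)
    for kind, ds in result.items():
        for d in ds:
            print(f"{kind:10} {d.comm} ({d.stype}) -> {d.name} ({d.ttype}) {d.tclass} {d.perms}")
    print(local_module_te(result["policy-gap"]))
```

A denial in the mislabel bucket is resolved with `restorecon -R -v /var/cache` as in comments 73 and 76; a denial in the policy-gap bucket is the kind this bug tracks and is what the selinux-policy update addresses. The rendered module for the first record is exactly comment 93's `allow logrotate_t rpm_var_cache_t:dir read;` wrapped in the module and require header that checkmodule expects. Comment 93 also notes a failure with no AVC logged at all; denials covered by a dontaudit rule are invisible to this kind of parser until those rules are disabled in the loaded policy (`semodule -DB`), and should be re-enabled afterwards (`semodule -B`).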

Comment 87 Daniel Walsh 2014-12-23 13:25:45 UTC
The fix has not made it into a Fedora 21 package yet.

Lucas can you get 

d4d825f5a15b46014f482ce7fede179b10af92e1
b955f9ec993f38d61dc42048d61ad425f7ea230a
and
50113238bb5a4fb13fd9f7559b348203dc7327ea
back ported into f21.

Comment 88 Daniel Walsh 2014-12-23 18:55:25 UTC
Lucas also add a restorecon -R -v /var/cache/dnf to the post install script.

Comment 89 Dan Ziemba 2014-12-24 00:24:14 UTC
Description of problem:
I ran `touch /.autorelable` then rebooted several hours before this error happened.  The machine was left unattended for some time after the reboot, but auto-login is enabled.  Error was displayed on the lock screen when I returned to the machine.  

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 91 hellishglare 2014-12-28 23:57:10 UTC
SELinux is no longer preventing logrotate from read access on the directory /var/cache/dnf after I enabled the updates-testing repo and updated to selinux-policy-3.13.1-103.fc21. Now when I manually start logrotate, the output is as follows:
rotating pattern: /var/cache/dnf/*/*/hawkey.log  forced from command line (4 rotations)
empty log files are not rotated, old logs are removed
considering log /var/cache/dnf/x86_64/21/hawkey.log
  log needs rotating
rotating log /var/cache/dnf/x86_64/21/hawkey.log, log->rotateCount is 4
dateext suffix '-20141229'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
fscreate context set to system_u:object_r:rpm_var_cache_t:s0
renaming /var/cache/dnf/x86_64/21/hawkey.log to /var/cache/dnf/x86_64/21/hawkey.log-20141229
creating new /var/cache/dnf/x86_64/21/hawkey.log mode = 0600 uid = 0 gid = 0

I haven't seen any other issues with this testing SELinux update package yet.

Comment 92 fco.apg 2014-12-30 00:13:22 UTC
Description of problem:
Apparently when trying to open a .log file

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 93 Göran Uddeborg 2015-01-01 16:44:02 UTC
Today I got warnings from the logrotate execution:

error: error opening /var/cache/dnf/x86_64/21/hawkey.log: Permission denied

The configuration says "yearly", so I guess that is why I haven't got the message until today.

However, I don't see any AVCs logged at the time.  And DAC allows everyone to read the file.  Could there be something dontaudited that confuses things?

This is with selinux-policy-targeted-3.13.1-103.fc21 plus a local module that does

allow logrotate_t rpm_var_cache_t:dir read;

I'll experiment a bit and see if I can figure out what I need to add to my local policy, but the absence of reported AVCs makes it a bit more complicated.

Comment 94 Daniel Walsh 2015-01-02 12:59:55 UTC
Why is hawkey.log under /var/cache/dnf?  Shouldn't this be in /var/log?

Comment 95 Göran Uddeborg 2015-01-02 14:36:52 UTC
That was my initial reaction too, but Jan Silhan explained why it is the way it is in bug 1149350, comment 1.

Comment 96 Daniel Walsh 2015-01-02 22:21:32 UTC
dnf log files should be in /var/log/dnf/

Comment 97 Bill Davidsen 2015-01-05 21:40:43 UTC
Should I report the logs in the wrong place as a separate bug? If they need to be separate they can be in /var/log/dnf/{subdir} and the subdir can be based on time, PID, whatever is needful. I see the reason they are separated, but they could still be in the right place. And if /var/log/dnf must be a file, then a /var/log/dnf-whatever directory could be used.

People do things to preserve /var/log and shouldn't have to take special care with /var/lib just because someone wanted to put a log there.

Comment 98 Jan Zeleny 2015-01-06 08:23:13 UTC
(In reply to Bill Davidsen from comment #97)
> Should I report the logs in the wrong place as a separate bug?

No need yet, I'm reassigning this bug to my team for further evaluation.

Comment 99 Göran Uddeborg 2015-01-06 11:07:56 UTC
In case anyone more than me wants log rotation right now, I believe these SELinux rules are enough.  Probably they allow too much.  But it's just an interim solution anyway, until we have a permanent solution.

rw_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
rename_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
create_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)
setattr_files_pattern(logrotate_t, rpm_var_cache_t, rpm_var_cache_t)

Comment 100 Honza Silhan 2015-01-09 19:07:17 UTC
I changed hawkey C API to accept custom path to log file so dnf will set it as `/var/log/hawkey.log`.

PR here: https://github.com/rpm-software-management/hawkey/pull/77

Comment 101 Honza Silhan 2015-01-09 19:08:44 UTC
*** Bug 1175434 has been marked as a duplicate of this bug. ***

Comment 102 Ira Malinich 2015-02-06 17:48:20 UTC
Description of problem:
From a basic Workstation install with updates, it looks like this happened the next time logrotate ran after those updates.  It looks like dnf keeps a hawkey.log file in /var/cache/dnf and logrotate is trying to rotate it.

Version-Release number of selected component:
selinux-policy-3.13.1-99.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 103 Lukas Vrabec 2015-02-16 11:34:15 UTC
Sorry for delay. I added fixes to F21.

Comment 104 Honza Silhan 2015-03-25 16:30:19 UTC
*** Bug 1178003 has been marked as a duplicate of this bug. ***

Comment 105 Lukas Slebodnik 2015-05-04 21:23:46 UTC
Could someone close this bug?
I cannot see this bug anymore.

