CSF + CentOS 7 + SELinux logrotate permission denied

This forum is only for reproducible bugs with csf and lfd (i.e. not iptables problems, lack of understanding how to use a feature, etc). Posts must be accompanied with full technical details of the problem and how it can be recreated. Any posts not adhering to this, or not considered bugs, will be moved to the General Discussion (csf) forum.
Post Reply
ninereeds
Junior Member
Posts: 1
Joined: 28 Mar 2017, 14:20

CSF + CentOS 7 + SELinux logrotate permission denied

Post by ninereeds »

Receiving permissions error via CRON on daily basis:

Code: Select all

/etc/cron.daily/logrotate:

error: failed to open config file lfd: Permission denied
error: found error in file lfd, skipping
setroubleshoot reports:

Code: Select all

SELinux is preventing /usr/sbin/logrotate from read access on the file lfd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that logrotate should be allowed read access on the lfd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -i my-logrotate.pp


Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                lfd [ file ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           logrotate-3.8.6-12.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-514.el7.x86_64
                              #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-17 03:37:01 EDT
Last Seen                     2017-03-17 03:37:01 EDT
Local ID                      40b8e0a2-cf5c-430b-b90f-10f3c0ea8ba7

Raw Audit Messages
type=AVC msg=audit(1489736221.254:402): avc:  denied  { read } for  pid=21927 comm="logrotate" name="lfd" dev="dm-0" ino=4265983 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file


type=SYSCALL msg=audit(1489736221.254:402): arch=x86_64 syscall=open success=no exit=EACCES a0=cedc00 a1=0 a2=0 a3=2 items=0 ppid=21925 pid=21927 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,admin_home_t,file,read
Noticed that security context appears to be off for /etc/logrotate.d/lfd :

Code: Select all

# ls -lZ /etc/logrotate.d
-rw-r--r--. root root system_u:object_r:etc_t:s0       chrony
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 lfd
-rw-r--r--. root root system_u:object_r:etc_t:s0       ppp
-rw-r--r--. root root system_u:object_r:etc_t:s0       syslog
-rw-r--r--. root root system_u:object_r:etc_t:s0       wpa_supplicant
-rw-r--r--. root root system_u:object_r:etc_t:s0       yum
Am able to correct problem by creating local security policy -or- simply adjusting SELinux context:

Code: Select all

# chcon -u system_u -r object_r -t etc_t /etc/logrotate.d/lfd
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CSF + CentOS 7 + SELinux logrotate permission denied

Post by ForumAdmin »

This has been addressed for new installations in v10.06:
https://blog.configserver.com/
Post Reply