CSF + CentOS 7 + SELinux logrotate permission denied
Posted: 28 Mar 2017, 14:32
Receiving permissions error via CRON on daily basis:

Code:
/etc/cron.daily/logrotate:
error: failed to open config file lfd: Permission denied
error: found error in file lfd, skipping

setroubleshoot reports:

Code:
SELinux is preventing /usr/sbin/logrotate from read access on the file lfd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that logrotate should be allowed read access on the lfd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -i my-logrotate.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                lfd [ file ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           logrotate-3.8.6-12.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-514.el7.x86_64
                              #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-17 03:37:01 EDT
Last Seen                     2017-03-17 03:37:01 EDT
Local ID                      40b8e0a2-cf5c-430b-b90f-10f3c0ea8ba7

Raw Audit Messages
type=AVC msg=audit(1489736221.254:402): avc: denied { read } for pid=21927 comm="logrotate" name="lfd" dev="dm-0" ino=4265983 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

type=SYSCALL msg=audit(1489736221.254:402): arch=x86_64 syscall=open success=no exit=EACCES a0=cedc00 a1=0 a2=0 a3=2 items=0 ppid=21925 pid=21927 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,admin_home_t,file,read

Noticed that security context appears to be off for /etc/logrotate.d/lfd:

Code:
# ls -lZ /etc/logrotate.d
-rw-r--r--. root root system_u:object_r:etc_t:s0 chrony
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 lfd
-rw-r--r--. root root system_u:object_r:etc_t:s0 ppp
-rw-r--r--. root root system_u:object_r:etc_t:s0 syslog
-rw-r--r--. root root system_u:object_r:etc_t:s0 wpa_supplicant
-rw-r--r--. root root system_u:object_r:etc_t:s0 yum

Am able to correct problem by creating local security policy -or- simply adjusting SELinux context:

Code:
# chcon -u system_u -r object_r -t etc_t /etc/logrotate.d/lfd
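The listing in the post shows the actual defect: a file under /etc/logrotate.d carrying the admin_home_t type that belongs to /root (the usual cause is a file written in /root and then moved into place with mv, which preserves the source label, where cp would have picked up the directory's default). Of the two fixes the poster mentions, the audit2allow module is the wrong one from a least-privilege standpoint, since it permanently grants logrotate_t read access to every admin_home_t file rather than correcting the one mislabeled file; chcon fixes the label but does not survive a relabel, whereas restorecon applies the policy's own default (etc_t for /etc/logrotate.d) and is persistent. The script below is an added example, not code from the post or from the CSF project. It checks a directory listing for files whose SELinux type is not the expected one and prints the restorecon command that would fix them. The listing is a constructed copy of the ls -lZ output from the post so the script runs offline; the function names, the EXPECTED_TYPE variable and the SAMPLE_LISTING value are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): flag files whose SELinux type
# differs from the type the policy assigns to the directory, and build the
# persistent fix (restorecon) rather than a one-off chcon.

# Type the targeted policy assigns to /etc/logrotate.d(/.*)? (assumed here).
EXPECTED_TYPE=etc_t

# Constructed sample: the `ls -lZ /etc/logrotate.d` output quoted in the post.
SAMPLE_LISTING='-rw-r--r--. root root system_u:object_r:etc_t:s0 chrony
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 lfd
-rw-r--r--. root root system_u:object_r:etc_t:s0 ppp
-rw-r--r--. root root system_u:object_r:etc_t:s0 syslog
-rw-r--r--. root root system_u:object_r:etc_t:s0 wpa_supplicant
-rw-r--r--. root root system_u:object_r:etc_t:s0 yum'

# mislabeled_files LISTING
# Prints "name type" for every entry whose SELinux type is not EXPECTED_TYPE.
# The context field is located by its user:object_r:type:level shape, so the
# parser works for both `ls -Z` and `ls -lZ` layouts (file names without spaces).
mislabeled_files() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_TYPE" '
        NF >= 2 {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:object_r:/) {
                    split($i, ctx, ":")        # ctx[3] is the SELinux type
                    if (ctx[3] != want) print $NF, ctx[3]
                    break
                }
            }
        }'
}

# fix_command DIR LISTING
# Prints the restorecon invocation for the mislabeled entries, or a message
# if nothing needs relabeling. restorecon consults the file_contexts database,
# so the result matches what a full relabel would produce, unlike chcon.
fix_command() {
    dir=$1
    names=$(mislabeled_files "$2" | awk '{print $1}')
    if [ -z "$names" ]; then
        echo "nothing to relabel in $dir"
        return 0
    fi
    cmd="restorecon -v"
    for n in $names; do
        cmd="$cmd $dir/$n"
    done
    echo "$cmd"
}

# Stand-alone run against the constructed listing. On a real CentOS 7 host,
# replace SAMPLE_LISTING with "$(ls -lZ /etc/logrotate.d)".
mislabeled_files "$SAMPLE_LISTING"
fix_command /etc/logrotate.d "$SAMPLE_LISTING"
```

After running the printed restorecon, `ls -lZ /etc/logrotate.d` should show lfd with system_u:object_r:etc_t:s0 like its neighbours, and the next /etc/cron.daily/logrotate run should no longer log the EACCES denial. The same check applies to any other file placed under /etc by hand; `matchpathcon /etc/logrotate.d/lfd` prints the type the policy expects if you want to confirm EXPECTED_TYPE before relabeling.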