CSF + CentOS 7 + SELinux logrotate permission denied

Posted: 28 Mar 2017, 14:32
by ninereeds
Receiving a permissions error via CRON on a daily basis:

/etc/cron.daily/logrotate:

error: failed to open config file lfd: Permission denied
error: found error in file lfd, skipping
setroubleshoot reports:

SELinux is preventing /usr/sbin/logrotate from read access on the file lfd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that logrotate should be allowed read access on the lfd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'logrotate' --raw | audit2allow -M my-logrotate
# semodule -i my-logrotate.pp


Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                lfd [ file ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           logrotate-3.8.6-12.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.10.0-514.el7.x86_64
                              #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-17 03:37:01 EDT
Last Seen                     2017-03-17 03:37:01 EDT
Local ID                      40b8e0a2-cf5c-430b-b90f-10f3c0ea8ba7

Raw Audit Messages
type=AVC msg=audit(1489736221.254:402): avc:  denied  { read } for  pid=21927 comm="logrotate" name="lfd" dev="dm-0" ino=4265983 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file


type=SYSCALL msg=audit(1489736221.254:402): arch=x86_64 syscall=open success=no exit=EACCES a0=cedc00 a1=0 a2=0 a3=2 items=0 ppid=21925 pid=21927 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: logrotate,logrotate_t,admin_home_t,file,read
Noticed that the security context appears to be off for /etc/logrotate.d/lfd:

# ls -lZ /etc/logrotate.d
-rw-r--r--. root root system_u:object_r:etc_t:s0       chrony
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 lfd
-rw-r--r--. root root system_u:object_r:etc_t:s0       ppp
-rw-r--r--. root root system_u:object_r:etc_t:s0       syslog
-rw-r--r--. root root system_u:object_r:etc_t:s0       wpa_supplicant
-rw-r--r--. root root system_u:object_r:etc_t:s0       yum
I am able to correct the problem by creating a local security policy or by simply adjusting the SELinux context:

# chcon -u system_u -r object_r -t etc_t /etc/logrotate.d/lfd
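An added detection script, not from this thread or from CSF, covering the two symptoms shown in the post above: the AVC denial in the audit log and the mislabelled file in /etc/logrotate.d. Sample inputs are constructed from the output above; it assumes filenames without spaces, and the live check needs ls -Z and restorecon on an SELinux host.

```shell
#!/bin/sh
# Added example, not from the thread or from CSF. find_mislabeled flags /etc/logrotate.d
# entries whose SELinux type is not etc_t; parse_avc extracts the essentials of raw AVC
# denials from audit.log. Sample inputs are constructed from the post above.
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:etc_t:s0       chrony
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 lfd
-rw-r--r--. root root system_u:object_r:etc_t:s0       syslog'
SAMPLE_AVC='type=AVC msg=audit(1489736221.254:402): avc:  denied  { read } for  pid=21927 comm="logrotate" name="lfd" dev="dm-0" ino=4265983 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# find_mislabeled WANT_TYPE: reads `ls -lZ` lines on stdin and prints "name type" for each
# entry whose type differs. Handles el7 output (no size/date) and newer coreutils alike;
# assumes filenames without spaces (the name is taken as the last field).
find_mislabeled() {
  awk -v want="$1" '
    NF >= 5 {
      ctx = ""                               # the field shaped user:role:type:level
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[a-zA-Z0-9_]+:[a-zA-Z0-9_]+:[a-zA-Z0-9_]+:/) { ctx = $i; break }
      if (ctx == "") next
      split(ctx, p, ":")
      if (p[3] != want) print $NF, p[3]
    }'
}

# parse_avc: reads raw audit records on stdin, prints "comm target_name target_type perms"
# for each AVC denial, e.g. "logrotate lfd admin_home_t read".
parse_avc() {
  awk '/avc: +denied/ {
    comm = ""; name = ""; ttype = ""; perms = ""
    if (match($0, /[{] [^}]* [}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "comm") comm = kv[2]
      else if (kv[1] == "name") name = kv[2]
      else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
    }
    gsub(/"/, "", comm); gsub(/"/, "", name)
    print comm, name, ttype, perms
  }'
}

# Live check on an SELinux host; restorecon relabels from policy defaults, so unlike chcon it survives a relabel.
check_logrotate_dir() {
  dir=${1:-/etc/logrotate.d}
  ls -lZ "$dir" 2>/dev/null | find_mislabeled etc_t | while read -r name type; do
    echo "$dir/$name is $type, expected etc_t -> restorecon -v $dir/$name"
  done
}
printf '%s\n' "$SAMPLE_LS" | find_mislabeled etc_t    # lfd admin_home_t
printf '%s\n' "$SAMPLE_AVC" | parse_avc               # logrotate lfd admin_home_t read
```

Run `check_logrotate_dir` on a CentOS 7 host to list any logrotate config whose label drifted from etc_t, and feed `ausearch -m avc --raw` into `parse_avc` to spot the same denial in the audit trail.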

Re: CSF + CentOS 7 + SELinux logrotate permission denied

Posted: 14 Apr 2017, 17:40
by ForumAdmin
This has been addressed for new installations in v10.06:
https://blog.configserver.com/