Problems with logwatch, sagator and zope?

Dan Thurman dant at cdkkt.com
Tue Jul 15 14:35:55 UTC 2008 

My logs are reporting many errors, one which appears here:
Jul 14 20:15:41 bronze setroubleshoot: SELinux is preventing 0logwatch 
(logwatch_t) "read" to sagator (var_log_t). For complete SELinux 
messages. run sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72

.... And more here:
Jul 14 20:20:06 bronze logrotate: ALERT exited abnormally with [1]
Jul 14 20:22:02 bronze setroubleshoot: SELinux is preventing updatedb 
(locate_t) "getattr" to /usr/share/sagator (sagator_t). For complete 
SELinux messages. run sealert -l 54affa1b-dd31-4c24-b021-3e5ce8da3fe4

Jul 14 20:27:49 bronze setroubleshoot: SELinux is preventing logrotate 
(logrotate_t) "getattr" to /var/lib/zope/etc/logrotate.conf (var_lib_t). 
For complete SELinux messages. run sealert -l 
0851295f-58e7-43d8-940c-614514dcfdad

=================================================================
# sealert -l 623798e3-17ec-4751-ae16-e2d92c397e72
==========================================
Summary:

SELinux is preventing 0logwatch (logwatch_t) "read" to sagator (var_log_t).

Detailed Description:

SELinux denied access requested by 0logwatch. It is not expected that this
access is required by 0logwatch and this access may signal an intrusion 
attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to 
restore
the default system file context for sagator,

restorecon -v 'sagator'

If this does not work, there is currently no automatic way to allow this 
access.
Instead, you can generate a local policy module to allow this access - 
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can 
disable
SELinux protection altogether. Disabling SELinux protection is not 
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                sagator [ lnk_file ]
Source                        0logwatch
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          bronze.cdkkt.com
Source RPM Packages           perl-5.10.0-30.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-74.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     bronze.cdkkt.com
Platform                      Linux bronze.cdkkt.com 
2.6.25.9-76.fc9.i686 #1 SMP
                              Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count                   8
First Seen                    Mon Jul 14 20:15:41 2008
Last Seen                     Mon Jul 14 20:15:41 2008
Local ID                      623798e3-17ec-4751-ae16-e2d92c397e72
Line Numbers                  

Raw Audit Messages            

host=bronze.cdkkt.com type=AVC msg=audit(1216091741.414:1543): avc:  
denied  { read } for  pid=19074 comm="0logwatch" name="sagator" dev=sda6 
ino=86871 scontext=system_u:system_r:logwatch_t:s0 
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file

host=bronze.cdkkt.com type=SYSCALL msg=audit(1216091741.414:1543): 
arch=40000003 syscall=5 success=no exit=-13 a0=bf87c1c8 a1=98800 
a2=8a67e30 a3=bf87c1c8 items=0 ppid=15038 pid=19074 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4294967295 comm="0logwatch" exe="/usr/bin/perl" 
subj=system_u:system_r:logwatch_t:s0 key=(null)

=================================================================
# sealert -l 0851295f-58e7-43d8-940c-614514dcfdad
# ls -lZ /var/lib/zope/etc/logrotate.conf
-rw-r--r--  root zope system_u:object_r:var_lib_t:s0   
/var/lib/zope/etc/logrotate.conf
==========================================
Summary:

SELinux is preventing logrotate (logrotate_t) "getattr" to
/var/lib/zope/etc/logrotate.conf (var_lib_t).

Detailed Description:

SELinux denied access requested by logrotate. It is not expected that this
access is required by logrotate and this access may signal an intrusion 
attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to 
restore
the default system file context for /var/lib/zope/etc/logrotate.conf,

restorecon -v '/var/lib/zope/etc/logrotate.conf'

If this does not work, there is currently no automatic way to allow this 
access.
Instead, you can generate a local policy module to allow this access - 
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can 
disable
SELinux protection altogether. Disabling SELinux protection is not 
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logrotate_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/zope/etc/logrotate.conf [ file ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          bronze.cdkkt.com
Source RPM Packages           logrotate-3.7.6-5.fc9
Target RPM Packages           compat-zope-2.10.5-3.lvn9
Policy RPM                    selinux-policy-3.3.1-74.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     bronze.cdkkt.com
Platform                      Linux bronze.cdkkt.com 
2.6.25.9-76.fc9.i686 #1 SMP
                              Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Mon Jul 14 20:27:49 2008
Last Seen                     Mon Jul 14 20:27:49 2008
Local ID                      0851295f-58e7-43d8-940c-614514dcfdad
Line Numbers                 

Raw Audit Messages           

host=bronze.cdkkt.com type=AVC msg=audit(1216092469.664:1690): avc:  
denied  { getattr } for  pid=6689 comm="logrotate" 
path="/var/lib/zope/etc/logrotate.conf" dev=sda6 ino=2220768 
scontext=system_u:system_r:logrotate_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=file

host=bronze.cdkkt.com type=SYSCALL msg=audit(1216092469.664:1690): 
arch=40000003 syscall=195 success=no exit=-13 a0=bfb60ec5 a1=bfb5fa2c 
a2=bcbff4 a3=bfb5fac4 items=0 ppid=6687 pid=6689 auid=4294967295 uid=0 
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) 
ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" 
subj=system_u:system_r:logrotate_t:s0 key=(null)
=================================================================

More information about the fedora-selinux-list mailing list