Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,
3rd party package puppetdb uses a logrotate configuration that includes the "su puppetdb puppetdb" option. This does not work together with the default SELinux policy, because of the following policy rule:

root@zarquon:~# sesearch -t logrotate_t -s logrotate_t --dontaudit
Found 1 semantic av rules:
   dontaudit logrotate_t logrotate_t : capability { setgid setuid sys_ptrace } ;
root@zarquon:~#

This results in the following in the audit logs (after rebuilding the policy to show dontaudit rules):

----
time->Tue Sep 30 06:25:04 2014
type=SYSCALL msg=audit(1412051104.718:1470): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffffffffffff a1=79 a2=ffffffffffffffff a3=0 items=0 ppid=29053 pid=29054 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1227 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1412051104.718:1470): avc: denied { setgid } for pid=29054 comm="logrotate" capability=6 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
----

As this is apparently explicitly disallowed (and very hard to troubleshoot, given the dontaudit rule), I'm reluctant to modify the policy myself without understanding why this rule is in place. If this bug(?) does not get fixed, then at least please educate me on the reason why this policy rule is in place and what the implications are of overruling it.
By the way:

ii  logrotate  3.8.1-4  amd64  Log rotation utility

-- System Information:
Debian Release: 7.6
  APT prefers stable
  APT policy: (990, 'stable'), (900, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
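As an added example (not code from the bug report, from logrotate or from selinux-policy-default), the following Python script does by hand what a troubleshooter would otherwise do with audit2allow: it parses an AVC record of the kind quoted in the report, checks it against the dontaudit rule that sesearch printed (which is why nothing appears in audit.log until the policy is rebuilt with `semodule -DB`; `semodule -B` hides the denials again), and prints the allow rule a local policy module would need in order to override it. The sample AVC line and the rule are constructed from the report; the capability-number table is an assumption that covers only the three capabilities named in that rule.

```python
"""Turn an SELinux AVC denial into the TE rule needed to override it.

Added example; the sample inputs below are constructed from the audit
record and the sesearch output quoted in the bug report.
"""
import re

# Linux capability numbers for the three capabilities the dontaudit rule
# covers (values as in <linux/capability.h>); assumption: nothing else is
# needed for this report.
CAPABILITY_NAMES = {6: "setgid", 7: "setuid", 19: "sys_ptrace"}

# Constructed sample: the AVC record from the report on a single line.
# syscall=119 in the matching SYSCALL record is setresgid(2) on x86_64,
# which is how logrotate drops to the group given by "su user group".
SAMPLE_AVC = (
    'type=AVC msg=audit(1412051104.718:1470): avc: denied { setgid } for '
    'pid=29054 comm="logrotate" capability=6 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability'
)

# Constructed sample: the rule printed by `sesearch --dontaudit` in the report.
SAMPLE_DONTAUDIT = (
    "dontaudit logrotate_t logrotate_t : capability { setgid setuid sys_ptrace } ;"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*?)"
    r"\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# sesearch-style access vector rule: "kind src tgt : class { perms } ;"
RULE_RE = re.compile(
    r"^(?P<kind>allow|dontaudit|auditallow|neverallow)\s+(?P<src>\S+)\s+"
    r"(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}"
)


def type_of(context):
    """Type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; returns None for non-AVC lines (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for kv in m.group("fields").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value.strip('"')
    cap = fields.get("capability")
    return {
        "perms": m.group("perms").split(),
        "source_type": type_of(m.group("scontext")),
        "target_type": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        # Cross-check: the capability number should agree with the perm name.
        "capability": CAPABILITY_NAMES.get(int(cap)) if cap is not None else None,
    }


def parse_rule(rule):
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("not an access vector rule: %r" % rule)
    return {"kind": m.group("kind"), "src": m.group("src"), "tgt": m.group("tgt"),
            "cls": m.group("cls"), "perms": set(m.group("perms").split())}


def rule_covers(denial, rule):
    """True if the rule applies to this denial: same source type, target
    type (with 'self' resolved), object class, and all denied permissions."""
    r = parse_rule(rule)
    tgt = denial["source_type"] if r["tgt"] == "self" else r["tgt"]
    return (r["src"] == denial["source_type"] and tgt == denial["target_type"]
            and r["cls"] == denial["tclass"]
            and set(denial["perms"]) <= r["perms"])


def allow_rule(denial):
    """The allow rule a local module would need, in sesearch's notation."""
    return "allow %s %s : %s { %s };" % (
        denial["source_type"], denial["target_type"], denial["tclass"],
        " ".join(denial["perms"]))


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    print("%s (pid %s) denied %s on class %s" % (
        d["comm"], d["pid"], " ".join(d["perms"]), d["tclass"]))
    if rule_covers(d, SAMPLE_DONTAUDIT):
        print("silenced by: " + SAMPLE_DONTAUDIT)
        print("(visible only after 'semodule -DB'; 'semodule -B' hides it again)")
    print("override would need: " + allow_rule(d))
```

Because "su user group" makes logrotate change both its group and its user, a matching setuid denial is to be expected once setgid is permitted; both are in the dontaudit set, so the override for this case would have to list both permissions, and sys_ptrace should stay out of it.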