[DSE-Dev] Bug#763600: selinux-policy-default: "su" option in logrotate is blocked by SELinux dontaudit rule
Bart-Jan Vrielink
bartjan at vrielink.net
Wed Oct 1 08:48:22 UTC 2014
Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal
Dear Maintainer,
3rd party package puppetdb uses a logrotate configuration that includes the
"su puppetdb puppetdb" option. This does not work together with the default
SELinux policy, because of the following policy rule:
root at zarquon:~# sesearch -t logrotate_t -s logrotate_t --dontaudit
Found 1 semantic av rules:
dontaudit logrotate_t logrotate_t : capability { setgid setuid sys_ptrace } ;
root at zarquon:~#
This results in the following in the audit logs (after rebuilding the policy
to show dontaudit rules):
----
time->Tue Sep 30 06:25:04 2014
type=SYSCALL msg=audit(1412051104.718:1470): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffffffffffff a1=79 a2=ffffffffffffffff a3=0 items=0 ppid=29053 pid=29054 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1227 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1412051104.718:1470): avc: denied { setgid } for pid=29054 comm="logrotate" capability=6 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
----
As this is apparently explicitly disallowed (and very hard to troubleshoot,
given the dontaudit rule), I'm reluctant to modify the policy myself without
understanding why this rule is in place. If this bug(?) does not get fixed, then
at least please educate me on the reason why this policy rule is in place and
what the implications are of overruling it.
By the way:
ii logrotate 3.8.1-4 amd64 Log rotation utility
-- System Information:
Debian Release: 7.6
APT prefers stable
APT policy: (990, 'stable'), (900, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.3-7.1
ii libselinux1 2.1.9-5
ii libsepol1 2.1.4-3
ii policycoreutils 2.1.10-9
ii python 2.7.3-4+deb7u1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.1.8-2
ii setools 3.3.7-3
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
-- no debconf information
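An added example, not code from the report or the Debian policy package: it parses the AVC record and the sesearch output quoted above, reports whether a given denial would normally be swallowed by the dontaudit rule (the troubleshooting problem the report describes), and renders the minimal local module source that audit2allow would suggest for it. The module name is a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input: the two records quoted in the bug report above.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1412051104.718:1470): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffffffffffff a1=79 a2=ffffffffffffffff a3=0 items=0 ppid=29053 pid=29054 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1227 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1412051104.718:1470): avc: denied { setgid } for pid=29054 comm="logrotate" capability=6 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=capability
"""
# The dontaudit rule exactly as sesearch printed it in the report.
SESEARCH_OUTPUT = "dontaudit logrotate_t logrotate_t : capability { setgid setuid sys_ptrace } ;"

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<sctx>\S+)'
                    r'\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'(?P<kind>allow|dontaudit)\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*'
                     r'(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]+)\}')

def ctx_type(ctx):
    """Type field of an SELinux context: user:role:type[:range]."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Each AVC denial as (source type, target type, class, permissions)."""
    return [(ctx_type(m["sctx"]), ctx_type(m["tctx"]), m["tclass"], frozenset(m["perms"].split()))
            for m in AVC_RE.finditer(text)]

def parse_rules(text):
    """allow/dontaudit rules from sesearch text as (kind, src, tgt, class, perms)."""
    return [(m["kind"], m["src"], m["tgt"], m["cls"], frozenset(m["perms"].split()))
            for m in RULE_RE.finditer(text)]

def silenced_by_dontaudit(denial, rules):
    """True if the loaded policy would drop this denial from the audit log."""
    s, t, cls, perms = denial
    return any(kind == "dontaudit" and src == s and (tgt == t or (tgt == "self" and s == t))
               and c == cls and perms <= rp for kind, src, tgt, c, rp in rules)

def local_module(denials, name):
    """Minimal .te source granting exactly the denied permissions (what audit2allow emits)."""
    wanted, classes = defaultdict(set), defaultdict(set)
    for s, t, cls, perms in denials:
        wanted[(s, t, cls)] |= perms
        classes[cls] |= perms
    types = sorted({x for s, t, _ in wanted for x in (s, t)})
    out = [f"module {name} 1.0;", "require {"] + [f"    type {x};" for x in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (s, t, cls), p in sorted(wanted.items()):
        out.append(f"allow {s} {'self' if s == t else t}:{cls} {{ {' '.join(sorted(p))} }};")
    return "\n".join(out)
```

Feed `local_module(parse_avcs(open("/var/log/audit/audit.log").read()), "local_logrotate_su")` the real log and the result is a .te file that checkmodule and semodule_package can turn into a loadable module; whether loading it is appropriate is exactly the question the report raises about the dontaudit rule.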