View Issue Details

IDProjectCategoryView StatusLast Update
0016760CentOS-7selinux-policypublic2019-12-04 03:22
Reportermarkfm 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0016760: SELinux is preventing /usr/sbin/rsyslogd from 'write' accesses on the directory log.
DescriptionDescription of problem:
It seems to happen after I install the 2600Hz Kazoo PBX and it's component software on a single server and then reboot. The steps I take for the installation can be found here: https://docs.2600hz.com/sysadmin/doc/install/install_via_centos7/. I am experimenting with this software, and this problem is reproducible.
SELinux is preventing /usr/sbin/rsyslogd from 'write' accesses on the directory log.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow rsyslogd to have write access on the log directory
Then you need to change the label on log
Do
# semanage fcontext -a -t FILE_TYPE 'log'
where FILE_TYPE is one of the following: NetworkManager_log_t, abrt_var_log_t, acct_data_t, afs_logfile_t, aide_log_t, amanda_log_t, antivirus_log_t, apcupsd_log_t, apmd_log_t, asterisk_log_t, auth_cache_t, bacula_log_t, bitlbee_log_t, boinc_log_t, brltty_log_t, calamaris_log_t, callweaver_log_t, canna_log_t, ccs_var_lib_t, ccs_var_log_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chronyd_var_log_t, cinder_log_t, cloud_log_t, cluster_var_log_t, cobbler_var_log_t, condor_log_t, conman_log_t, consolekit_log_t, container_log_t, couchdb_log_t, cron_log_t, ctdbd_log_t, cupsd_log_t, cyphesis_log_t, ddclient_log_t, deltacloudd_log_t, denyhosts_var_log_t, device_t, devicekit_var_log_t, dirsrv_snmp_var_log_t, dirsrv_var_log_t, dlm_controld_var_log_t, dnsmasq_var_log_t, dovecot_var_log_t, dspam_log_t, evtchnd_var_log_t, exim_log_t, fail2ban_log_t, faillog_t, fenced_var_log_t, fetchmail_log_t, fingerd_log_t, firewalld_var_log_t, foghorn_var_log_t, fsadm_log_t, ganesha_var_log_t, getty_log_t, gfs_controld_var_log_t, glance_log_t, glusterd_log_t, groupd_var_log_t, haproxy_var_log_t, httpd_log_t, icecast_log_t, inetd_log_t, initrc_var_log_t, innd_log_t, ipa_log_t, ipsec_log_t, iscsi_log_t, iwhd_log_t, jetty_log_t, jockey_var_log_t, kadmind_log_t, keystone_log_t, kismet_log_t, krb5_host_rcache_t, krb5kdc_log_t, ksmtuned_log_t, ktalkd_log_t, lastlog_t, mailman_log_t, mcelog_log_t, mdadm_log_t, minidlna_log_t, mirrormanager_log_t, mongod_log_t, motion_log_t, mpd_log_t, mrtg_log_t, munin_log_t, mysqld_log_t, mythtv_var_log_t, nagios_log_t, named_log_t, neutron_log_t, nova_log_t, nscd_log_t, nsd_log_t, ntpd_log_t, numad_var_log_t, openhpid_log_t, openshift_log_t, opensm_log_t, openvpn_status_t, openvpn_var_log_t, openvswitch_log_t, openwsman_log_t, osad_log_t, passenger_log_t, pcp_log_t, piranha_log_t, pkcs_slotd_log_t, pki_log_t, pki_ra_log_t, pki_tomcat_log_t, pki_tps_log_t, plymouthd_var_log_t, polipo_log_t, postgresql_log_t, pppd_log_t, pptp_log_t, prelink_log_t, prelude_log_t, privoxy_log_t, procmail_log_t, prosody_log_t, psad_var_log_t, puppet_log_t, pyicqt_log_t, qdiskd_var_log_t, rabbitmq_var_log_t, radiusd_log_t, redis_log_t, rhev_agentd_log_t, rhsmcertd_log_t, ricci_modcluster_var_log_t, ricci_var_log_t, rpm_log_t, rsync_log_t, rtas_errd_log_t, samba_log_t, sanlock_log_t, sectool_var_log_t, sendmail_log_t, sensord_log_t, setroubleshoot_var_log_t, shorewall_log_t, slapd_log_t, slpd_log_t, smsd_log_t, snapperd_log_t, snmpd_log_t, snort_log_t, spamd_log_t, speech-dispatcher_log_t, squid_log_t, sssd_var_log_t, stapserver_log_t, stunnel_log_t, sudo_log_t, svnserve_log_t, syslogd_tmp_t, syslogd_tmpfs_t, syslogd_var_lib_t, syslogd_var_run_t, sysstat_log_t, thin_aeolus_configserver_log_t, thin_log_t, tmp_t, tmpfs_t, tomcat_log_t, tor_var_log_t, tuned_log_t, ulogd_var_log_t, uucpd_log_t, var_lib_t, var_log_t, var_run_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, vmware_log_t, watchdog_log_t, winbind_log_t, wtmp_t, xdm_log_t, xend_var_log_t, xenstored_var_log_t, xferlog_t, xserver_log_t, zabbix_log_t, zarafa_deliver_log_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_spooler_log_t, zebra_log_t, zoneminder_log_t.
Then execute:
restorecon -v 'log'


***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that rsyslogd should be allowed write access on the log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rs:main Q:Reg' --raw | audit2allow -M my-rsmainQReg
# semodule -i my-rsmainQReg.pp

Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:object_r:usr_t:s0
Target Objects log [ dir ]
Source rs:main Q:Reg
Source Path /usr/sbin/rsyslogd
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1062.4.3.el7.x86_64 #1 SMP
                              Wed Nov 13 23:58:53 UTC 2019 x86_64 x86_64
Alert Count 104
First Seen 2019-11-21 05:48:56 UTC
Last Seen 2019-11-21 20:25:58 UTC
Local ID 48c3fc97-8703-4b65-8438-9f1d4aaa8fb1

Raw Audit Messages
type=AVC msg=audit(1574367958.237:852): avc: denied { write } for pid=1379 comm=72733A6D61696E20513A526567 name="log" dev="sdb2" ino=11277552 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0


Hash: rs:main Q:Reg,syslogd_t,usr_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-252.el7.1.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1062.4.3.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hashf53ae2fc684b6c2ee63718f0bb89b9830f8108df71217db913ba421387dec406
URL

Activities

markfm

markfm

2019-12-04 03:22

reporter   ~0035792

I have fixed this issue with the following commands after completing the 2600Hz Kazoo PBX installation.
semanage fcontext -a -t couchdb_log_t /opt/kazoo/log
restorecon -v /opt/kazoo/log

Issue History

Date Modified Username Field Change
2019-11-21 20:46 markfm New Issue
2019-12-04 03:22 markfm Note Added: 0035792