Bug 236855 - LSPP: aide can't write its log file
Summary: LSPP: aide can't write its log file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: aide
Version: 5.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Steve Conklin
QA Contact: Tom Kincaid
URL:
Whiteboard:
Depends On:
Blocks: RHEL5LSPPCertTracker
 
Reported: 2007-04-18 00:47 UTC by George C. Wilson
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0539
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-04 14:03:02 UTC
Target Upstream Version:


Attachments
Adds /var/log/aide to spec file. (deleted)
2007-04-18 01:08 UTC, George C. Wilson
Sets aide log file path to /var/log/aide/aide.log (deleted)
2007-04-18 01:10 UTC, George C. Wilson
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts (deleted)
2007-04-18 01:12 UTC, George C. Wilson
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts (deleted)
2007-04-18 13:22 UTC, George C. Wilson


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0539 normal SHIPPED_LIVE Moderate: aide security update 2007-09-04 14:02:57 UTC

Description George C. Wilson 2007-04-18 00:47:24 UTC
Description of problem:

The aide utility cannot write /var/log/aide.log. It attempts to create it at
SystemHigh. But this causes a constraint violation because /var/log is
ranged. It either needs an MLS override or its own SystemHigh /var/log/aide
directory. After discussion, the latter solution seems preferable.

Version-Release number of selected component (if applicable):

aide-0.12-8.el5

How reproducible:

run aide --init

Steps to Reproduce:
1. Install the LSPP evaluated configuration
2. run aide --init
3. See the message complaining that aide cannot open /var/log/aide.log
4. audit2why < /var/log/audit/audit.log
5. See that it is a constraint violation
  
Actual results:

Couldn't open file /var/lib/aide/aide.db.new.gz for writing

Expected results:

aide should initialize its database and write its log file without complaint.

Additional info:

Comment 1 George C. Wilson 2007-04-18 01:08:05 UTC
Created attachment 152866 [details]
Adds /var/log/aide to spec file.

LSPP-specific aide configuration seems to be done outside the build tree. This
patch is directly against SPECS/aide.spec. Built but not tested.

Comment 2 George C. Wilson 2007-04-18 01:10:12 UTC
Created attachment 152867 [details]
Sets aide log file path to /var/log/aide/aide.log

LSPP-specific aide configuration seems to be done outside the build tree. This
patch is directly against SOURCES/aide.conf. Built but not tested.

Comment 3 George C. Wilson 2007-04-18 01:12:00 UTC
Created attachment 152868 [details]
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts

Built but not tested.

Comment 5 George C. Wilson 2007-04-18 13:22:11 UTC
Created attachment 152901 [details]
Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts

Tested previous patch and updated it. aide requires additional TE perms as
well. aide with the above 2 patches seems to work well with this patch.

Comment 6 Steve Grubb 2007-04-18 21:53:57 UTC
aide-0.12-9 was built. I think we still need selinux-policy package built.

Comment 7 Daniel Walsh 2007-04-19 02:35:59 UTC
Fixed in selinux-policy-2.4.6-60

Comment 8 Steve Grubb 2007-04-19 13:20:39 UTC
Ok, looks like we are ready for re-test. Thanks.

Comment 9 George C. Wilson 2007-04-19 20:26:32 UTC
Thanks for making the changes. The aide package looks OK. The -60 policy adds
the file contexts but not the additional TE perms in my 2nd attempt at the
patch. So I still have to add a module with allow aide_t aide_log_t:dir {
add_name write }; to permit aide to create its log file. I think we'll need that
allow rule or an interface that provides the same permissions.
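
The fix the thread converges on has three parts: a dedicated /var/log/aide directory, file contexts that label it aide_log_t at SystemHigh, and the two dir permissions comment 9 found missing. The script below is an added example, not code from the bug report or from the aide or selinux-policy packages, that writes those pieces as a local policy module and builds it when the SELinux toolchain is installed. It assumes the type names aide_t and aide_log_t from comment 9 and that SystemHigh is s15:c0.c1023 on this MLS policy (override SYSTEMHIGH if the installed policy defines it differently); the module name local_aide_log is made up for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or the aide/selinux-policy packages):
# assemble a local SELinux policy module giving aide its own SystemHigh log
# directory, as the thread concludes. Assumed: type names aide_t and aide_log_t
# (both named in comment 9) and that SystemHigh is s15:c0.c1023 on this MLS
# policy; check the latter against the installed policy before loading.
SYSTEMHIGH="${SYSTEMHIGH:-s15:c0.c1023}"

# Type-enforcement source: exactly the dir permissions comment 9 had to add.
local_aide_log_te() {
    cat <<EOF
module local_aide_log 1.0;

require {
    type aide_t;
    type aide_log_t;
}

# Let aide create /var/log/aide/aide.log inside its own log directory.
allow aide_t aide_log_t:dir { add_name write };
EOF
}

# File contexts: label the directory and everything beneath it aide_log_t at
# SystemHigh, so aide (running at SystemHigh) no longer writes into the ranged
# /var/log and trips the MLS constraint the reporter saw with audit2why.
local_aide_log_fc() {
    cat <<EOF
/var/log/aide(/.*)?    system_u:object_r:aide_log_t:${SYSTEMHIGH}
EOF
}

# Write the sources into a directory and, when checkmodule/semodule_package
# are present, build the loadable .pp; otherwise only the sources are written.
build_local_aide_log() {
    dir="${1:-.}"
    local_aide_log_te > "$dir/local_aide_log.te"
    local_aide_log_fc > "$dir/local_aide_log.fc"
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        checkmodule -M -m -o "$dir/local_aide_log.mod" "$dir/local_aide_log.te"
        semodule_package -o "$dir/local_aide_log.pp" -m "$dir/local_aide_log.mod" -f "$dir/local_aide_log.fc"
        echo "built $dir/local_aide_log.pp; load with: semodule -i $dir/local_aide_log.pp && restorecon -R /var/log/aide"
    else
        echo "SELinux build tools not found; wrote $dir/local_aide_log.te and .fc only"
    fi
}

# Sanity check on the generated sources: the allow rule and the path label are
# both present, so a typo cannot silently produce a module that changes nothing.
verify_local_aide_log_sources() {
    local_aide_log_te | grep -q 'allow aide_t aide_log_t:dir { add_name write };' &&
    local_aide_log_fc | grep -q '^/var/log/aide(/\.\*)?'
}
```

After `semodule -i` and `restorecon -R /var/log/aide`, `ls -Z /var/log/aide` should show the aide_log_t label at SystemHigh, and `aide --init` should no longer produce the constraint-violation denial. On the RHEL 5 policy the same change shipped in selinux-policy -62 (comment 10), so a local module like this is only needed where that update is absent.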

Comment 10 George C. Wilson 2007-04-21 00:12:52 UTC
This looks good with the 62 policy.

Comment 15 Red Hat Bugzilla 2007-09-04 14:03:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0539.html
