Issue #8745: rsyslog audit SELinux rule is not loaded on F31+, floods system logs with AVCs - fedora-infrastructure

fedora-infrastructure

#8745 rsyslog audit SELinux rule is not loaded on F31+, floods system logs with AVCs

Closed: Fixed 4 years ago by kevin. Opened 4 years ago by adamwill.

It seems @kevin disabled the loading of the custom SELinux rule that avoids AVCs for some rsyslog / audit thing infra hosts do, on F31 and higher:

https://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=239f247757868a27df5802392ac24291eed931d0

that smells like it was supposed to be a quick hack, but it's still there months later, and it means most F31+ boxes in infra are going to have their logs flooded with AVCs like this:

Mar 12 05:02:47 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc:  denied  { getattr } for  pid=936 comm="in:imfile" path="/var/log/audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0
Mar 12 05:02:47 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc:  denied  { search } for  pid=936 comm="in:imfile" name="audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0
Mar 12 05:02:57 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc:  denied  { getattr } for  pid=936 comm="in:imfile" path="/var/log/audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0
Mar 12 05:02:57 openqa-aarch64-01.qa.fedoraproject.org audit[936]: AVC avc:  denied  { search } for  pid=936 comm="in:imfile" name="audit" dev="sda4" ino=268630710 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir permissive=0

...every ten seconds. Can we drop this hack now, or at least target it better? I've manually loaded the policy on the three boxes I care about that I noticed were affected (the new openQA aarch64 worker hosts), but I expect it'll be affecting others too.

kevin commented 4 years ago

we can, I don't recall if that was the f29 armv7 boxes or what... but we can't until after freeze. I don't think we want to do this until we are unfrozen.

adamwill commented 4 years ago

it must have been boxes you were deploying F31 on, or else the commit wouldn't make any sense :)

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

4 years ago

kevin commented 4 years ago

ok, whatever it was, it's gone now. I was able to load the module on a fedora 31 staging builder just fine.

I''ve reverted the commit. We may need to update the policy file to make sure it reloads everywhere....

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

Waiting on Assignee

fedora-infrastructure

Source Code

#8745 rsyslog audit SELinux rule is not loaded on F31+, floods system logs with AVCs Closed: Fixed 4 years ago by kevin. Opened 4 years ago by adamwill.

Metadata

#8745 rsyslog audit SELinux rule is not loaded on F31+, floods system logs with AVCs

Closed: Fixed 4 years ago by kevin. Opened 4 years ago by adamwill.