SELinux blocks logrotate access to systemd

cherdt
Posts: 7
Joined: 2015/05/05 18:49:42
Location: Minneapolis, MN, USA

Post by cherdt » 2017/11/01 22:15:30

I have a postrotate script in /etc/logrotate.d/suricata to send a SIGHUP signal to the suricata process after its logs have been rotated:

    systemctl kill -q --signal=SIGHUP suricata

Which produces an error:

    Failed to kill unit suricata.service: Access denied
    error: error running non-shared postrotate script for /var/log/suricata/eve.json of '/var/log/suricata/*.json'

The audit log contains the following related entry:

    type=USER_AVC msg=audit(1509555696.315:106570): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/suricata.service" cmdline="systemctl kill -q --signal=SIGHUP suricata" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

However, if I change the postrotate script so that it sends the SIGHUP signal via kill instead of systemctl, it works:

    /bin/kill -s SIGHUP "$(cat /var/run/suricata/suricata.pid)"

It seems unexpected that a SIGHUP signal from systemctl would be blocked by SELinux, but the same signal allowed from kill. I'm wondering if it's a bug with the SELinux policy, but I thought I'd run it by the community here.


Re: SELinux blocks logrotate access to systemd

Post by cherdt » 2017/11/02 19:14:29

My systemd service file defines reload as sending a SIGHUP via kill:

    ExecReload=/bin/kill -HUP $MAINPID

SELinux is perfectly fine with the postrotate script running this:

    systemctl reload suricata

I'm guessing that SELinux is doing the right thing here, and it's suricata that is doing something non-standard with SIGHUP. I found a page on SELinux systemd access control that says Reload and Stop use different access checks.
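As an added example for the denial discussed in this thread (this is not code from the thread, from suricata or from the logrotate project), the POSIX shell script below pulls the denied permission and the source/target contexts out of the USER_AVC line posted above, maps systemctl verbs to the permission systemd checks on the service class, and prints both ways of resolving the problem: a postrotate that uses systemctl reload (the verb the thread found to be permitted), and the local policy module that audit2allow would generate if you really wanted systemctl kill to work from logrotate_t. Assumptions: the verb-to-permission table is written from my reading of systemd's D-Bus unit access checks (kill and stop check "stop", reload checks "reload", start/restart/try-restart check "start") and should be verified against your systemd version; the .te text mirrors the format audit2allow emits; the rotation options in the logrotate stanza are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): decode the USER_AVC denial above and show
# the two ways to resolve it.  Assumption: the systemctl verb -> SELinux permission
# table in systemctl_verb_perm is from my reading of systemd's D-Bus unit access
# checks; verify it against the systemd version you run.

# The USER_AVC line posted in the thread, used here as the sample input.
SAMPLE_AVC=$(cat <<'EOF'
type=USER_AVC msg=audit(1509555696.315:106570): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=0 uid=0 gid=0 path="/usr/lib/systemd/system/suricata.service" cmdline="systemctl kill -q --signal=SIGHUP suricata" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
EOF
)

# avc_perm LINE -> the first permission listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p'
}

# avc_field LINE KEY -> value of KEY=value; double quotes around the value are stripped
avc_field() {
    printf '%s\n' "$1" | sed -n \
        -e "s/.* $2=\"\([^\"]*\)\".*/\1/p" -e t \
        -e "s/.* $2=\([^ ']*\).*/\1/p"
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# systemctl_verb_perm VERB -> the "service" class permission systemd checks for that
# verb (assumed mapping, see header comment).  This is why "systemctl kill" is denied
# with { stop } while "systemctl reload" goes through: they are different permissions.
systemctl_verb_perm() {
    case "$1" in
        start|restart|try-restart) echo start ;;
        stop|kill)                 echo stop ;;
        reload)                    echo reload ;;
        *) echo unknown; return 1 ;;
    esac
}

# avc_to_te LINE MODULE -> minimal local policy module source in the form audit2allow(1)
# produces.  Build and load with:
#   checkmodule -M -m -o MODULE.mod MODULE.te && semodule_package -o MODULE.pp -m MODULE.mod && semodule -i MODULE.pp
# Before adding anything, confirm what the installed policy already grants:
#   sesearch -A -s logrotate_t -t systemd_unit_file_t -c service
avc_to_te() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perm "$1")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\nallow %s %s:%s %s;\n' \
        "$2" "$s" "$t" "$c" "$p" "$s" "$t" "$c" "$p"
}

# logrotate_snippet -> an /etc/logrotate.d/suricata stanza that uses the verb logrotate_t
# is already allowed (reload, which the unit's ExecReload turns into the same SIGHUP).
# Rotation options are illustrative.
logrotate_snippet() {
    cat <<'EOF'
/var/log/suricata/*.json {
    daily
    rotate 7
    missingok
    notifempty
    postrotate
        /bin/systemctl reload suricata >/dev/null 2>&1 || true
    endscript
}
EOF
}

echo "denied: $(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)") -> $(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)"):$(avc_field "$SAMPLE_AVC" tclass) { $(avc_perm "$SAMPLE_AVC") }"
echo "command: $(avc_field "$SAMPLE_AVC" cmdline)"
echo "systemctl kill checks '$(systemctl_verb_perm kill)', systemctl reload checks '$(systemctl_verb_perm reload)'"
echo
echo "# Option 1: change the postrotate (preferred, no policy change):"
logrotate_snippet
echo
echo "# Option 2: local policy module, equivalent to audit2allow output:"
avc_to_te "$SAMPLE_AVC" logrotate_suricata
```

The allow rule in option 2 is broader than it looks: suricata.service has no policy type of its own, so it carries the generic systemd_unit_file_t label, and the rule lets logrotate_t stop every unit with that label, not just suricata. Switching the postrotate to systemctl reload stays inside what the logrotate policy already grants, which is the least-privilege answer.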
