0 Replies Latest reply on Nov 23, 2015 9:42 AM by muddyselene

    VirusScan Apache log directories installed with wrong SELinux context

    muddyselene

      I have deployed VirusScan Enterprise for Linux from my ePO to a Red Hat Enterprise Linux Server 6.5 64-bit client.  This client has SELinux in 'Enforcing' mode.  The deployment has created the directory /var/opt/NAI/LinuxShield/log/apache.  It has also created the logrotate configuration file /etc/logrotate.d/nailswebd.  The latter sets up a daily log rotation of 4 files in that Apache logs directory.  Each time the log rotation runs, I get the following error message in /var/log/messages:

       

      logrotate: ALERT exited abnormally with [1]

       

      I have found a Red Hat knowledgebase article (I am getting 'logrotate: ALERT exited abnormally with [1]' messages in logs when SELinux is in the Enforcing mode - Red …) that discusses this situation generally (i.e. not in the context of McAfee).  The problem appears to be that SELinux allows logrotate to get attributes of log files only where the context is var_log_t, whilst the directory /var/opt/NAI/LinuxShield/log/apache is created with context var_t.  The solution given by Red Hat is to use the semanage command to make a change of context persist across reboots. I found I needed to install this command by using yum to install the package policycoreutils-python.  I ran the following commands:

       

      semanage fcontext -a -t var_log_t '/var/opt/NAI/LinuxShield/log/apache(/.*)?'

      cat /etc/selinux/targeted/contexts/files/file_contexts.local # To check

      restorecon -Frvv /var/opt/NAI/LinuxShield/log/apache

       

      This did the trick: logrotate no longer generates errors. 

       

      There is also a McAfee knowledgebase article (McAfee KnowledgeBase -) that touches on this: it provides a solution of changing the ownership of the offending logs directory every time the McAfee Apache installation is started (but in a configuration file and directory path which currently doesn't even exist!), and of getting logrotate to su to user nails to rotate its logs.  I have to say this solution (which I've not tried) looks decidedly clunky. 

       

      My questions are:

      Which is the better method to handle this? 

      Is there a bug raised for this?  [Having done a nice, automatic deployment of VirusScan to multiple clients, it is a pain to have to go round each one of them to implement a workaround!] 

      Wouldn't the best solution be for McAfee to redesign things such that this logs directory falls within /var/log, where it will simply inherit the correct SELinux context (I believe) - and make it easier for us to find its log files, into the bargain?
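
The semanage/restorecon fix described in the post above, wrapped as an idempotent check that can be pushed to each client. This is an added example, not part of the original post and not McAfee or Red Hat code; the function names and the `--apply` argument are assumptions made for illustration, while the directory and the var_log_t type are the ones given in the post.

```shell
#!/bin/sh
# Added example: check the SELinux type of the log directory and fix it if wrong.
LOG_DIR='/var/opt/NAI/LinuxShield/log/apache'   # directory named in the post
WANT_TYPE='var_log_t'                           # type logrotate is allowed to read

# Print the type field (third colon-separated field) of a context
# string such as "system_u:object_r:var_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only if the given context string carries the wanted type.
context_ok() {
    [ "$(selinux_type "$1")" = "$WANT_TYPE" ]
}

# Label one directory tree; does nothing if it is absent or already correct.
fix_log_context() {
    dir=$1
    [ -d "$dir" ] || { echo "skip: $dir not present"; return 0; }
    ctx=$(stat -c %C "$dir") || return 1        # %C = SELinux context (GNU stat)
    if context_ok "$ctx"; then
        echo "ok: $dir is $ctx"
        return 0
    fi
    echo "fixing: $dir is $ctx"
    # 'semanage fcontext -a' fails when the rule already exists,
    # so fall back to '-m' to modify the existing rule.
    semanage fcontext -a -t "$WANT_TYPE" "${dir}(/.*)?" 2>/dev/null ||
        semanage fcontext -m -t "$WANT_TYPE" "${dir}(/.*)?" || return 1
    restorecon -Frvv "$dir"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    fix_log_context "$LOG_DIR"
fi
```

Run it as root with `--apply` on each client; it needs the policycoreutils-python package mentioned in the post for semanage.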