Bug 440128 - =sec-policy/selinux-*-9999 needs allowance for metalog to append cron_log_t
Summary: =sec-policy/selinux-*-9999 needs allowance for metalog to append cron_log_t
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r7
Reported: 2012-10-29 14:08 UTC by Alex Brandt (RETIRED)
Modified: 2012-12-13 10:11 UTC (History)
Description Alex Brandt (RETIRED) gentoo-dev 2012-10-29 14:08:04 UTC
The current 9999 policies don't allow metalog access to cron's log file:

type=AVC msg=audit(1351519480.989:14323): avc:  denied  { append } for  pid=629 comm="metalog" path="/var/log/cron/current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file

Unless there is an interface from cron (which I'm not seeing) the following should be all that is required:

allow syslogd_t cron_log_t:file append;

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-29 16:07:14 UTC
Should be fixed (not only append, I tested it with syslog-ng here and when it wants to access a logfile, it needs write privileges and setattr privileges). It makes sense though to allow this for syslogd_t as it is a system logging domain.
Comment 2 Alex Brandt (RETIRED) gentoo-dev 2012-10-31 14:02:27 UTC
Looks like metalog also needs a few more privileges since it handles log rotation itself as well:

type=AVC msg=audit(1351641602.136:1580): avc:  denied  { unlink } for  pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1581): avc:  denied  { rename } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1582): avc:  denied  { unlink } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641880.119:1596): avc:  denied  { read } for  pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
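The rule in the report was derived by reading one denial by hand; the later denials show how that approach accretes a permission at a time. The following is an added example, not code from this bug or from the Gentoo policy repository: it parses AVC records the way audit2allow does, collapses them per (source type, target type, class), emits the resulting allow rules, and flags the case where the permissions touch an object's existence (unlink/rename/create), for which refpolicy grants the whole manage set with its manage_files_pattern macro instead of enumerating permissions. The sample input is the five denials quoted above; the function and variable names are this example's own.

```python
"""Aggregate SELinux AVC denials into allow rules (audit2allow-style)."""
import re
from collections import defaultdict

# Fields of an AVC record.  Contexts are user:role:type[:level]; only the
# type component is needed for a type-enforcement rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# refpolicy's manage_file_perms set (policy/support/obj_perm_sets.spt).
MANAGE_FILE_PERMS = frozenset(
    "create open getattr setattr read write append rename link unlink ioctl lock".split()
)

# Constructed sample input: the denials quoted in this bug, verbatim.
SAMPLE_AVCS = """\
type=AVC msg=audit(1351519480.989:14323): avc:  denied  { append } for  pid=629 comm="metalog" path="/var/log/cron/current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1580): avc:  denied  { unlink } for  pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1581): avc:  denied  { rename } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1582): avc:  denied  { unlink } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641880.119:1596): avc:  denied  { read } for  pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
"""


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into (source type, target type, class, {perms}); None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = set(m.group("perms").split())
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"), perms)


def aggregate(lines):
    """Union the denied permissions per (source, target, class) triple."""
    agg = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            agg[(src, tgt, cls)] |= perms
    return dict(agg)


def render_rules(agg):
    """Emit one allow rule per triple, permissions sorted and deduplicated."""
    rules = []
    for (src, tgt, cls), perms in sorted(agg.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def suggest_pattern(agg):
    """Flag file-class triples whose denials include create/rename/unlink.

    A domain that creates, renames or removes files of a type is managing
    them; refpolicy style is manage_files_pattern(domain, dirtype, filetype)
    rather than a hand-grown allow list that will keep producing denials.
    """
    suggestions = []
    for (src, tgt, cls), perms in sorted(agg.items()):
        if cls == "file" and perms & {"create", "rename", "unlink"} and perms <= MANAGE_FILE_PERMS:
            suggestions.append(f"manage_files_pattern({src}, {tgt}, {tgt})")
    return suggestions


if __name__ == "__main__":
    denials = aggregate(SAMPLE_AVCS.splitlines())
    for rule in render_rules(denials):
        print(rule)
    for hint in suggest_pattern(denials):
        print("# consider:", hint)
```

On the five records above this yields a single rule, `allow syslogd_t cron_log_t:file { append read rename unlink };`, plus the hint to use `manage_files_pattern(syslogd_t, cron_log_t, cron_log_t)`, which also grants the rw_dir_perms on the directory type that a rotating logger needs; the first record alone reproduces the `append`-only rule from the report. Only file-class denials are considered for the pattern suggestion; dir-class denials are rendered as plain allow rules.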
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-10 17:43:30 UTC
Ok, sent full manage rights upstream.

There was some discussion on whether or not syslog should manage non-generic log files, and there might be another solution to be found to handle this more appropriately...
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-12 21:31:48 UTC
Committed in repo (so available in live ebuilds) and will be part of r7.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 21:11:35 UTC
r7 is now in hardened-dev
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:25:57 UTC
In main tree, ~arch'ed
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:11:53 UTC
r8 is now stable