The current 9999 policies don't allow metalog access to cron's log file:

type=AVC msg=audit(1351519480.989:14323): avc: denied { append } for pid=629 comm="metalog" path="/var/log/cron/current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file

Unless there is an interface from cron (which I'm not seeing) the following should be all that is required:

allow syslogd_t cron_log_t:file append;

Reproducible: Always
Should be fixed (not only append, I tested it with syslog-ng here and when it wants to access a logfile, it needs write privileges and setattr privileges). It makes sense though to allow this for syslogd_t as it is a system logging domain.
Looks like metalog also needs a few more privileges since it handles log rotation itself as well:

type=AVC msg=audit(1351641602.136:1580): avc: denied { unlink } for pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1581): avc: denied { rename } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1582): avc: denied { unlink } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641880.119:1596): avc: denied { read } for pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
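Added worked example (not code from this bug, from metalog, or from the Gentoo policy): a small audit2allow-style script that parses the AVC records quoted in the two comments above, collapses them per (source type, target type, class) into a single allow rule, and checks the collected permission set against refpolicy's manage_file_perms macro. The sample lines are copied from the thread as constructed input; the function and variable names are this example's own.

```python
"""Minimal audit2allow-style aggregation of SELinux AVC denials.

Added example for this thread; not part of any tool or policy mentioned in
the bug. SAMPLE_DENIALS are the records quoted in the comments above,
embedded here as constructed sample input.
"""
import re
from collections import defaultdict

# Fields we need from a kernel AVC audit record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# refpolicy's manage_file_perms set (support/obj_perm_sets.spt); a
# manage_files_pattern() grant covers exactly these file permissions.
MANAGE_FILE_PERMS = frozenset(
    "create open getattr setattr read write append rename link unlink ioctl lock".split()
)

SAMPLE_DENIALS = [
    'type=AVC msg=audit(1351519480.989:14323): avc: denied { append } for pid=629 comm="metalog" path="/var/log/cron/current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641602.136:1580): avc: denied { unlink } for pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641602.136:1581): avc: denied { rename } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641602.136:1582): avc: denied { unlink } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641880.119:1596): avc: denied { read } for pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
]


def parse_avc(line):
    """Return (scontext, tcontext, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (m.group("scontext"), m.group("tcontext"), m.group("tclass"),
            frozenset(m.group("perms").split()))


def selinux_type(context):
    """user:role:type[:range] -> type (the MLS range, if any, is ignored)."""
    return context.split(":")[2]


def collect_rules(lines):
    """Aggregate denials into {(source_type, target_type, class): perms}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        scontext, tcontext, tclass, perms = parsed
        rules[(selinux_type(scontext), selinux_type(tcontext), tclass)].update(perms)
    return {key: frozenset(perms) for key, perms in rules.items()}


def format_rule(key, perms):
    """Render one aggregated entry as a raw TE allow rule."""
    src, tgt, cls = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"


def uncovered_by_manage(perms):
    """Permissions that a manage_files_pattern() grant would NOT cover."""
    return frozenset(perms) - MANAGE_FILE_PERMS


if __name__ == "__main__":
    for key, perms in sorted(collect_rules(SAMPLE_DENIALS).items()):
        print(format_rule(key, perms))
        extra = uncovered_by_manage(perms)
        print("  covered by manage_file_perms" if not extra
              else f"  NOT covered by manage_file_perms: {sorted(extra)}")
```

Run on the five denials above this prints `allow syslogd_t cron_log_t:file { append read rename unlink };` and reports that the set is covered by manage_file_perms. The caveat a policy writer should keep in mind: a denial-driven rule only captures what the daemon has been denied so far, so the first pass (append only) was under-permissive, and each rotation surfaced a new permission; that is why granting the full manage set is the stable answer, and in refpolicy such a grant belongs in an interface of the cron module rather than as a raw allow rule in the syslog module.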
Ok, send full manage rights upstream. There was some discussion on whether or not syslog should manage non-generic log files, and there might be another solution to be found to handle this more appropriately...
Committed in repo (so available in live ebuilds) and will be part of r7.
r7 is now in hardened-dev
In main tree, ~arch'ed
r8 is now stable