Bug 441736 - app-admin/mcelog-1.0_pre3 & sec-policy/selinux-mcelog-2.20120725-r6: default cron cannot append logfile
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal minor
Assignee: SE Linux Bugs
Reported: 2012-11-04 12:49 UTC by Vincent Brillault
Modified: 2012-11-07 20:24 UTC (History)
Description Vincent Brillault 2012-11-04 12:49:12 UTC
app-admin/mcelog-1.0_pre3 comes with a default daily cron. This cron executes the following code: 
'/usr/sbin/mcelog --ignorenodev --filter | sed "s,^,$header,g" >> /var/log/mcelog'

This results in the following AVC:
avc:  denied  { append } for  pid=20293 comm="mcelog" name="mcelog" dev="sda1" ino=573231 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:mcelog_log_t tclass=file

There is a bunch of SELinux booleans but I didn't find any that would solve this problem. Wouldn't it be safe to add the following rule?
append_files_pattern(system_cronjob_t, mcelog_log_t, mcelog_log_t)

The other solution would be to change the default cron, using the --logfile option or the --syslog, but that would change the default behaviour.
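
Added example, not part of the original report and not Gentoo or SELinux project code: a Python parser that reads AVC denials like the one quoted above and derives the narrowest allow rule they imply, so a proposed policy change can be checked against what was actually denied. The first sample line is the denial from the report; the second is constructed for this example, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First line: the denial quoted in the report. Second line: constructed for this
# example (MLS level on the contexts, different permission) to exercise merging.
SAMPLE_LOG = (
    'avc:  denied  { append } for  pid=20293 comm="mcelog" name="mcelog" '
    'dev="sda1" ino=573231 scontext=system_u:system_r:system_cronjob_t '
    'tcontext=system_u:object_r:mcelog_log_t tclass=file\n'
    'avc:  denied  { getattr } for  pid=20294 comm="mcelog" name="mcelog" '
    'dev="sda1" ino=573231 scontext=system_u:system_r:system_cronjob_t:s0 '
    'tcontext=system_u:object_r:mcelog_log_t:s0 tclass=file\n'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not a usable AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    perms = set(m.group(1).split())
    try:
        # A context is user:role:type[:mls-range]; policy rules use the type.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    if not perms:
        return None
    return {"source": source, "target": target, "tclass": tclass,
            "perms": perms, "comm": fields.get("comm")}


def minimal_rules(log_text):
    """Merge denials per (source, target, class) into the narrowest allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            merged[(avc["source"], avc["target"], avc["tclass"])] |= avc["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules
```

Comparing this output with what a proposed macro expands to shows whether the macro grants more than the logged denials require.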
Comment 1 Vincent Brillault 2012-11-07 20:24:09 UTC
I just switched to the unstable version of mcelog, which introduces an init script for the mcelog daemon. The mcelog daemon has the rights to append to this log, thus the bug doesn't exist.

The mcelog cron system seems to be somehow deprecated, thus it is probably unnecessary to modify the policy. Sorry for the trouble.