Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 852296 - sec-policy/selinux-usbguard doesn't allow access to logfile (with <sys-apps/usbguard-1.1.1-r3)
Summary: sec-policy/selinux-usbguard doesn't allow access to logfile (with <sys-apps/u...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-16 07:24 UTC by herypt
Modified: 2022-06-19 16:28 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description herypt 2022-06-16 07:24:46 UTC 
The SELinux policy assumes that the logfile for USBGuard is stored in /var/log/usbguard, but it's actually stored in /var/lib/log/usbguard

Reproducible: Always




type=AVC msg=audit(1655363620.660:467): avc:  denied  { search } for  pid=2277 comm="usbguard-daemon" name="lib" dev="sda2" ino=74106 scontext=system_u:system_r:usbguard_t tcontext=system_u:object_r:var_lib_t tclass=dir permissive=1
type=AVC msg=audit(1655363620.660:467): avc:  denied  { append } for  pid=2277 comm="usbguard-daemon" name="usbguard-audit.log" dev="sda2" ino=1502202 scontext=system_u:system_r:usbguard_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
type=AVC msg=audit(1655363620.660:467): avc:  denied  { open } for  pid=2277 comm="usbguard-daemon" path="/var/lib/log/usbguard/usbguard-audit.log" dev="sda2" ino=1502202 scontext=system_u:system_r:usbguard_t tcontext=system_u:object_r:var_lib_t tclass=file permissive=1
Comment 1 Larry the Git Cow gentoo-dev 2022-06-19 16:21:28 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74e9230d7a8008f0d80dab7ef96e0a814c501946

commit 74e9230d7a8008f0d80dab7ef96e0a814c501946
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-06-19 16:00:03 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-06-19 16:20:27 +0000

    sys-apps/usbguard: Make logs go to /var/log not /var/lib/log
    
    As discussed with concord on IRC.
    Bug: https://bugs.gentoo.org/852296
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 sys-apps/usbguard/usbguard-1.1.1-r3.ebuild | 99 ++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)