| Summary: | sec-policy/selinux-logwatch lacks correct fcontext | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Stan Sander <stsander> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | alunduil, selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r6 | | |
| Package list: | | Runtime testing required: | --- |
Description
Stan Sander
2012-10-18 19:42:57 UTC
I'm guessing this is due to a move of the executable to /usr/sbin/logwatch.pl. The current policies show that this script is expected in /usr/share/logwatch/scripts/logwatch\.pl:

```
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
```

Full:

```
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/lock/logcheck.* gen_context(system_u:object_r:logwatch_lock_t,s0)
/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)
```

The full filecontext file shows that there is no rule in the logwatch.fc policy covering /usr/sbin/logwatch.pl.

Should we change the policy to include both locations or simply update it to have the new location?

Just adding the context to it should be sufficient; we'll need to "support" some form of backwards compatibility anyhow. I've sent it upstream, and since it's a contrib module it'll get in rather quickly.

Merged upstream, will be in r6

In hardened-dev, r6 release

In main tree, ~arch'ed

r8 is now stable
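The coverage gap reported in this thread, as an added example (not part of the bug discussion or of the policy's own tooling): a small Python matcher over the logwatch.fc entries quoted in the report. It models only this module's entries, returns the first match instead of applying libselinux's specificity ordering, and the extra entry for /usr/sbin/logwatch.pl is an assumed form of the fix, since the merged line is not shown on the page.

```python
import re

# File-context entries copied from the logwatch.fc listing in the report.
LOGWATCH_FC = r"""
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/lock/logcheck.* gen_context(system_u:object_r:logwatch_lock_t,s0)
/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0)
"""

# Assumption: an added entry for the new location, written in the style of
# the existing ones. The line actually merged upstream is not on the page.
ASSUMED_FIX = r"/usr/sbin/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t,s0)"
NEW_PATH = "/usr/sbin/logwatch.pl"

# <path regex> [<file type flag>] gen_context(<context>,<level>)
ENTRY = re.compile(r"^(\S+)\s+(?:(-[-dbclsp])\s+)?gen_context\(\s*([^,\s]+)\s*,[^)]*\)$")

def parse_fc(text):
    """Parse .fc lines into (compiled regex, file type flag or None, context)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unparsable fc line: {line!r}")
        pattern, ftype, context = m.groups()
        entries.append((re.compile(pattern), ftype, context))
    return entries

def lookup(entries, path, ftype="--"):
    """Context of the first entry whose regex matches the whole path, else None."""
    for regex, etype, context in entries:
        # An entry without a flag applies to any file type; "--" is a regular file.
        if etype in (None, ftype) and regex.fullmatch(path):
            return context
    return None

def demo():
    """Label for the new script location before and after the assumed entry."""
    before = parse_fc(LOGWATCH_FC)
    after = parse_fc(LOGWATCH_FC + ASSUMED_FIX + "\n")
    return lookup(before, NEW_PATH), lookup(after, NEW_PATH)
```

A `None` result here means only that this module assigns no label; on a live system `matchpathcon /usr/sbin/logwatch.pl` reports the context chosen across the whole loaded policy.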