| Summary: | =sec-policy/selinux-*-9999 needs allowance for metalog to append cron_log_t | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alex Brandt (RETIRED) <alunduil> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r7 | | |
| Package list: | | Runtime testing required: | --- |
Description
Alex Brandt (RETIRED)
2012-10-29 14:08:04 UTC
Should be fixed (not only append, I tested it with syslog-ng here and when it wants to access a logfile, it needs write privileges and setattr privileges). It makes sense though to allow this for syslogd_t as it is a system logging domain.

Looks like metalog also needs a few more privileges since it handles logrotation itself as well:

```
type=AVC msg=audit(1351641602.136:1580): avc: denied { unlink } for pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1581): avc: denied { rename } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1582): avc: denied { unlink } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641880.119:1596): avc: denied { read } for pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
```

Ok, send full manage rights upstream. There was some discussion on whether or not syslog should manage non-generic log files, and there might be another solution to be found to handle this more appropriately...

Committed in repo (so available in live ebuilds) and will be part of r7.

r7 is now in hardened-dev

In main tree, ~arch'ed

r8 is now stable
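As an added example, not part of this bug report or of the Gentoo sec-policy packages: a small Python parser that collapses AVC denials like the ones quoted above into the permission set per (source type, target type, object class) and renders an audit2allow-style raw `allow` rule. That summary is what a policy maintainer looks at before deciding between a narrow rule covering only the observed permissions and, as was done for this bug, the broader refpolicy "manage" interface that also covers the create/write/setattr a log rotator needs. The sample input is the four denials from the report plus one constructed non-AVC audit record to show it is skipped; the function names are mine.

```python
import re
from collections import defaultdict

# Sample audit input: the four AVC lines quoted in the bug report, plus one
# constructed SYSCALL record (not from the report) that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1351641602.136:1580): avc: denied { unlink } for pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=SYSCALL msg=audit(1351641602.136:1580): arch=c000003e syscall=87 success=no exit=-13 comm="metalog" exe="/usr/sbin/metalog"
type=AVC msg=audit(1351641602.136:1581): avc: denied { rename } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1582): avc: denied { unlink } for pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641880.119:1596): avc: denied { read } for pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
"""

# Matches the fields of a kernel AVC denial: the braced permission list,
# the command name, and the source/target security contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse every AVC denial in an audit log excerpt; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": m.group("perms").split(),
            "comm": m.group("comm"),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def summarize(records):
    """Collapse denials into (source type, target type, class) -> sorted permission list."""
    needed = defaultdict(set)
    for r in records:
        needed[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {key: sorted(perms) for key, perms in needed.items()}


def allow_rules(summary):
    """Render each aggregate as a raw TE allow rule (what audit2allow would print)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(summarize(parse_avc(SAMPLE_AUDIT))):
        print(rule)
```

Running it prints a single rule, `allow syslogd_t cron_log_t:file { read rename unlink };`. Note that this is only what the log shows so far: rotation also creates, writes and changes attributes on the files, which is why the report ends up sending full manage rights upstream rather than the three observed permissions.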