Bug 440128

Summary: =sec-policy/selinux-*-9999 needs allowance for metalog to append cron_log_t
Product: Gentoo Linux
Reporter: Alex Brandt (RETIRED) <alunduil>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r7
Package list:
Runtime testing required: ---

Description Alex Brandt (RETIRED) gentoo-dev 2012-10-29 14:08:04 UTC
The current 9999 policies don't allow metalog access to cron's log file:

type=AVC msg=audit(1351519480.989:14323): avc:  denied  { append } for  pid=629 comm="metalog" path="/var/log/cron/current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file

Unless there is an interface from cron (which I'm not seeing) the following should be all that is required:

allow syslogd_t cron_log_t:file append;

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-29 16:07:14 UTC
Should be fixed (not only append, I tested it with syslog-ng here and when it wants to access a logfile, it needs write privileges and setattr privileges). It makes sense though to allow this for syslogd_t as it is a system logging domain.
Comment 2 Alex Brandt (RETIRED) gentoo-dev 2012-10-31 14:02:27 UTC
Looks like metalog also needs a few more privileges since it handles log rotation itself as well:

type=AVC msg=audit(1351641602.136:1580): avc:  denied  { unlink } for  pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1581): avc:  denied  { rename } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641602.136:1582): avc:  denied  { unlink } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
type=AVC msg=audit(1351641880.119:1596): avc:  denied  { read } for  pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file
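The rule proposed in the description and the further denials in this comment are both instances of the same task: turning AVC denial lines into the allow rule that would cover them. The following is an added example, not code from Gentoo or the reference policy; it does in miniature what audit2allow does, grouping denials by source type, target type and object class and emitting one rule per group. The input lines are the five denials quoted in this bug, embedded as constructed sample data.

```python
"""Derive candidate SELinux allow rules from AVC denial lines.

Added example for this bug report; it is not Gentoo's or the reference
policy's code. The sample lines below are the denials quoted in the bug.
"""
import re
from collections import defaultdict

# Constructed sample input: the five denials quoted in the report.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1351519480.989:14323): avc:  denied  { append } for  pid=629 comm="metalog" path="/var/log/cron/current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641602.136:1580): avc:  denied  { unlink } for  pid=622 comm="metalog" name="log-2012-10-25-00:00:02" dev="xvda1" ino=532655 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641602.136:1581): avc:  denied  { rename } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641602.136:1582): avc:  denied  { unlink } for  pid=622 comm="metalog" name="current" dev="xvda1" ino=532661 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
    'type=AVC msg=audit(1351641880.119:1596): avc:  denied  { read } for  pid=622 comm="metalog" name=".timestamp" dev="xvda1" ino=532664 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cron_log_t tclass=file',
]

# Matches the parts of an AVC record we need: the denied permission set,
# the optional comm= field, and the source/target contexts plus class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'(?:.*?\bcomm="(?P<comm>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def type_of(context: str) -> str:
    """Return the type field of a security context (user:role:type[:mls])."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Parse one audit line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate_denials(lines):
    """Union the denied permissions per (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        grouped[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(grouped)


def format_allow(source, target, tclass, perms):
    """Render one allow rule in policy syntax; braces only for multiple perms."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{tclass} {body};"


def derive_allow_rules(lines):
    """Return the allow rules needed to cover every denial in `lines`."""
    grouped = aggregate_denials(lines)
    return [format_allow(s, t, c, p) for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

Run on the first line alone it yields the exact rule from the description, `allow syslogd_t cron_log_t:file append;`; run on all five it yields `allow syslogd_t cron_log_t:file { append read rename unlink };`. Two caveats apply to anything produced this way: the rule only covers what has been denied so far (comment 1 shows write and setattr were also needed once the append was granted), and in reference-policy style the module that owns `cron_log_t` would export an interface for the logging module to call rather than the logging module carrying a raw allow, which is the "interface from cron" the description asks about.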
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-10 17:43:30 UTC
Ok, sent full manage rights upstream.

There was some discussion on whether or not syslog should manage non-generic log files, and there might be another solution to be found to handle this more appropriately...
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-12 21:31:48 UTC
Committed in repo (so available in live ebuilds) and will be part of r7.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 21:11:35 UTC
r7 is now in hardened-dev
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:25:57 UTC
In main tree, ~arch'ed
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:11:53 UTC
r8 is now stable