| Summary: | app-admin/mcelog-1.0_pre3 & sec-policy/selinux-mcelog-2.20120725-r6: default cron cannot append logfile | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Vincent Brillault <gentoo> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | RESOLVED INVALID | | |
| Severity: | minor | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

I just switched to the unstable version of mcelog, which introduces an init script for the mcelog daemon. The mcelog daemon has the rights to append to this log, thus the bug doesn't exist. The mcelog cron system seems to be somehow deprecated, thus it is probably unnecessary to modify the policy. Sorry for the trouble.

app-admin/mcelog-1.0_pre3 comes with a default daily cron. This cron executes the following code:

    /usr/sbin/mcelog --ignorenodev --filter | sed "s,^,$header,g" >> /var/log/mcelog

This results in the following AVC:

    avc: denied { append } for pid=20293 comm="mcelog" name="mcelog" dev="sda1" ino=573231 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:mcelog_log_t tclass=file

There is a bunch of SELinux booleans but I didn't find any that would solve this problem. Wouldn't it be safe to add the following rule?

    append_files_pattern(system_cronjob_t, mcelog_log_t, mcelog_log_t)

The other solution would be to change the default cron, using the --logfile option or the --syslog, but that would change the default behaviour.
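
For triaging denials like the one quoted in this report, the following added example (not part of the original bug report or of any Gentoo or SELinux tool) parses AVC lines and groups the denied permissions by source type, target type and object class. The function names are hypothetical; the first sample line is the denial from the report, the other two are constructed.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the report, lines 2-3 are constructed.
SAMPLE = [
    'avc: denied { append } for pid=20293 comm="mcelog" name="mcelog" dev="sda1" '
    'ino=573231 scontext=system_u:system_r:system_cronjob_t '
    'tcontext=system_u:object_r:mcelog_log_t tclass=file',
    'avc: denied { getattr open } for pid=20294 comm="mcelog" name="mcelog" dev="sda1" '
    'ino=573231 scontext=system_u:system_r:system_cronjob_t:s0 '
    'tcontext=system_u:object_r:mcelog_log_t:s0 tclass=file',
    'cron[20290]: (root) CMD (run-parts /etc/cron.daily)',  # not an AVC, skipped
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    return fields

def context_type(context):
    """Extract the type from user:role:type[:mls-range]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]

def summarize_denials(lines):
    """Map (source type, target type, class) to the sorted denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue  # truncated record, cannot be attributed
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        summary[key].update(rec['perms'])
    return {k: sorted(v) for k, v in summary.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize_denials(SAMPLE).items():
        print('%s -> %s:%s { %s }' % (src, tgt, cls, ' '.join(perms)))
```

Grouping by type rather than by full context shows at a glance which domain is being denied which access, which is the information needed to decide between a policy change and changing how the job writes its log.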