Summary: | sandbox logging is disabled in enforcing mode | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | VERIFIED FIXED | ||
Severity: | normal | CC: | selinux |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | sec-policy r8 | ||
Package list: | | Runtime testing required: | --- |
Description
Amadeusz Sławiński
2012-11-14 20:50:36 UTC
I think I got it (created a lot of links to one file with var_log_t context after restorecon).

Enforcing:

Nov 14 23:46:53 lain kernel: [49948.096304] type=1400 audit(1352933213.845:1496): avc: denied { write } for pid=742 comm="sandbox" name="sandbox" dev="dm-0" ino=2490386 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=system_u:object_r:var_log_t tclass=dir

Permissive:

Nov 14 23:47:12 lain kernel: [49966.622178] type=1400 audit(1352933232.408:1498): avc: denied { write } for pid=877 comm="sandbox" name="sandbox" dev="dm-0" ino=2490386 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=system_u:object_r:var_log_t tclass=dir
Nov 14 23:47:12 lain kernel: [49966.622201] type=1400 audit(1352933232.408:1499): avc: denied { remove_name } for pid=877 comm="sandbox" name="sandbox-877.log" dev="dm-0" ino=2492418 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=system_u:object_r:var_log_t tclass=dir
Nov 14 23:47:12 lain kernel: [49966.622220] type=1400 audit(1352933232.408:1500): avc: denied { unlink } for pid=877 comm="sandbox" name="sandbox-877.log" dev="dm-0" ino=2492418 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:var_log_t tclass=lnk_file

Probably needs a separate type (either sandbox_log_t or portage_sandbox_log_t, depends a bit) as it seems to be very isolated (and specific).

When SELinux is running in enforcing mode, any sandbox-trapped failures are not properly logged inside /var/log/sandbox. This means we need to allow this (as it is an important source for debugging).

I *might* have a file transition towards portage_log_t if portage_sandbox_t writes inside a var_log_t, although I would like /var/log/sandbox to be something like sandbox_log_t. But then that means I'll need to have a sandbox module (which doesn't exist yet). Or I have it marked as portage_log_t, but that means that other applications using sandbox might suddenly not be able to write to this location. So the first thought is probably the best one to pick for now.
Should be fixed in repo, will be in r8

r8 in hardened-dev overlay

r8 is now in main tree, ~arch

r8 is now stable
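The bug report quotes the same operation under enforcing and permissive mode, and the two traces differ: enforcing shows only the first denied `write`, because once that fails the sandbox never reaches the `remove_name`/`unlink` steps, whereas permissive records the whole chain. The script below is an added example (it is not code from the bug, from Gentoo, or from the sec-policy package) that reduces AVC denials to the allow rules they literally ask for, in the manner of audit2allow, and reports which rules the enforcing-mode trace hides. The sample lines are copied from the report; the function and variable names are this example's own. Note that the rendered rules target the generic var_log_t type, which is exactly what the thread argues against: a real fix uses a file transition to a dedicated log type rather than opening var_log_t to portage_sandbox_t.

```python
"""Reduce SELinux AVC denials to candidate allow rules (audit2allow style).

Added example, not part of the Gentoo bug or its policy fix.  Demonstrates
why a policy change should be derived from a permissive-mode trace: in
enforcing mode the first denial aborts the operation, so later denials in
the same chain never appear.
"""
import re
from collections import defaultdict

# Matches the kernel AVC line format quoted in the report.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Sample input: the denials quoted in the bug (enforcing vs. permissive).
ENFORCING = [
    'Nov 14 23:46:53 lain kernel: [49948.096304] type=1400 audit(1352933213.845:1496): '
    'avc: denied { write } for pid=742 comm="sandbox" name="sandbox" dev="dm-0" ino=2490386 '
    'scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=system_u:object_r:var_log_t tclass=dir',
]
PERMISSIVE = [
    'Nov 14 23:47:12 lain kernel: [49966.622178] type=1400 audit(1352933232.408:1498): '
    'avc: denied { write } for pid=877 comm="sandbox" name="sandbox" dev="dm-0" ino=2490386 '
    'scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=system_u:object_r:var_log_t tclass=dir',
    'Nov 14 23:47:12 lain kernel: [49966.622201] type=1400 audit(1352933232.408:1499): '
    'avc: denied { remove_name } for pid=877 comm="sandbox" name="sandbox-877.log" dev="dm-0" ino=2492418 '
    'scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=system_u:object_r:var_log_t tclass=dir',
    'Nov 14 23:47:12 lain kernel: [49966.622220] type=1400 audit(1352933232.408:1500): '
    'avc: denied { unlink } for pid=877 comm="sandbox" name="sandbox-877.log" dev="dm-0" ino=2492418 '
    'scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:var_log_t tclass=lnk_file',
]


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(lines):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial found."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC line; ignore
        perms = frozenset(m.group("perms").split())
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"), perms)


def needed_rules(lines):
    """Group denials by (source type, target type, class) -> set of permissions.

    The SELinux user (staff_u vs. system_u) is deliberately dropped: type
    enforcement rules are written per type, not per user.
    """
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(lines):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render(rules):
    """Render grouped denials as allow rules in policy source syntax."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


def hidden_by_enforcing(enforcing_lines, permissive_lines):
    """Permissions the permissive trace shows that the enforcing trace does not."""
    enf = needed_rules(enforcing_lines)
    perm = needed_rules(permissive_lines)
    hidden = {}
    for key, perms in perm.items():
        missing = perms - enf.get(key, set())
        if missing:
            hidden[key] = missing
    return hidden


if __name__ == "__main__":
    print("enforcing-mode trace asks for:")
    print("\n".join(render(needed_rules(ENFORCING))))
    print("permissive-mode trace asks for:")
    print("\n".join(render(needed_rules(PERMISSIVE))))
    print("hidden by enforcing mode:", hidden_by_enforcing(ENFORCING, PERMISSIVE))
```

Run it as a script to see the two rule sets side by side. The `hidden_by_enforcing` result is the practical caveat: a policy written from the enforcing trace alone would allow `write` on the directory and still leave the log rotation (`remove_name`, `unlink`) broken.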