There is some hard-coded logic in libsandbox that causes access failures when a process tries to read /var/log/sandbox. https://gitweb.gentoo.org/proj/sandbox.git/tree/libsandbox/libsandbox.c?h=v2.24#n717 The associated comment mentions denying writes (not reads), so this read-denial behavior seems like a mistake.
Created attachment 714660
libsandbox: adjust hard-coded denial for /var/log/sandbox

I think this will do the trick.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/sandbox.git/commit/?id=96374d9bff64bcee64340f6572cca9f1cc3f696d

commit 96374d9bff64bcee64340f6572cca9f1cc3f696d
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-06-08 15:08:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-09-07 15:31:07 +0000

    libsandbox: adjust hard-coded denial for /var/log/sandbox

    Move this hack after the read checks, but before the write checks.
    This allows processes to read the log directory, but not write to it.

    This is helpful in case a process does something like this:

    find /var/log -name system.journal

    Bug: https://bugs.gentoo.org/794949
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
    Closes: https://bugs.gentoo.org/794949
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 libsandbox/libsandbox.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
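The ordering change the commit message describes (deny rule moved after the read checks but before the write checks) is easy to get wrong, so here is an added example that models it in a few lines of C. This is not libsandbox's code: the function names, the read and write policies and the sample paths are assumptions made for illustration only; the one value taken from the page is the protected directory /var/log/sandbox. It shows why a hard-coded deny placed ahead of the read checks rejects reads as well as writes, and why moving it between the read and write checks restricts it to writes.

```c
/* Added example (not libsandbox code): a simplified model of the access-check
 * ordering described in the commit message. Everything below except the
 * protected directory name is a hypothetical stand-in. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LOG_DIR "/var/log/sandbox"   /* directory the hard-coded rule protects (from the page) */

typedef enum { OP_READ = 0, OP_WRITE = 1 } sb_op;

/* Hypothetical helper: is `path` LOG_DIR itself or something beneath it?
 * The trailing-separator check keeps "/var/log/sandboxes" from matching. */
static bool under_log_dir(const char *path)
{
    size_t n = strlen(LOG_DIR);
    if (strncmp(path, LOG_DIR, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Hypothetical read policy: in this model every path is readable. */
static bool read_allowed(const char *path)
{
    (void)path;
    return true;
}

/* Hypothetical write policy: only paths below /tmp are writable. */
static bool write_allowed(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Behaviour the bug describes: the deny rule runs before the read checks,
 * so even a plain read of the log directory is rejected. Returns 1 if allowed. */
int check_access_before_fix(const char *path, sb_op op)
{
    if (under_log_dir(path))
        return 0;                            /* rule fires first: denies reads too */
    if (op == OP_READ)
        return read_allowed(path);
    return write_allowed(path);
}

/* Behaviour after the fix: read checks first, then the deny rule, then the
 * write checks. Reads of the log directory pass; writes are still denied. */
int check_access_after_fix(const char *path, sb_op op)
{
    if (op == OP_READ)
        return read_allowed(path);           /* read checks run before the rule */
    if (under_log_dir(path))
        return 0;                            /* rule now only reaches write requests */
    return write_allowed(path);              /* remaining write checks */
}

int main(void)
{
    const char *p = LOG_DIR "/test.log";     /* constructed sample path */
    printf("before fix: read=%d write=%d\n",
           check_access_before_fix(p, OP_READ), check_access_before_fix(p, OP_WRITE));
    printf("after fix:  read=%d write=%d\n",
           check_access_after_fix(p, OP_READ), check_access_after_fix(p, OP_WRITE));
    return 0;
}
```

The read-then-rule-then-write order is what lets a directory walk such as `find /var/log` succeed while the log directory itself stays unwritable by the sandboxed process; the prefix helper's separator check matters too, otherwise a sibling directory with a longer name would be caught by the rule.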