Re: Strange denials
Not had a detailed look, but the logfile config looks like it opens in
append mode:
In config/cobbler/logging_config.conf:
[handler_FileLogger]
class=FileHandler
level=DEBUG
formatter=formatter
args=('/var/log/cobbler/cobbler.log', 'a')
On Sun, 2020-10-25 at 13:07 -0600, Orion Poplawski wrote:
Phil -
Thanks for the pointer. It looks like cobbler is doing the
following
check:
LOG_FILE = "/var/log/cobbler/cobbler.log"
if os.access(LOG_FILE, os.W_OK):
and it looks like this access() check triggers the write denial. I'm
having difficulty finding a check just for append access. Any ideas?
Orion
On 10/24/20 10:33 PM, 1966phils(a)gmail.com wrote:
> Hi,
>
> From the policy it looks like cobbler should only be allowed to
> "append" to the log file and not "write" (overwrite) it:
>
> allow daemon logfile:file { append getattr ioctl lock };
>
> So the question is, why is cobbler doing something other than
> appending
> to its log?
>
> Cheers
> Phil
>
> On Sat, 2020-10-24 at 21:27 -0600, Orion Poplawski wrote:
> > I'm seeing the following on my Rawhide VM:
> >
> > type=AVC msg=audit(1603594049.879:534): avc: denied { write }
> > for
> > pid=1073 comm="cobblerd" name="cobbler.log"
dev="dm-0" ino=663024
> > scontext=system_u:system_r:cobblerd_t:s0
> > tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file
> > permissive=0
> >
> >
> > This makes no sense to me. sesearch seems to indicate that this
> > should
> > be allowed (as you would expect):
> >
> > # sesearch -s cobblerd_t -t cobbler_var_log_t --allow
> > allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl
> > lock
> > open search write };
> > allow cobblerd_t cobbler_var_log_t:file { create open read
> > setattr };
> > allow cobblerd_t file_type:filesystem getattr;
> > allow daemon logfile:file { append getattr ioctl lock };
> > allow domain file_type:blk_file map; [ domain_can_mmap_files
> > ]:True
> > allow domain file_type:chr_file map; [ domain_can_mmap_files
> > ]:True
> > allow domain file_type:file map; [ domain_can_mmap_files ]:True
> > allow domain file_type:lnk_file map; [ domain_can_mmap_files
> > ]:True
> >
> > selinux-policy-3.14.7-6.fc34.noarch
> > 5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64
> >
> > What am I missing?
> >
> > _______________________________________________
> > selinux mailing list -- selinux(a)lists.fedoraproject.org
> > To unsubscribe send an email to
> > selinux-leave(a)lists.fedoraproject.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to
> selinux-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
>