9:50 a.m.
Hello everybody,
every night cron calls epylog and it launches links.
links wants to create a temporary file links.tmp and write to ~/.links
directory and to check bookmarks/history and other files.
As epylog is run as root, admin_home is affected.
If run from a cli, no alert is displayed.
It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null'
% (self.lynx, htmlfile, plainfile)
As a2a recommends, it is easy to make a local policy file.
#============= logwatch_t ==============
#!!!! The source type 'logwatch_t' can write to a 'dir' of the following
types:
# logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
#!!!! The source type 'logwatch_t' can write to a 'file' of the following
types:
# logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:file { rename write read create unlink open };
(and similar).
This looks to me as too big unconfining.
I think that relabeling of .elinks directory and its files are better solution.
Maybe this is a job for transition which I am not still familiar with.
But I am also surprised that this happen to nobody else, as most of the
epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
Thanks in advance,
--
--Zdenek Pytela, <pytela(a)phil.muni.cz>
10:14 a.m.
On Thu, Sep 20, 2012 at 10:50 AM, Zdenek Pytela <pytela(a)phil.muni.cz> wrote:
Hello everybody,
every night cron calls epylog and it launches links.
links wants to create a temporary file links.tmp and write to ~/.links
directory and to check bookmarks/history and other files.
As epylog is run as root, admin_home is affected.
If run from a cli, no alert is displayed.
It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null'
% (self.lynx, htmlfile, plainfile)
Hi, Zdenek:
You can either dontaudit that, or set this in your epylog.conf:
lynx = /usr/bin/elinks -config-dir /var/lib/epylog/.elinks
Best,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
9:34 a.m.
Konstantin Ryabitsev pise:
On Thu, Sep 20, 2012 at 10:50 AM, Zdenek Pytela
<pytela(a)phil.muni.cz> wrote:
> Hello everybody,
> every night cron calls epylog and it launches links.
> links wants to create a temporary file links.tmp and write to ~/.links
> directory and to check bookmarks/history and other files.
> As epylog is run as root, admin_home is affected.
> If run from a cli, no alert is displayed.
> It is (probably) run from publishers.py at line 264:
>
> exitcode = os.system('%s -dump %s > %s 2>/dev/null'
> % (self.lynx, htmlfile, plainfile)
>
Hi, Zdenek:
You can either dontaudit that, or set this in your epylog.conf:
lynx = /usr/bin/elinks -config-dir /var/lib/epylog/.elinks
Nice workaround. I have
just find another one in the elinks man
page: -no-home, it is much shorter ;-). Thanks,
--
--Zdeněk Pytela, <pytela(a)phil.muni.cz>
CIT FF MU
+420 54949 5301
Servisní linka CIT: [54949]*1542*, cit-servis(a)phil.muni.cz
CIT servery a sítě: [54949]*1543*, cit-sys(a)phil.muni.cz
Hlášení závad, požadavky: http://www.phil.muni.cz/pozadavek/
8:36 a.m.
On 09/20/2012 04:50 PM, Zdenek Pytela wrote:
Hello everybody,
every night cron calls epylog and it launches links.
links wants to create a temporary file links.tmp and write to ~/.links
directory and to check bookmarks/history and other files.
As epylog is run as root, admin_home is affected.
If run from a cli, no alert is displayed.
It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null'
% (self.lynx, htmlfile, plainfile)
As a2a recommends, it is easy to make a local policy file.
#============= logwatch_t ==============
#!!!! The source type 'logwatch_t' can write to a 'dir' of the following
types:
# logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
#!!!! The source type 'logwatch_t' can write to a 'file' of the following
types:
# logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:file { rename write read create unlink open };
(and similar).
This looks to me as too big unconfining.
I think that relabeling of .elinks directory and its files are better solution.
Maybe this is a job for transition which I am not still familiar with.
But I am also surprised that this happen to nobody else, as most of the
epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
Thanks in advance,
What OS?
# rpm -q selinux-policy
Is this
~/.links
default location?
9:47 a.m.
Miroslav Grepl pise:
On 09/20/2012 04:50 PM, Zdenek Pytela wrote:
> Hello everybody,
>every night cron calls epylog and it launches links.
>links wants to create a temporary file links.tmp and write to ~/.links
>directory and to check bookmarks/history and other files.
>As epylog is run as root, admin_home is affected.
>If run from a cli, no alert is displayed.
>It is (probably) run from publishers.py at line 264:
>
>exitcode = os.system('%s -dump %s > %s 2>/dev/null'
> % (self.lynx, htmlfile, plainfile)
>
>As a2a recommends, it is easy to make a local policy file.
>
>#============= logwatch_t ==============
>#!!!! The source type 'logwatch_t' can write to a 'dir' of the
following types:
># logwatch_cache_t, logwatch_tmp_t
>
>allow logwatch_t admin_home_t:dir { write remove_name add_name setattr };
>#!!!! The source type 'logwatch_t' can write to a 'file' of the
following types:
># logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
>
>allow logwatch_t admin_home_t:file { rename write read create unlink open };
>
>(and similar).
>This looks to me as too big unconfining.
>I think that relabeling of .elinks directory and its files are better solution.
>Maybe this is a job for transition which I am not still familiar with.
>But I am also surprised that this happen to nobody else, as most of the
>epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
>
>Thanks in advance,
>
What OS?
f16, f17
# rpm -q selinux-policy
selinux-policy-3.10.0-91.fc16
selinux-policy-devel-3.10.0-146.fc17
latest at that time
Is this
~/.links
default location?
Yes it is:
elinks(1)
...
ELINKS_CONFDIR
The location of the directory containing configuration files. If
not set the default is ~/.elinks/.
...
and other references in the FILES section.
It can be changed or switched off.
--
--Zdenek Pytela, <pytela(a)phil.muni.cz>
3151
days inactive
3155
days old
selinux@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Konstantin Ryabitsev -
Miroslav Grepl -
Zdenek Pytela