I'm seeing the following on my Rawhide VM:
type=AVC msg=audit(1603594049.879:534): avc: denied { write } for pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file permissive=0
This makes no sense to me. sesearch seems to indicate that this should be allowed (as you would expect):
# sesearch -s cobblerd_t -t cobbler_var_log_t --allow
allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl lock open search write };
allow cobblerd_t cobbler_var_log_t:file { create open read setattr };
allow cobblerd_t file_type:filesystem getattr;
allow daemon logfile:file { append getattr ioctl lock };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True

selinux-policy-3.14.7-6.fc34.noarch
5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64
What am I missing?
Hi,
From the policy it looks like cobbler should only be allowed to "append" to the log file and not "write" (overwrite) it:
allow daemon logfile:file { append getattr ioctl lock };
So the question is, why is cobbler doing something other than appending to its log?
Cheers,
Phil
On Sat, 2020-10-24 at 21:27 -0600, Orion Poplawski wrote:
> I'm seeing the following on my Rawhide VM:
> [...]
Phil -
Thanks for the pointer. It looks like cobbler is doing the following check:
    import os

    LOG_FILE = "/var/log/cobbler/cobbler.log"
    # access(2) with W_OK asks the kernel for a generic write check
    if os.access(LOG_FILE, os.W_OK):
        ...
and it looks like this access() check triggers the write denial. I'm having difficulty finding a check just for append access. Any ideas?
Orion
On 10/24/20 10:33 PM, 1966phils@gmail.com wrote:
> From the policy it looks like cobbler should only be allowed to "append" to the log file and not "write" (overwrite) it:
> [...]
Not had a detailed look, but the logfile config looks like it opens in append mode:
In config/cobbler/logging_config.conf:
    [handler_FileLogger]
    class=FileHandler
    level=DEBUG
    formatter=formatter
    args=('/var/log/cobbler/cobbler.log', 'a')
On Sun, 2020-10-25 at 13:07 -0600, Orion Poplawski wrote:
> Thanks for the pointer. It looks like cobbler is doing the following check:
> [...]
Yeah, the actual access is fine. It's the check for access that doesn't work because it checks for "write" permissions. We're reworking the check upstream, but it's still a bit of an open question as to how to check for just "append" access.
On 10/28/20 4:36 AM, 1966phils@gmail.com wrote:
> Not had a detailed look, but the logfile config looks like it opens in append mode:
> [...]
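One way to answer the open question in this thread, as an added example that is not from the thread or from cobbler's code (the function names are my own): instead of os.access(path, os.W_OK), which makes the kernel evaluate a file:write permission, open the log with O_APPEND and no O_TRUNC, which makes the kernel evaluate file:append (exactly what the `allow daemon logfile:file { append ... }` rule grants), and close the descriptor without writing anything.

```python
import os
import tempfile


def can_append(path: str) -> bool:
    """Probe append access the way the logger will actually use the file.

    os.access(path, os.W_OK) asks for a generic write check, so under SELinux
    it is evaluated as file:write even though the FileHandler only ever opens
    the file with 'a'. Opening with O_APPEND (and without O_TRUNC) is evaluated
    as file:append instead. Nothing is written; the descriptor is closed at once.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CLOEXEC)
    except OSError:
        # PermissionError (EACCES from DAC or SELinux), FileNotFoundError,
        # IsADirectoryError ... all mean "cannot append here".
        return False
    os.close(fd)
    return True


def dac_write_check(path: str) -> bool:
    """The check cobbler used: it answers a different question (generic write)."""
    return os.access(path, os.W_OK)


def demo() -> dict:
    """Constructed sample: a temporary log file, a missing path and a directory."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "cobbler.log")
        with open(log, "a") as fh:  # same mode as logging_config.conf uses
            fh.write("constructed sample line\n")
        missing = log + ".missing"
        return {
            "existing": (dac_write_check(log), can_append(log)),
            "missing": (dac_write_check(missing), can_append(missing)),
            # access() reports a writable directory, but you cannot append to one
            "directory": (dac_write_check(tmp), can_append(tmp)),
        }


if __name__ == "__main__":
    for name, (access_says, open_says) in demo().items():
        print(f"{name:9s} os.access(W_OK)={access_says}  open(O_APPEND)={open_says}")
```

On an SELinux-enforcing host with the policy quoted above, `can_append` succeeds for cobblerd_t on cobbler_var_log_t while `dac_write_check` produces the `denied { write }` AVC, because only the former requests the permission the daemon actually holds.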
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...