I'm seeing the following on my Rawhide VM:
type=AVC msg=audit(1603594049.879:534): avc: denied { write } for
pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0"
ino=663024
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file permissive=0
This makes no sense to me. sesearch seems to indicate that this should
be allowed (as you would expect):
# sesearch -s cobblerd_t -t cobbler_var_log_t --allow
allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl lock
open search write };
allow cobblerd_t cobbler_var_log_t:file { create open read setattr };
allow cobblerd_t file_type:filesystem getattr;
allow daemon logfile:file { append getattr ioctl lock };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
selinux-policy-3.14.7-6.fc34.noarch
5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64
What am I missing?
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
https://www.nwra.com/