Phil -Thanks for the pointer. It looks like cobbler is doing the following check:
LOG_FILE = "/var/log/cobbler/cobbler.log" if os.access(LOG_FILE, os.W_OK):and it looks like this access() check triggers the write denial. I'm having difficulty finding a check just for append access. Any ideas?
Orion On 10/24/20 10:33 PM, 1966phils@xxxxxxxxx wrote:
Hi, From the policy it looks like cobbler should only be allowed to "append" to the log file and not "write" (overwrite) it: allow daemon logfile:file { append getattr ioctl lock }; So the question is, why is cobbler doing something other than appending to its log? Cheers Phil On Sat, 2020-10-24 at 21:27 -0600, Orion Poplawski wrote:I'm seeing the following on my Rawhide VM: type=AVC msg=audit(1603594049.879:534): avc: denied { write } for pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file permissive=0 This makes no sense to me. sesearch seems to indicate that this should be allowed (as you would expect): # sesearch -s cobblerd_t -t cobbler_var_log_t --allow allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl lock open search write }; allow cobblerd_t cobbler_var_log_t:file { create open read setattr }; allow cobblerd_t file_type:filesystem getattr; allow daemon logfile:file { append getattr ioctl lock }; allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True allow domain file_type:file map; [ domain_can_mmap_files ]:True allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True selinux-policy-3.14.7-6.fc34.noarch 5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64 What am I missing? _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
-- Orion Poplawski Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@xxxxxxxx Boulder, CO 80301 https://www.nwra.com/
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
