Not had a detailed look, but the logfile config looks like it opens in
append mode:
In config/cobbler/logging_config.conf:
[handler_FileLogger]
class=FileHandler
level=DEBUG
formatter=formatter
args=('/var/log/cobbler/cobbler.log', 'a')
On Sun, 2020-10-25 at 13:07 -0600, Orion Poplawski wrote:
> Phil -
>
> Thanks for the pointer. It looks like cobbler is doing the
> following
> check:
>
> LOG_FILE = "/var/log/cobbler/cobbler.log"
> if os.access(LOG_FILE, os.W_OK):
>
> and it looks like this access() check triggers the write denial. I'm
> having difficulty finding a check just for append access. Any ideas?
>
> Orion
>
> On 10/24/20 10:33 PM, 1966phils@xxxxxxxxx wrote:
> > Hi,
> >
> > From the policy it looks like cobbler should only be allowed to
> > "append" to the log file and not "write" (overwrite) it:
> >
> > allow daemon logfile:file { append getattr ioctl lock };
> >
> > So the question is, why is cobbler doing something other than
> > appending
> > to its log?
> >
> > Cheers
> > Phil
> >
> > On Sat, 2020-10-24 at 21:27 -0600, Orion Poplawski wrote:
> > > I'm seeing the following on my Rawhide VM:
> > >
> > > type=AVC msg=audit(1603594049.879:534): avc: denied { write }
> > > for
> > > pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024
> > > scontext=system_u:system_r:cobblerd_t:s0
> > > tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file
> > > permissive=0
> > >
> > >
> > > This makes no sense to me. sesearch seems to indicate that this
> > > should
> > > be allowed (as you would expect):
> > >
> > > # sesearch -s cobblerd_t -t cobbler_var_log_t --allow
> > > allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl
> > > lock
> > > open search write };
> > > allow cobblerd_t cobbler_var_log_t:file { create open read
> > > setattr };
> > > allow cobblerd_t file_type:filesystem getattr;
> > > allow daemon logfile:file { append getattr ioctl lock };
> > > allow domain file_type:blk_file map; [ domain_can_mmap_files
> > > ]:True
> > > allow domain file_type:chr_file map; [ domain_can_mmap_files
> > > ]:True
> > > allow domain file_type:file map; [ domain_can_mmap_files ]:True
> > > allow domain file_type:lnk_file map; [ domain_can_mmap_files
> > > ]:True
> > >
> > > selinux-policy-3.14.7-6.fc34.noarch
> > > 5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64
> > >
> > > What am I missing?
> > >
> > > _______________________________________________
> > > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to
> > > selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > > https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > _______________________________________________
> > selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to
> > selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >
>
>
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
