Yeah, the actual access is fine. It's the check for access that doesn't work
because it checks for "write" permissions. We're reworking the check
upstream, but it's still a bit of an open question as to how to check for just
"append" access.
On 10/28/20 4:36 AM, 1966phils@xxxxxxxxx wrote:
> Not had a detailed look, but the logfile config looks like it opens in
> append mode:
>
> In config/cobbler/logging_config.conf:
>
> [handler_FileLogger]
> class=FileHandler
> level=DEBUG
> formatter=formatter
> args=('/var/log/cobbler/cobbler.log', 'a')
>
>
> On Sun, 2020-10-25 at 13:07 -0600, Orion Poplawski wrote:
>> Phil -
>>
>> Thanks for the pointer. It looks like cobbler is doing the
>> following
>> check:
>>
>> LOG_FILE = "/var/log/cobbler/cobbler.log"
>> if os.access(LOG_FILE, os.W_OK):
>>
>> and it looks like this access() check triggers the write denial. I'm
>> having difficulty finding a check just for append access. Any ideas?
>>
>> Orion
>>
>> On 10/24/20 10:33 PM, 1966phils@xxxxxxxxx wrote:
>>> Hi,
>>>
>>> From the policy it looks like cobbler should only be allowed to
>>> "append" to the log file and not "write" (overwrite) it:
>>>
>>> allow daemon logfile:file { append getattr ioctl lock };
>>>
>>> So the question is, why is cobbler doing something other than
>>> appending
>>> to its log?
>>>
>>> Cheers
>>> Phil
>>>
>>> On Sat, 2020-10-24 at 21:27 -0600, Orion Poplawski wrote:
>>>> I'm seeing the following on my Rawhide VM:
>>>>
>>>> type=AVC msg=audit(1603594049.879:534): avc: denied { write }
>>>> for
>>>> pid=1073 comm="cobblerd" name="cobbler.log" dev="dm-0" ino=663024
>>>> scontext=system_u:system_r:cobblerd_t:s0
>>>> tcontext=system_u:object_r:cobbler_var_log_t:s0 tclass=file
>>>> permissive=0
>>>>
>>>>
>>>> This makes no sense to me. sesearch seems to indicate that this
>>>> should
>>>> be allowed (as you would expect):
>>>>
>>>> # sesearch -s cobblerd_t -t cobbler_var_log_t --allow
>>>> allow cobblerd_t cobbler_var_log_t:dir { add_name getattr ioctl
>>>> lock
>>>> open search write };
>>>> allow cobblerd_t cobbler_var_log_t:file { create open read
>>>> setattr };
>>>> allow cobblerd_t file_type:filesystem getattr;
>>>> allow daemon logfile:file { append getattr ioctl lock };
>>>> allow domain file_type:blk_file map; [ domain_can_mmap_files
>>>> ]:True
>>>> allow domain file_type:chr_file map; [ domain_can_mmap_files
>>>> ]:True
>>>> allow domain file_type:file map; [ domain_can_mmap_files ]:True
>>>> allow domain file_type:lnk_file map; [ domain_can_mmap_files
>>>> ]:True
>>>>
>>>> selinux-policy-3.14.7-6.fc34.noarch
>>>> 5.10.0-0.rc0.20201021git071a0578b0ce.49.fc34.x86_64
>>>>
>>>> What am I missing?
>>>>
>>>> _______________________________________________
>>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to
>>>> selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Fedora Code of Conduct:
>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines:
>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives:
>>>> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> _______________________________________________
>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> To unsubscribe send an email to
>>> selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>
>>
>
>
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@xxxxxxxx
Boulder, CO 80301 https://www.nwra.com/
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
