commit: 430ece6c0478072338d29aaff7f9d842c77b35b6
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=430ece6c
sysstat: exec shell and read logs
The cron entry runs a shell script and needs to be able to manage its
logs.
type=AVC msg=audit(1436639401.545:833311): avc: denied { read } for pid=10340
comm="sa1" path="/bin/bash" dev="md3" ino=14263160
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:shell_exec_t
tclass=file
type=AVC msg=audit(1436639401.549:833312): avc: denied { read } for pid=10340
comm="sadc" name="sa12" dev="md3" ino=9183233
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t
tclass=file
type=AVC msg=audit(1436716381.830:836456): avc: denied { write } for
pid=31504 comm="sa2" path="/var/log/sa/sar12" dev="md3" ino=9183238
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t
tclass=file
type=AVC msg=audit(1436716381.909:836457): avc: denied { unlink } for
pid=31506 comm="rm" name="sar20" dev="md3" ino=9183237
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t
tclass=file
policy/modules/contrib/sysstat.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/sysstat.te
b/policy/modules/contrib/sysstat.te
index fd167ee..c4af8d9 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ corecmd_exec_shell(sysstat_t)
+ manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
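Review bot: The new rules are wrapped in `ifdef(`distro_gentoo',...)` although nothing in them looks Gentoo-specific: the denials quoted in the commit message come from sysstat's own sa1/sa2 cron scripts (`sa1` reading `/bin/bash`, `sadc`/`sa2` touching `/var/log/sa/*`, `rm` pruning an old `sar*` file), so any distribution running those scripts under sysstat_t would hit the same denials and the rules would fit better outside the conditional, or upstream. `manage_files_pattern` also grants the whole manage_file_perms set (create, setattr, rename, link, ...) on sysstat_log_t while the audit evidence shows only read, write and unlink; if the sysstat_log_t rules above this hunk already cover creation, `rw_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` together with `delete_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` would close the denials with less permission. A one-line comment such as `# sa1/sa2 cron scripts run via the shell and rotate/prune /var/log/sa` above the block would record why it was added. The rest of sysstat.te, including any existing sysstat_log_t rules, lies outside the hunk, so whether the wider set is already granted cannot be confirmed from here.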