commit:     430ece6c0478072338d29aaff7f9d842c77b35b6
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 21:43:34 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=430ece6c

sysstat: exec shell and read logs

The cron entry runs a shell script and needs to be able to manage its
logs

type=AVC msg=audit(1436639401.545:833311): avc:  denied  { read } for pid=10340 
comm="sa1" path="/bin/bash" dev="md3" ino=14263160 
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:shell_exec_t 
tclass=file
type=AVC msg=audit(1436639401.549:833312): avc:  denied  { read } for pid=10340 
comm="sadc" name="sa12" dev="md3" ino=9183233 
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t 
tclass=file
type=AVC msg=audit(1436716381.830:836456): avc:  denied  { write } for  
pid=31504 comm="sa2" path="/var/log/sa/sar12" dev="md3" ino=9183238 
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t 
tclass=file
type=AVC msg=audit(1436716381.909:836457): avc:  denied  { unlink } for  
pid=31506 comm="rm" name="sar20" dev="md3" ino=9183237 
scontext=system_u:system_r:sysstat_t tcontext=system_u:object_r:sysstat_log_t 
tclass=file

 policy/modules/contrib/sysstat.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/contrib/sysstat.te 
b/policy/modules/contrib/sysstat.te
index fd167ee..c4af8d9 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
 optional_policy(`
        cron_system_entry(sysstat_t, sysstat_exec_t)
 ')
+
+ifdef(`distro_gentoo',`
+       corecmd_exec_shell(sysstat_t)
+       manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
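Review bot: The two new rules in this hunk are wrapped in `ifdef(`distro_gentoo',` although nothing in the quoted denials is Gentoo-specific: sa1 execs /bin/bash and sa2 writes and unlinks files under /var/log/sa, which is what the stock sa1/sa2 scripts do on any distribution, so the block likely belongs unconditionally (or upstream), or should at least carry a comment such as `# sa1/sa2 are shell scripts; sa2 rotates old sar files with rm` explaining why it is kept distro-local. Note also that `manage_files_pattern` grants create, rename and setattr on sysstat_log_t files beyond the logged read/write/unlink, while the commit title says only "read logs"; if an existing, narrower sysstat_log_t rule precedes this hunk (not visible here), the two should be merged rather than layered. The `rm` in the last denial runs in sysstat_t and so also needs bin execution, which presumably is already granted above the hunk and is worth confirming.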
