Bug 2137323

Summary: SELinux is preventing syslogd_t to relabelfrom and relabelto var_log_t file
Product: [Fedora] Fedora
Reporter: Patrik Koncity <pkoncity>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Hardware: All   
OS: Linux   
Last Closed: 2022-10-24 13:13:20 UTC
Type: Bug

Description Patrik Koncity 2022-10-24 13:06:54 UTC
Description of problem:
SELinux is preventing syslogd_t to relabelfrom and relabelto var_log_t file

Version-Release number of selected component (if applicable):
selinux-policy
keylime

Actual results:
Tests show denials.


Expected results:
Tests won't show any denials.


Additional info:
From keylime's point of view, the denials do not cause any failures in the test suite. So maybe a possible way to solve it is to dontaudit these rules. I'm not able to reproduce it; it appears only in CI.

time->Mon Oct 24 09:00:00 2022
type=AVC msg=audit(1666602000.233:861): avc:  denied  { relabelfrom } for  pid=542 comm="journal-offline" name=".#user-1000" dev="nvme0n1p5" ino=74421 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0



https://artifacts.dev.testing-farm.io/59192121-dab6-4a22-91be-d07f0335e0e9/

Comment 1 Patrik Koncity 2022-10-24 13:11:05 UTC
Also need to dontaudit this rule:

dontaudit syslogd_t var_log_t:file relabelto;
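
Added example (not part of the original bug report, and not selinux-policy or keylime code): a Python script that derives the dontaudit rules discussed above from AVC records, grouping denied permissions per source type, target type and class. The first sample record is the denial quoted in the description; the second is constructed to stand for the relabelto denial mentioned in comment 1, and all function names are this example's own.

```python
import re
from collections import defaultdict

# First record: the denial quoted in the report. Second record: constructed
# for illustration (the relabelto counterpart mentioned in comment 1).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1666602000.233:861): avc:  denied  { relabelfrom } for  pid=542 comm="journal-offline" name=".#user-1000" dev="nvme0n1p5" ino=74421 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1666602000.233:862): avc:  denied  { relabelto } for  pid=542 comm="journal-offline" name=".#user-1000" dev="nvme0n1p5" ino=74421 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return fields[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m:
            continue  # granted or unparseable AVC records are ignored
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def dontaudit_rules(log_text):
    """Emit one dontaudit rule per (source, target, class) group."""
    rules = []
    for (src, tgt, cls), perms in sorted(parse_denials(log_text).items()):
        plist = sorted(perms)
        perm_text = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"dontaudit {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(dontaudit_rules(SAMPLE_AUDIT_LOG)))
```

A dontaudit rule only suppresses the audit record; the access itself stays denied. Running `semodule -DB` rebuilds the policy with dontaudit rules disabled when the hidden denials need to be seen again.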

Comment 2 Zdenek Pytela 2022-10-24 13:13:20 UTC

*** This bug has been marked as a duplicate of bug 2075527 ***