Bug 430463
Summary: | AVC denial -- ntpd writing to /var/log/pm-suspend.log | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Marketa Ceplova <marketa> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 8 | CC: | mcepl, mlichvar, opensource |
Target Milestone: | --- | Keywords: | Reopened, SELinux |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-02-26 22:44:40 UTC | Type: | --- |
Description
Marketa Ceplova
2008-01-28 09:08:17 UTC
Let's see what the selinux masters think about this. I don't think this is Dan's problem -- I really think that printout is useless and shouldn't be there in the first place.

restorecon -R -v /var/log

Whatever/Whoever created /var/log/pm-suspend.log created it with the wrong context. Allowing apps to write to var_log_t would allow a compromised application to zero out /var/log/messages.

(In reply to comment #3)
> restorecon -R -v /var/log
>
> Whatever/Whoever created /var/log/pm-suspend.log created it with the wrong
> context. Allowing apps to write to var_log_t would allow a compromised
> application to zero out /var/log/messages.

Well,

[root@narcis ~]# restorecon -v -R /var/log/
[root@narcis ~]# ls -lZ /var/log/pm-suspend.log
-rw-rw-r-- root root system_u:object_r:hald_log_t /var/log/pm-suspend.log
[root@narcis ~]#

if there is something which needs to be fixed by restorecon, it didn't happen apparently.

(In reply to comment #4)
> [root@narcis ~]# restorecon -v -R /var/log/
> [root@narcis ~]# ls -lZ /var/log/pm-suspend.log
> -rw-rw-r-- root root system_u:object_r:hald_log_t /var/log/pm-suspend.log
> [root@narcis ~]#
>
> if there is something which needs to be fixed by restorecon, it didn't happen
> apparently.

What do you mean? In the initial report /var/log/pm-suspend.log had type var_log_t, and after restorecon it is hald_log_t. Do you experience problems now after restorecon?

Oh, I see -- I was confused by the silence of restorecon. OK, I will put myself in NEEDINFO and will let you know if something bad happens.

This probably means that the file had already had its file context corrected. pm-utils I believe runs restorecon when it recreates the file.