Description of problem:
The aide utility cannot write /var/log/aide.log. It attempts to create it at SystemHigh, but this causes a constraint violation because /var/log/ is ranged. It either needs an MLS override or its own SystemHigh /var/log/aide directory. After discussion, the latter solution seems preferable.

Version-Release number of selected component (if applicable):
aide-0.12-8.el5

How reproducible:
run aide --init

Steps to Reproduce:
1. Install the LSPP evaluated configuration
2. run aide --init
3. See the message complaining that aide cannot open /var/log/aide.log
4. audit2why < /var/log/audit/audit.log
5. See that it is a constraint violation

Actual results:
Couldn't open file /var/lib/aide/aide.db.new.gz for writing

Expected results:
aide should initialize its database and write its log file without complaint.

Additional info:
Created attachment 152866: Adds /var/log/aide to spec file. LSPP-specific aide configuration seems to be done outside the build tree. This patch is directly against SPECS/aide.spec. Built but not tested.
Created attachment 152867: Sets aide log file path to /var/log/aide/aide.log. LSPP-specific aide configuration seems to be done outside the build tree. This patch is directly against SOURCES/aide.conf. Built but not tested.
Created attachment 152868: Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts. Built but not tested.
Created attachment 152901: Adds /var/log/aide and /var/log/aide/.* aide_t:SystemHigh fcontexts. Tested previous patch and updated it. aide requires additional TE perms as well. aide with the above 2 patches seems to work well with this patch.
aide-0.12-9 was built. I think we still need selinux-policy package built.
Fixed in selinux-policy-2.4.6-60
Ok, looks like we are ready for re-test. Thanks.
Thanks for making the changes. The aide package looks OK. The -60 policy adds the file contexts but not the additional TE perms in my 2nd attempt at the patch. So I still have to add a module with allow aide_t aide_log_t:dir { add_name write }; to permit aide to create its log file. I think we'll need that allow rule or an interface that provides the same permissions.
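As an added example, not from the bug report or from the aide or selinux-policy packages: a POSIX shell script that filters the aide_t AVC denials (steps 4 and 5 of the report) and collapses them into audit2allow-style allow rules, then writes the rule from the comment above into a loadable module source. The audit lines are constructed, and the module name aide_lspp is assumed.

```shell
#!/bin/sh
# Summarise SELinux AVC denials into allow rules, the way audit2allow does,
# to confirm the TE permissions aide needs on its SystemHigh /var/log/aide.

# Constructed sample audit lines (not real log output). Under the MLS policy
# SystemHigh is written raw as s15:c0.c1023 in audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1181234567.001:101): avc:  denied  { add_name } for  pid=2345 comm="aide" name="aide.log" scontext=root:system_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:aide_log_t:s15:c0.c1023 tclass=dir
type=AVC msg=audit(1181234567.002:102): avc:  denied  { write } for  pid=2345 comm="aide" name="aide" dev=dm-0 ino=99 scontext=root:system_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:aide_log_t:s15:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1181234567.002:102): arch=c000003e syscall=2 success=no exit=-13 comm="aide"
type=AVC msg=audit(1181234567.003:103): avc:  denied  { read } for  pid=777 comm="logrotate" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:aide_log_t:s15:c0.c1023 tclass=file'

# Keep only AVC denials whose source domain is $1 (e.g. aide_t).
avc_for_domain() {
    grep 'type=AVC ' | grep "scontext=[^ ]*:$1:"
}

# Collapse denials on stdin into one allow rule per (source, target:class),
# merging the permissions, e.g. "allow aide_t aide_log_t:dir { add_name write };".
avc_to_allow() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        plist = ""; s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { for (j = i + 1; j <= NF && $j != "}"; j++) plist = plist " " $j }
            else if (index($i, "scontext=") == 1) { split($i, a, ":"); s = a[3] }
            else if (index($i, "tcontext=") == 1) { split($i, a, ":"); t = a[3] }
            else if (index($i, "tclass=") == 1) c = substr($i, 8)
        }
        key = s " " t ":" c
        n = split(plist, p, " ")
        for (k = 1; k <= n; k++)
            if (!((key, p[k]) in seen)) { seen[key, p[k]] = 1; perms[key] = perms[key] " " p[k] }
    }
    END { for (key in perms) { split(key, kp, " "); printf "allow %s %s {%s };\n", kp[1], kp[2], perms[key] } }'
}

# Write the module source carrying the rule from the report to file $1.
# Build and load as root (not run here):
#   checkmodule -M -m -o aide_lspp.mod aide_lspp.te &&
#   semodule_package -o aide_lspp.pp -m aide_lspp.mod && semodule -i aide_lspp.pp
write_te() {
    cat > "$1" <<'EOF'
module aide_lspp 1.0;
require { type aide_t; type aide_log_t; class dir { add_name write }; }
allow aide_t aide_log_t:dir { add_name write };
EOF
}
```

Feed a real /var/log/audit/audit.log through avc_for_domain aide_t | avc_to_allow to see whether any permissions beyond the dir rule are still being denied after the fcontexts are applied.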
This looks good with the 62 policy.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0539.html