Something like

    rm -f "$1"
    exec >> "$1" 2>&1

That way I can give confined domains the ability to append to the log file rather than write. Write access allows a domain to truncate the log file.
In Rawhide we are generating AVCs like

    type=AVC msg=audit(1291386897.399:52): avc: denied { write } for pid=1824 comm="blockdev" path="/var/log/pm-powersave.log" dev=dm-0 ino=135133 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devicekit_var_log_t:s0 tclass=file

which indicates the blockdev command is trying to write to pm-powersave.log.

    # sesearch -A -s fsadm_t -t devicekit_var_log_t -c file -p append
    Found 3 semantic av rules:
       allow fsadm_t logfile : file { getattr append } ;

I currently allow domains to append to log files.
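As an added illustration of the truncation point made above (example code, not from the bug report or from pm-utils): the same log is written through `exec >` and through `exec >>`, and a second writer that opens the file with the truncating redirect wipes the earlier entries, which is what an append-only grant on logfile types prevents. The log path and the log lines are constructed for the demo.

```shell
#!/bin/sh
# Redirect the rest of a subshell's stdout/stderr to $2 using $1 as the mode:
#   truncate -> exec >  "$log"   (open with O_TRUNC, needs SELinux "write")
#   append   -> exec >> "$log"   (open with O_APPEND, needs only "append")
open_log() {
    if [ "$1" = append ]; then
        exec >> "$2" 2>&1
    else
        exec > "$2" 2>&1
    fi
}

# Simulate pm-functions starting a fresh log and two writers sharing it:
# the main script writes two lines, then a helper (think of blockdev called
# from a hook) opens the same log independently and writes one more line.
# Prints the number of lines that survive in the log.
run_logger() {
    mode="$1"
    log="$2"
    rm -f "$log"
    (
        open_log "$mode" "$log"
        echo "pm-powersave: hook start"
        echo "pm-powersave: hook end"
    )
    (
        open_log "$mode" "$log"
        echo "blockdev: constructed sample line"
    )
    # With "truncate" the helper's open discards the first two lines (1 left);
    # with "append" all three lines remain.
    wc -l < "$log" | tr -d ' '
}

if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    echo "truncate mode keeps $(run_logger truncate "$tmp") line(s)"
    echo "append mode keeps   $(run_logger append "$tmp") line(s)"
    rm -f "$tmp"
fi
```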
After locally applying this change to /usr/lib64/pm-utils/pm-functions, booting appears "clean".
*** Bug 663995 has been marked as a duplicate of this bug. ***