Bug 660329 - Can you change init_logfile to append rather then write.
Summary: Can you change init_logfile to append rather then write.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pm-utils
Version: rawhide
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-06 15:04 UTC by Daniel Walsh
Modified: 2018-04-11 14:45 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-08 13:33:17 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Daniel Walsh 2010-12-06 15:04:44 UTC 
Something like


        rm -f "$1"
        exec >> "$1" 2>&1

That way I can give confined domains, the ability to append to the log file rather then write,  Write access allows a domain to truncate the log file.
Comment 1 Daniel Walsh 2010-12-06 15:07:30 UTC 
In Rawhide we are generating AVC's like

type=AVC msg=audit(1291386897.399:52): avc:  denied  { write } for
pid=1824 comm="blockdev" path="/var/log/pm-powersave.log" dev=dm-0
ino=135133 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:devicekit_var_log_t:s0 tclass=file


Which indicates the blockdev command is trying to write to pm-powersave.log.

# sesearch -A -s fsadm_t -t devicekit_var_log_t -c file -p append
Found 3 semantic av rules:
   allow fsadm_t logfile : file { getattr append } ; 

I currently allow domains to append to log files.
Comment 2 Tom London 2010-12-06 16:19:42 UTC 
After locally applying this change to /usr/lib64/pm-utils/pm-functions, booting appears "clean".
Comment 3 Daniel Walsh 2010-12-20 20:37:31 UTC 
*** Bug 663995 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.