SELinux is preventing /usr/sbin/mcelog from 'create open' accesses on the file /var/log/mcelog.

SELinux is preventing /usr/sbin/mcelog from 'write add_name' accesses on the directory /var/log.

Description of Problem:

This occurs when the mcelog cron job runs. The default cron job reads as follows:
/usr/sbin/mcelog --ignorenodev --filter >>/var/log/mcelog

An alternative (documented) method, avoiding the shell redirect, is:

/usr/sbin/mcelog --ignorenodev --filter --logfile=/var/log/mcelog

The first (redirect) method produces a file with this context:

system_u:object_r:cron_log_t:s0 

(This is also the context produced by restorecon)

The second method produces a file with this context:

system_u:object_r:var_log_t:s0

To get the second one to function, regardless of whether the logfile existed or had been created with a cron_log_t type, I needed to do the following:


#============= start module mcelog.te ==============
module mcelog 1.0;

require {
	type mcelog_t;
	type var_log_t;
	type cron_log_t;
	class file { create open };
	class dir { write add_name };
}

#============= mcelog_t ==============
allow mcelog_t cron_log_t:file open;
allow mcelog_t var_log_t:dir { write add_name };
allow mcelog_t var_log_t:file { create open };

#============= end module mcelog.te ==============

The ONLY other cron job I could find on my system that uses a shell redirect to a logfile is prelink, but that has its own context of prelink_log_t. It seems sensible to me to have mcelog follow that route and have a type of mcelog_log_t, but I leave that to wiser heads.



#============= other info ==============

Source Path                   /usr/sbin/mcelog
Source RPM Packages           mcelog-0.9pre1-0.1.fc13
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Platform                      Linux (removed) 2.6.35.13-92.fc14.x86_64 #1 SMP Sat
                              May 21 17:26:25 UTC 2011 x86_64 x86_64