756812 – Add selinux type for file /run/mcelog.pid

Bug 756812 - Add selinux type for file /run/mcelog.pid

Summary: Add selinux type for file /run/mcelog.pid

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	756811
TreeView+	depends on / blocked

Reported:	2011-11-24 17:03 UTC by David Jaša
Modified:	2011-12-13 09:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-13 09:07:02 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description David Jaša 2011-11-24 17:03:32 UTC

Description of problem:
SSIA. If I understand SELinux policies correctly, a clean fix for bug 756811 involves adding special type /run/mcelog.pid that only mcelog will get processes with scontext=system_u:system_r:mcelog_t:s0 will able to modify.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 David Jaša 2011-11-24 17:05:24 UTC

typo: "type /run/mcelog.pid" --> "type for file /run/mcelog.pid"

Comment 2 David Jaša 2011-11-24 17:57:32 UTC

After further investigation, it seems that the only problem is a wrong context for file /var/run/mcelog.pid in policy, when changed to mcelo_var_run_t, after running:

semanage fcontext -a -t mcelog_var_run_t /var/run/mcelog.pid

and restoring context, all AVCs are gone.

Note You need to log in before you can comment on or make changes to this bug.