Description of problem:

$ ps -eZ |grep initrc
system_u:system_r:initrc_t:s0 661 ? 00:00:00 abrt-watch-log

I created an initial policy and ran ausearch+audit2allow:

#============= abrt_watch_log_exec_t ==============
allow abrt_watch_log_exec_t abrt_dump_oops_exec_t:file { read execute open execute_no_trans };
allow abrt_watch_log_exec_t abrt_etc_t:file { read getattr open };
allow abrt_watch_log_exec_t locale_t:file { read getattr open };
allow abrt_watch_log_exec_t var_log_t:file { read open };

I see: abrt-watch-log

"This patch splits abrt-dump-oops into a generic log watcher tool, abrt-watch-log, and oops finder, which retains the name abrt-dump-oops"

$ abrt-watch-log --help
Usage: abrt-watch-log [-vs] [-F STR]... FILE PROG [ARGS]
Watch log file FILE, run PROG when it grows or is replaced
-v, --verbose Be verbose
-s Log to syslog
-F STR Don't run PROG if STRs aren't found

So it means abrt-watch-log can run whatever? Do I understand correctly?
Why not run abrt_watch_log as logwatch_exec_t?
It needs to execute abrt_dump_oops_exec_t, and I think it will end up as unconfined.
Does the policy already exist? Can we close this bug?
Yes, we can close it.

system_u:system_r:abrt_watch_log_t:s0 674 ? 00:00:00 abrt-watch-log
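The check performed by hand in this thread (grep `ps -eZ` for initrc_t, then confirm abrt-watch-log runs in abrt_watch_log_t) can be scripted. The following is an added example and is not code from the bug report or from the abrt/selinux-policy projects; the `ps -eZ` lines it parses are constructed to mirror the ones quoted above, and the expected-domain map is an assumption supplied for illustration.

```python
"""Parse `ps -eZ` output and report processes that run in an unexpected
SELinux domain (for example a service still in initrc_t).

Added example, not code from the bug report. SAMPLE_PS_EZ is constructed
from the lines quoted in the thread plus a few made-up entries.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `ps -eZ` output (header line plus entries).
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:03 systemd
system_u:system_r:initrc_t:s0     661 ?        00:00:00 abrt-watch-log
system_u:system_r:abrtd_t:s0      670 ?        00:00:00 abrtd
system_u:system_r:abrt_watch_log_t:s0 674 ?    00:00:00 abrt-watch-log
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 pts/0 00:00:00 bash
"""

# Assumed expectation for the service discussed here (illustrative).
EXPECTED_DOMAINS: Dict[str, str] = {"abrt-watch-log": "abrt_watch_log_t"}


@dataclass(frozen=True)
class Proc:
    user: str
    role: str
    domain: str
    level: str
    pid: int
    cmd: str


def parse_context(ctx: str) -> Tuple[str, str, str, str]:
    # seuser:role:type:level. The MLS/MCS level may itself contain ':'
    # (e.g. s0-s0:c0.c1023), so split at most three times.
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return parts[0], parts[1], parts[2], parts[3]


def parse_ps_ez(text: str) -> List[Proc]:
    procs: List[Proc] = []
    for line in text.splitlines():
        # LABEL PID TTY TIME CMD; CMD may contain spaces, so split 4 times.
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[0] == "LABEL":
            continue  # header or blank line
        user, role, domain, level = parse_context(fields[0])
        procs.append(Proc(user, role, domain, level, int(fields[1]), fields[4]))
    return procs


def procs_in_domain(procs: List[Proc], domain: str) -> List[Proc]:
    """Equivalent of `ps -eZ | grep <domain>` but matched on the type field."""
    return [p for p in procs if p.domain == domain]


def domains_of(procs: List[Proc], cmd: str) -> List[str]:
    """All domains a given command is currently running under."""
    return sorted({p.domain for p in procs if p.cmd == cmd})


def misplaced(procs: List[Proc], expected: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """(pid, cmd, actual_domain) for commands not in their expected domain."""
    return [(p.pid, p.cmd, p.domain)
            for p in procs
            if p.cmd in expected and p.domain != expected[p.cmd]]


if __name__ == "__main__":
    # Pipe real output in with `ps -eZ | python3 this.py`; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS_EZ
    ps = parse_ps_ez(text)
    for p in procs_in_domain(ps, "initrc_t"):
        print(f"still in initrc_t: pid={p.pid} cmd={p.cmd}")
    for pid, cmd, dom in misplaced(ps, EXPECTED_DOMAINS):
        print(f"unexpected domain: pid={pid} cmd={cmd} domain={dom}")
```

Splitting the context on at most three colons matters because an MCS range such as s0-s0:c0.c1023 contains a colon of its own; a naive split would mislabel the type field for unconfined and MLS-ranged processes.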