Skip to content
Permalink
Browse files

Merge pull request #42 from cjeanner/logrotate/container_t

Allow logrotate to access and write within container_file_t
  • Loading branch information...
jpichon committed Sep 4, 2019
2 parents 8fb853f + 5e46652 commit 936ea4f907c283edf01cf6624cdaab9278ff6a91
Showing with 14 additions and 1 deletion.
  1. +1 −1 Makefile
  2. +9 −0 os-logrotate.te
  3. +4 −0 tests/bz1727937
@@ -1,4 +1,4 @@
TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu
TARGETS?=os-ovs os-swift os-nova os-neutron os-mysql os-glance os-rsync os-rabbitmq os-keepalived os-keystone os-haproxy os-mongodb os-ipxe os-redis os-cinder os-httpd os-gnocchi os-collectd os-virt os-dnsmasq os-octavia os-podman os-rsyslog os-pbis os-barbican os-sensu os-logrotate
MODULES?=${TARGETS:=.pp.bz2}
DATADIR?=/usr/share
LOCALDIR?=/usr/share/openstack-selinux/master
@@ -0,0 +1,9 @@
policy_module(os-logrotate,0.1)

# Bugzilla 1727937
gen_require(`
type logrotate_t;
type container_file_t;
')
manage_files_pattern(logrotate_t, container_file_t, container_file_t)
manage_dirs_pattern(logrotate_t, container_file_t, container_file_t)
@@ -0,0 +1,4 @@
type=AVC msg=audit(1567480861.728:31696): avc: denied { write } for pid=683284 comm="logrotate" name="openvswitch" dev="sda2" ino=2881762 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1562508548.724:40): avc: denied { execute_no_trans } for pid=1212 comm="modprobe" path="/usr/bin/bash" dev="vda2" ino=4215568 scontext=system_u:system_r:openvswitch_load_module_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562513521.955:5768): avc: denied { read } for pid=54302 comm="logrotate" name="openvswitch" dev="vda2" ino=1012142 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0

0 comments on commit 936ea4f

Please sign in to comment.
You can’t perform that action at this time.