commit:     5296c2b1094c7426469ece96dd90387022c83ec9
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 18:41:39 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5296c2b1

sysstat: exec shell and read logs

The cron entry runs a shell script and needs to be able to read
its logs

type=AVC msg=audit(1436639401.545:833311): avc:  denied  { read } for
pid=10340 comm="sa1" path="/bin/bash" dev="md3" ino=14263160
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:shell_exec_t tclass=file
type=SYSCALL msg=audit(1436639401.545:833311): arch=c000003e syscall=10
success=yes exit=0 a0=d9545b6e000 a1=3000 a2=1 a3=76a19c4ec148 items=0
ppid=10330 pid=10340 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1211 comm="sa1" exe="/bin/bash"
subj=system_u:system_r:sysstat_t key=(null)
type=AVC msg=audit(1436639401.549:833312): avc:  denied  { read } for
pid=10340 comm="sadc" name="sa12" dev="md3" ino=9183233
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:sysstat_log_t tclass=file

 policy/modules/contrib/sysstat.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/contrib/sysstat.te 
b/policy/modules/contrib/sysstat.te
index fd167ee..65da9ae 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
 optional_policy(`
        cron_system_entry(sysstat_t, sysstat_exec_t)
 ')
+
+ifdef(`distro_gentoo',`
+       corecmd_exec_shell(sysstat_t)
+       read_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
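Review bot: The two new rules are gated on the distro_gentoo ifdef, yet nothing in the quoted denials is distribution-specific: sa1 is the shell wrapper that sysstat itself ships (comm="sa1", exe="/bin/bash"), and sadc reading an existing sysstat_log_t data file is ordinary daily-collection behaviour, so the rules probably belong unconditionally next to the existing sysstat_log_t rules, which sit above this hunk and are not visible here. If the Gentoo gating is deliberate, a one-line comment above the block would stop the next reader from moving it, e.g. `# sa1 is a shell script wrapper around sadc, which reads the earlier daily data files`. Note also that corecmd_exec_shell grants execute (not just the read the AVC shows), which is what the wrapper needs but is more than the denial alone asks for, so the comment should say the shell is actually executed. The enclosing policy file starts and ends outside the hunk.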
