commit: f03e69fce25a75b8c41d3ca79ea48e7792cd9589
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 18:41:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 19:56:34 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f03e69fc
sysstat: exec shell and read logs
The cron entry runs a shell script and needs to be able to read
its own logs.
type=AVC msg=audit(1436639401.545:833311): avc: denied { read } for
pid=10340 comm="sa1" path="/bin/bash" dev="md3" ino=14263160
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:shell_exec_t tclass=file
type=SYSCALL msg=audit(1436639401.545:833311): arch=c000003e syscall=10
success=yes exit=0 a0=d9545b6e000 a1=3000 a2=1 a3=76a19c4ec148 items=0
ppid=10330 pid=10340 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=1211 comm="sa1" exe="/bin/bash"
subj=system_u:system_r:sysstat_t key=(null)
type=AVC msg=audit(1436639401.549:833312): avc: denied { read } for
pid=10340 comm="sadc" name="sa12" dev="md3" ino=9183233
scontext=system_u:system_r:sysstat_t
tcontext=system_u:object_r:sysstat_log_t tclass=file
policy/modules/contrib/sysstat.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/sysstat.te
b/policy/modules/contrib/sysstat.te
index fd167ee..65da9ae 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -67,3 +67,8 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
+
+ifdef(`distro_gentoo',`
+ corecmd_exec_shell(sysstat_t)
+ read_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+')
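Review bot: The `ifdef(`distro_gentoo',` guard around the two new rules looks narrower than the behaviour being fixed: the AVCs quoted in the description show `sa1` executing under `/bin/bash` and `sadc` reading an existing `sysstat_log_t` file, which (if this is stock sysstat rather than a Gentoo packaging change) means any distribution hits the same denials, so `corecmd_exec_shell(sysstat_t)` and `read_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` probably belong unconditionally and would be worth sending upstream. Positioning is also unusual: refpolicy .te files, as far as I recall, place `ifdef(`distro_…'` blocks before the `optional_policy` blocks rather than after the last one, so the new block likely belongs above the `cron_system_entry` block visible at the top of the hunk. The rules themselves are appropriately minimal (execute-without-transition of the shell and read-only access to the domain's own log type), but a one-line comment inside the block would save the next reader a trip to the audit log, e.g. `# sa1 is a shell script; sadc reads the existing sa* data files`.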