logwatch: fixes for logwatch

* Allow logwatch_t to getsched
* Allow logwatch_t to write to logwatch_lock_t dirs
* Allow logwatch_mail_t to read/write pipe of crond

Fixes:
avc:  denied  { getsched } for  pid=1012 comm="sort"
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023
tcontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023 tclass=process
permissive=0

avc:  denied  { write } for  pid=269 comm="lockfile-create"
name="logcheck" dev="tmpfs" ino=12709
scontext=system_u:system_r:logwatch_t:s0-s15:c0.c1023
tcontext=system_u:object_r:logwatch_lock_t:s0 tclass=dir permissive=0

avc:  denied  { write } for  pid=1470 comm="sendmail"
path="pipe:[15133]" dev="pipefs" ino=15133
scontext=system_u:system_r:logwatch_mail_t:s0-s15:c0.c1023
tcontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tclass=fifo_file
permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Yi Zhao 2020-07-03 16:04:45 +08:00
parent 7d298ade4d
commit 6bb56e6158
1 changed files with 3 additions and 2 deletions


@ -38,14 +38,14 @@ role system_r types logwatch_mail_t;
#
allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:process signal;
allow logwatch_t self:process { signal getsched };
allow logwatch_t self:fifo_file rw_fifo_file_perms;
allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
allow logwatch_t logwatch_lock_t:file manage_file_perms;
manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
@ -191,4 +191,5 @@ logging_read_all_logs(logwatch_mail_t)
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
cron_rw_system_job_pipes(logwatch_mail_t)
cron_rw_pipes(logwatch_mail_t)
')
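Review bot: `manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)` in the first hunk does not grant directory creation, so the commit message's "create logwatch_lock_t dirs" overstates what the policy now allows. In refpolicy that pattern expands to `rw_dir_perms` on the directory plus `manage_file_perms` on files, which covers the denied `{ write }` on the `logcheck` dir from the AVC but adds no `create` on `dir`, and the existing `files_lock_filetrans(logwatch_t, logwatch_lock_t, file)` still transitions files only. If lockfile-create genuinely has to create the lock directory, the section would also need `manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)` and `files_lock_filetrans(logwatch_t, logwatch_lock_t, dir)`; otherwise this minimal grant is the right scope and only the message needs correcting. A short comment above the pattern would keep the intent clear for the next AVC chase, e.g. `# lockfile-create adds/removes entries in the logwatch_lock_t dir; dir creation is not granted`. The logwatch_t rule block this hunk sits in continues above and below the visible lines.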