Re: policy rpm %post script encounters avc violations
- From: Paul Howarth <paul city-fan org>
- To: "Johnson, Richard" <Richard Johnson stratus com>
- Cc: fedora-selinux-list redhat com
- Subject: Re: policy rpm %post script encounters avc violations
- Date: Wed, 27 Aug 2008 01:04:32 +0100
On Tue, 26 Aug 2008 16:02:15 -0400
"Johnson, Richard" <Richard Johnson stratus com> wrote:
> When installing a policy rpm, one cannot log the install activity w/o
> generating avc errors. For example:
>
> rpm -i lsb-ft-asn-selinux > /var/log/rpm-update.log
>
> produces the following violation:
>
> type=SYSCALL msg=audit(1219774608.030:789): arch=c000003e syscall=59
> success=yes exit=0 a0=be952e0 a1=be93390 a2=be958f0 a3=8 items=0
> ppid=2848 pid=2875 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=ttyS1 ses=2 comm="restorecon"
> exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023
> key=(null) type=AVC msg=audit(1219774608.030:789): avc: denied
> { write } for pid=2875 comm="restorecon"
> path="/var/log/rpm-update.log" dev=md2 ino=2694055
> scontext=root:system_r:restorecon_t:s0-s0:c0.c1023
> tcontext=root:object_r:var_log_t:s0 tclass=file
>
> The problem seems to stem from recording the %post script's attempts
> to relabel files affected by the policy, specifically:
>
> /sbin/restorecon -F -R -v /opt/ft/sbin/sra_alarm;
> /sbin/restorecon -F -R -v /etc/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/asn;
> /sbin/restorecon -F -R -v /var/opt/ft/log;
>
> Is there any way to preserve the logging w/o disabling selinux for the
> duration of the install?
>
> FWIW, the rpm commands are executed from a bash script.
You could try logging to a file with a different context type, e.g.
rpm -i lsb-ft-asn-selinux > /tmp/rpm-update.log
and then move the resulting file to /var/log if you need it to be
there. I'm not sure if restorecon_t can write to temp files but it's
probably more likely than writing to var_log_t, which is currently
what's being denied.
Paul.
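An added example, not code from either poster: a small POSIX shell helper that pulls the source type, target type, object class and denied permission out of an AVC record like the one quoted above, so the denial can be triaged before deciding where the install log should live. The sample record is constructed from the message, and `relocate_log` is a hypothetical helper covering the move-to-/var/log step together with the relabel it needs.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in the message, re-joined onto
# one line as it appears in /var/log/audit/audit.log.
AVC_SAMPLE='type=AVC msg=audit(1219774608.030:789): avc: denied { write } for pid=2875 comm="restorecon" path="/var/log/rpm-update.log" dev=md2 ino=2694055 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_log_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=value (quotes stripped).
# A leading space is prepended so KEY is matched as a whole token
# (e.g. "pid" does not match inside "ppid").
avc_field() {
    printf ' %s\n' "$1" | tr -d '"' |
        sed -n 's/.*[[:space:]]'"$2"'=\([^[:space:]]*\).*/\1/p'
}

# avc_perm RECORD: print the denied permission(s) between "{" and "}".
avc_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*}[[:space:]]*for.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:range.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: one-line triage summary,
# "source_t -> target_t:class denied { perm } path=...".
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s -> %s:%s denied { %s } path=%s\n' \
        "$src" "$tgt" "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")" "$(avc_field "$1" path)"
}

# relocate_log SRC DST (hypothetical helper): second step of the workaround.
# mv keeps the file's original label, so the moved log is relabelled for
# its new directory afterwards. Needs a live SELinux system; not run offline.
relocate_log() {
    mv "$1" "$2" && restorecon -v "$2"
}

avc_summary "$AVC_SAMPLE"
```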