[DSE-Dev] logsave used in checkfs and checkroot

Philip Tricca phil at noggle.biz
Mon Sep 17 21:56:56 UTC 2007


hey all,

I'm wondering if anyone has thoughts on this one:  While playing with an 
Etch system, strict policy in enforcing mode I hit a problem in two scripts:

/etc/init.d/checkroot.sh
/etc/init.d/checkfs.sh

Both scripts use logsave to cache output from fsck (/var/log very well 
may not be mounted when these scripts run but I'm far from an expert). 
Eventually logsave then tries to write the output to 
/var/log/fsck/somefile.log which is labeled system_u:object_r:fsadm_log_t.

This caused some rolling avcs that I didn't wait around to see the end 
of.  These avcs were:

audit(1190054228.940:156): avc:  denied  { write } for  pid=868 
comm="logsave" name="checkroot" dev=hda ino=213062 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:fsadm_log_t:s0 tclass=file

audit(1190054229.504:157): avc:  denied  { write } for  pid=966 
comm="logsave" name="checkfs" dev=hda ino=213063 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:fsadm_log_t:s0 tclass=file

repeating ad nauseam.

Removing the logsave lines from the init scripts in question seems to 
have solved the problem (though I don't know where the output will be 
sent now ... syslog?) and I'm now able to log into Etch with only a few 
avcs.

The more I think about ways to fix this the more I realize what a sticky 
problem it is: e.g. I wouldn't want to give logsave its own domain with 
carte-blanche append permissions to all log files.  On the other hand 
individual domains could be carved out based on each source domain in a 
type_transition rule.  This would effectively create a domain that 
init_t could transition to in order to write to the fsck log files.  I 
don't really like this idea since logsave is then what executes fsck so 
a transition from the new domain to the fsck domain would be required 
... this sounds like a slippery slope to me ...

I don't know much about the ordering dependencies here but it doesn't 
look like syslog is up when these scripts are run (file systems may not 
even be mounted).  I'll take a look to see how this is done in Fedora 
later this week.  If anyone has thoughts on this I'd love to hear them.

For now I've replaced lines like:
logsave -s $FSCK_LOGFILE fsck $spinner -R -A $fix $force $FSCKTYPES_OPT
with:
fsck $spinner -R -A $fix $force $FSCKTYPES_OPT
letting the output go where it may (probably all over the console).

Cheers,
- Philip
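
An added example, not part of the original post: a Python sketch that collapses repeating denials like the two quoted above into one group per source type, target type and class, and renders the allow rule each group corresponds to. The function names are this example's own; the sample input is the two AVC messages from the post, unwrapped. The resulting rule names initrc_t as the source, so it would cover every process in that domain and not only logsave.

```python
import re
from collections import defaultdict

# The two denials quoted in the post, unwrapped onto one line each.
SAMPLE_AVCS = [
    'audit(1190054228.940:156): avc:  denied  { write } for  pid=868 '
    'comm="logsave" name="checkroot" dev=hda ino=213062 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:fsadm_log_t:s0 tclass=file',
    'audit(1190054229.504:157): avc:  denied  { write } for  pid=966 '
    'comm="logsave" name="checkfs" dev=hda ino=213063 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:fsadm_log_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
def parse_avc(line):
    """Return the denial's fields, or None; assumes values contain no whitespace."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in
           (kv.split('=', 1) for kv in m.group('fields').split() if '=' in kv)}
    rec['perms'] = m.group('perms').split()
    try:
        # A context is user:role:type[:level]; the type is the third field.
        rec['key'] = (rec['scontext'].split(':')[2],
                      rec['tcontext'].split(':')[2], rec['tclass'])
    except (KeyError, IndexError):
        return None
    return rec

def summarize(lines):
    """Collapse repeated denials into one group per (source type, target type, class)."""
    groups = defaultdict(lambda: {'count': 0, 'perms': set(), 'names': set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[rec['key']]
        g['count'] += 1
        g['perms'].update(rec['perms'])
        g['names'].add(rec.get('name', '?'))
    return dict(groups)

def as_rule(key, group):
    """Render the allow rule a group of denials corresponds to."""
    return 'allow %s %s:%s { %s };' % (*key, ' '.join(sorted(group['perms'])))

if __name__ == '__main__':
    for key, group in summarize(SAMPLE_AVCS).items():
        print(group['count'], sorted(group['names']), as_rule(key, group))
```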
