Hello everybody, every night cron calls epylog and it launches links. links wants to create a temporary file links.tmp and write to ~/.links directory and to check bookmarks/history and other files. As epylog is run as root, admin_home is affected. If run from a cli, no alert is displayed. It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null' % (self.lynx, htmlfile, plainfile)
As a2a recommends, it is easy to make a local policy file.
#============= logwatch_t ============== #!!!! The source type 'logwatch_t' can write to a 'dir' of the following types: # logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:dir { write remove_name add_name setattr }; #!!!! The source type 'logwatch_t' can write to a 'file' of the following types: # logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:file { rename write read create unlink open };
(and similar). This looks to me as too big unconfining. I think that relabeling of .elinks directory and its files are better solution. Maybe this is a job for transition which I am not still familiar with. But I am also surprised that this happen to nobody else, as most of the epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
Thanks in advance,
On Thu, Sep 20, 2012 at 10:50 AM, Zdenek Pytela pytela@phil.muni.cz wrote:
Hello everybody,every night cron calls epylog and it launches links. links wants to create a temporary file links.tmp and write to ~/.links directory and to check bookmarks/history and other files. As epylog is run as root, admin_home is affected. If run from a cli, no alert is displayed. It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null' % (self.lynx, htmlfile, plainfile)
Hi, Zdenek:
You can either dontaudit that, or set this in your epylog.conf:
lynx = /usr/bin/elinks -config-dir /var/lib/epylog/.elinks
Best,
Konstantin Ryabitsev pise:
On Thu, Sep 20, 2012 at 10:50 AM, Zdenek Pytela pytela@phil.muni.cz wrote:
Hello everybody,every night cron calls epylog and it launches links. links wants to create a temporary file links.tmp and write to ~/.links directory and to check bookmarks/history and other files. As epylog is run as root, admin_home is affected. If run from a cli, no alert is displayed. It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null' % (self.lynx, htmlfile, plainfile)
Hi, Zdenek:
You can either dontaudit that, or set this in your epylog.conf:
lynx = /usr/bin/elinks -config-dir /var/lib/epylog/.elinks
Nice workaround. I have just find another one in the elinks man page: -no-home, it is much shorter ;-). Thanks,
On 09/20/2012 04:50 PM, Zdenek Pytela wrote:
Hello everybody, every night cron calls epylog and it launches links. links wants to create a temporary file links.tmp and write to ~/.links directory and to check bookmarks/history and other files. As epylog is run as root, admin_home is affected. If run from a cli, no alert is displayed. It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null' % (self.lynx, htmlfile, plainfile)
As a2a recommends, it is easy to make a local policy file.
#============= logwatch_t ============== #!!!! The source type 'logwatch_t' can write to a 'dir' of the following types: # logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:dir { write remove_name add_name setattr }; #!!!! The source type 'logwatch_t' can write to a 'file' of the following types: # logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:file { rename write read create unlink open };
(and similar). This looks to me as too big unconfining. I think that relabeling of .elinks directory and its files are better solution. Maybe this is a job for transition which I am not still familiar with. But I am also surprised that this happen to nobody else, as most of the epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
Thanks in advance,
What OS?
# rpm -q selinux-policy
Is this
~/.links
default location?
Miroslav Grepl pise:
On 09/20/2012 04:50 PM, Zdenek Pytela wrote:
Hello everybody, every night cron calls epylog and it launches links. links wants to create a temporary file links.tmp and write to ~/.links directory and to check bookmarks/history and other files. As epylog is run as root, admin_home is affected. If run from a cli, no alert is displayed. It is (probably) run from publishers.py at line 264:
exitcode = os.system('%s -dump %s > %s 2>/dev/null' % (self.lynx, htmlfile, plainfile)
As a2a recommends, it is easy to make a local policy file.
#============= logwatch_t ============== #!!!! The source type 'logwatch_t' can write to a 'dir' of the following types: # logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:dir { write remove_name add_name setattr }; #!!!! The source type 'logwatch_t' can write to a 'file' of the following types: # logwatch_lock_t, logwatch_var_run_t, logwatch_cache_t, logwatch_tmp_t
allow logwatch_t admin_home_t:file { rename write read create unlink open };
(and similar). This looks to me as too big unconfining. I think that relabeling of .elinks directory and its files are better solution. Maybe this is a job for transition which I am not still familiar with. But I am also surprised that this happen to nobody else, as most of the epylog.conf settings are default. All of my hosts have this bug-or-what-it-is.
Thanks in advance,
What OS?
f16, f17
# rpm -q selinux-policy
selinux-policy-3.10.0-91.fc16 selinux-policy-devel-3.10.0-146.fc17 latest at that time
Is this
~/.links
default location?
Yes it is: elinks(1) ... ELINKS_CONFDIR The location of the directory containing configuration files. If not set the default is ~/.elinks/. ... and other references in the FILES section. It can be changed or switched off.
selinux@lists.fedoraproject.org
-
Konstantin Ryabitsev -
Miroslav Grepl -
Zdenek Pytela