I resolved a PEBKAC in #11 and now have this policy working for Splunkforwarders in RHEL 8!
It seems to be functioning fully despite having `dac_read_search` denials like these:

```
type=PROCTITLE msg=audit(17/03/22 16:36:49.862:4019) : proctitle=splunkd --under-systemd -p 8089 _internal_launch_under_systemd
type=PATH msg=audit(17/03/22 16:36:49.862:4019) : item=0 name=/var/log/sssd/sssd_implicit_files.log inode=16863845 dev=08:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(17/03/22 16:36:49.862:4019) : cwd=/
type=SYSCALL msg=audit(17/03/22 16:36:49.862:4019) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7f436f24c840 a1=0x7f43691fa150 a2=0x7f43691fa150 a3=0x2e44d8 items=1 ppid=1 pid=8843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0 key=(null)
type=AVC msg=audit(17/03/22 16:36:49.862:4019) : avc: denied { dac_read_search } for pid=8843 comm=splunkd capability=dac_read_search scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
```
and
```
type=PROCTITLE msg=audit(17/03/22 16:52:44.647:4941) : proctitle=splunkd --under-systemd -p 8089 _internal_launch_under_systemd
type=PATH msg=audit(17/03/22 16:52:44.647:4941) : item=0 name=/var/log/sssd/sssd.log inode=16863838 dev=08:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(17/03/22 16:52:44.647:4941) : cwd=/
type=SYSCALL msg=audit(17/03/22 16:52:44.647:4941) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7fdba9c98100 a1=0x7fdba37fa150 a2=0x7fdba37fa150 a3=0x41f27a items=1 ppid=1 pid=20469 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0 key=(null)
type=AVC msg=audit(17/03/22 16:52:44.647:4941) : avc: denied { dac_read_search } for pid=20469 comm=splunkd capability=dac_read_search scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
```
I can confirm that events from the sssd log files are being logged. Is this something I should ignore?
Thanks again!
For reference:
```
# ls -laZ /var/log/sssd/
total 2508
drwxr-x---.  2 sssd sssd system_u:object_r:sssd_var_log_t:s0      73 Jan 18 05:11 .
drwxr-xr-x. 13 root root system_u:object_r:var_log_t:s0         4096 Mar 17 12:44 ..
-rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0  104258 Mar 17 16:52 sssd_implicit_files.log
-rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0   83310 Mar 17 16:52 sssd.log
-rw-------.  1 root root system_u:object_r:sssd_var_log_t:s0 2370525 Mar 17 16:52 sssd_nss.log
```
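An added triage helper, not code from this issue or from the policy project, for records shaped like the `ausearch -i` output quoted above. It groups records by audit serial and flags a `capability` AVC whose SYSCALL still reports `success=yes` as a dontaudit candidate: with the listing above, `splunkd` runs as root but `/var/log/sssd` is `drwxr-x--- sssd sssd`, and the kernel's DAC check tries CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE, so the first check is logged as denied even though the `lstat` goes through. The sample input is constructed (fields abridged, second event invented to show a denial that actually blocked the call).

```python
import re
from collections import defaultdict

# Constructed sample shaped like the ausearch -i records in this issue (fields abridged);
# the second event (serial 4100) is invented to show a denial that really failed the syscall.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(17/03/22 16:36:49.862:4019) : arch=x86_64 syscall=lstat success=yes exit=0 pid=8843 comm=splunkd subj=system_u:system_r:splunk_t:s0 key=(null)
type=AVC msg=audit(17/03/22 16:36:49.862:4019) : avc: denied { dac_read_search } for pid=8843 comm=splunkd capability=dac_read_search scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(17/03/22 16:40:00.000:4100) : arch=x86_64 syscall=openat success=no exit=EACCES pid=8843 comm=splunkd subj=system_u:system_r:splunk_t:s0 key=(null)
type=AVC msg=audit(17/03/22 16:40:00.000:4100) : avc: denied { read } for pid=8843 comm=splunkd name=other.log scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

EVENT_ID = re.compile(r"msg=audit\(([^)]*)\)")   # "17/03/22 16:36:49.862:4019"
KV = re.compile(r"(\w+)=(\S+)")                   # key=value fields
PERMS = re.compile(r"denied\s+\{\s*([^}]*)\}")    # the permissions inside { ... }


def parse_events(text):
    """Group SYSCALL and AVC records by audit serial (the number after the last ':')."""
    events = defaultdict(lambda: {"syscall": {}, "avcs": []})
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        serial = m.group(1).rsplit(":", 1)[-1]
        fields = dict(KV.findall(line))
        if fields.get("type") == "SYSCALL":
            events[serial]["syscall"] = fields
        elif fields.get("type") == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
            events[serial]["avcs"].append(fields)
    return dict(events)


def triage(text):
    """Return (serial, tclass, perms, verdict) for every AVC in the input."""
    out = []
    for serial, ev in parse_events(text).items():
        success = ev["syscall"].get("success")
        for avc in ev["avcs"]:
            if avc.get("permissive") == "1":
                verdict = "permissive: would be denied in enforcing mode"
            elif avc.get("tclass") == "capability" and success == "yes":
                # The capability check failed but the call still succeeded (a later
                # check, such as dac_override, allowed it): usually a dontaudit candidate.
                verdict = "noise candidate: syscall succeeded anyway; consider dontaudit"
            elif success == "no":
                verdict = "blocking denial: syscall failed"
            else:
                verdict = "review manually"
            out.append((serial, avc.get("tclass"), " ".join(avc["perms"]), verdict))
    return out
```

Run it over `ausearch -i -m AVC,SYSCALL` output to separate denials that actually break the forwarder from ones that only clutter the log.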