AVCs seen for various processes trying to read their log file while writing to it
Issue
Some services produce unexpected AVCs when trying to write to their log file: a read AVC pops up unexpectedly, as shown in the examples below.
- `ruby` process executed by the `foreman.service` unit tries to read its log

      $ sealert -l <someid>
      SELinux is preventing /usr/bin/ruby from read access on the file /var/log/foreman/<somefile>.log.
      [...]
      Additional Information:
      Source Context                system_u:system_r:foreman_rails_t:s0
      Target Context                unconfined_u:object_r:foreman_log_t:s0
      Target Objects                /var/log/foreman/<somefile>.log [ file ]
      Source                        diagnostic_con*
      Source Path                   /usr/bin/ruby
      [...]
      Raw Audit Messages
      type=AVC msg=audit(...): avc: denied { read } for pid=... comm=/usr/bin/ruby path="/var/log/foreman/<somefile>.log" dev="..." ino=... scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:foreman_log_t:s0 tclass=file permissive=0

- `chronyd` process executed by the `chronyd.service` unit tries to read its log while calling the `write` syscall

      # ausearch -i -m avc -ts recent
      [...]
      type=PROCTITLE msg=audit(....) : proctitle=/usr/sbin/chronyd
      type=SYSCALL msg=audit(....) : arch=x86_64 syscall=write success=yes exit=548 a0=0x4 a1=0x5654489dee10 a2=0x224 a3=0xa ... auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
      type=AVC msg=audit(....) : avc: denied { read } for pid=... comm=chronyd path=/var/log/chrony/measurements.log dev="..." ino=... scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyd_var_log_t:s0 tclass=file permissive=0
      [...]
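To check whether a host shows the same pattern as the examples above, the following added example (not part of the original article) groups interpreted `ausearch -i` records by audit event and reports `read` denials on files that were raised inside a `write` syscall. The sample records, their timestamps and serials, and the `exampled` service are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -i -m avc` format (timestamps, serials, pids, inodes made up).
SAMPLE = """\
----
type=PROCTITLE msg=audit(01/15/2024 10:00:01.123:801) : proctitle=/usr/sbin/chronyd
type=SYSCALL msg=audit(01/15/2024 10:00:01.123:801) : arch=x86_64 syscall=write success=yes exit=548 comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(01/15/2024 10:00:01.123:801) : avc:  denied  { read } for  pid=1234 comm=chronyd path=/var/log/chrony/measurements.log dev="dm-0" ino=4242 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:chronyd_var_log_t:s0 tclass=file permissive=0
----
type=SYSCALL msg=audit(01/15/2024 10:00:05.456:802) : arch=x86_64 syscall=openat success=no exit=EACCES comm=exampled exe=/usr/sbin/exampled subj=system_u:system_r:example_t:s0 key=(null)
type=AVC msg=audit(01/15/2024 10:00:05.456:802) : avc:  denied  { read } for  pid=1300 comm=exampled path=/var/log/example.log dev="dm-0" ino=4343 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

# The article shows only `write`; the other write-family names are an assumed extension.
WRITE_SYSCALLS = {"write", "writev", "pwrite64"}
EVENT_ID = re.compile(r"msg=audit\(([^)]*)\)")
DENIED = re.compile(r"denied\s+\{([^}]*)\}")


def field(line, name):
    """Return the value of name=value in an audit record, without quotes."""
    m = re.search(r'\b%s="?([^"\s]+)"?' % re.escape(name), line)
    return m.group(1) if m else None


def read_denials_during_write(text):
    """Group records by audit event; return read denials raised inside a write syscall."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            events[m.group(1)].append(line)
    hits = []
    for records in events.values():
        syscalls = {field(r, "syscall") for r in records if r.startswith("type=SYSCALL")}
        if not syscalls & WRITE_SYSCALLS:
            continue  # an ordinary read denial (e.g. on openat) is not this pattern
        for r in records:
            m = DENIED.search(r) if r.startswith("type=AVC") else None
            if m and "read" in m.group(1).split() and field(r, "tclass") == "file":
                hits.append((field(r, "comm"), field(r, "path"), field(r, "scontext")))
    return hits


if __name__ == "__main__":
    for comm, path, scontext in read_denials_during_write(SAMPLE):
        print(f"{comm} ({scontext}): read denied on {path} during a write syscall")
```

On a live system, pass the text produced by `ausearch -i -m avc -ts recent` to `read_denials_during_write()`; raw (non `-i`) output carries syscall numbers instead of names and is not handled here.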
Environment
- Red Hat Enterprise Linux 8
- CrowdStrike Falcon software
- SELinux