On Fri, 2004-03-26 at 02:39, Richard Hally wrote:
> Here are the avc denied messages from doing a logrotate.
> I get an error message when I try to do the logrotate in enforcing mode. I
> changed to
> permissive mode, did the logrotate and the resulting messages are attached:

With regard to the /etc/init.d/cups condrestart line in
/etc/logrotate.d/cups, should logrotate.te include:

	domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)

so that the init script runs in the proper domain, and any subsequent
daemon restarts are transitioned to the right domain?

That would run the init script in initrc_t rather than directly in
logrotate_t, and eliminate the need for the various
domain_auto_trans(logrotate, foo_exec_t, foo_t) rules that I see
sprinkled about various daemon .te files, since the usual transition
from initrc_t would handle it.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
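
An added example, not part of the original message or of the policy sources: a small audit that lists which per-daemon transitions out of logrotate_t would already be covered by the proposed logrotate_t to initrc_t rule. The file names other than logrotate.te, the bar_* types and the sample contents are constructed, foo_* is the placeholder used in the message, and the script only matches the macro calls textually.

```python
import re

# Constructed sample policy (file name -> contents); not taken from a real tree.
SAMPLE_POLICY = {
    "logrotate.te": "domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)\n",
    "foo.te": (
        "domain_auto_trans(initrc_t, foo_exec_t, foo_t)\n"
        "domain_auto_trans(logrotate_t, foo_exec_t, foo_t)\n"
    ),
    "bar.te": "domain_auto_trans(logrotate_t, bar_exec_t, bar_t)  # no initrc_t rule\n",
}

RULE = re.compile(r"domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")

def parse_rules(files):
    """Yield (file, source, exec_type, target) for each domain_auto_trans call."""
    for name, text in files.items():
        for line in text.splitlines():
            code = line.split("#", 1)[0]  # ignore trailing comments
            for m in RULE.finditer(code):
                yield (name, *m.groups())

def audit(files, caller="logrotate_t", init="initrc_t", init_exec="initrc_exec_t"):
    """Return (has_init_hop, redundant, still_needed) for transitions out of caller."""
    rules = list(parse_rules(files))
    trans = {(src, exe): tgt for _, src, exe, tgt in rules}
    # Is the proposed caller -> initrc_t transition on the init scripts present?
    has_init_hop = trans.get((caller, init_exec)) == init
    redundant, still_needed = [], []
    for name, src, exe, tgt in rules:
        if src != caller or exe == init_exec:
            continue
        # Covered only if initrc_t already reaches the same target via the same exec type.
        if has_init_hop and trans.get((init, exe)) == tgt:
            redundant.append((name, exe, tgt))
        else:
            still_needed.append((name, exe, tgt))
    return has_init_hop, redundant, still_needed

if __name__ == "__main__":
    hop, redundant, needed = audit(SAMPLE_POLICY)
    print("initrc hop present:", hop)
    print("candidates for removal:", redundant)
    print("no initrc_t path, keep or fix:", needed)
```

A rule reported as a removal candidate is only safe to drop if logrotate restarts that daemon through its init script rather than by executing the daemon binary directly.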