Re: avc denied from logrotate

On Fri, 2004-03-26 at 02:39, Richard Hally wrote:
> Here are the avc denied messages from doing a logrotate.
> I get an error message when I try to do the logrotate in enforcing mode. I
> changed to permissive mode, did the logrotate and the resulting messages are attached:

With regard to the innd_log_t denial, is this file written by both
syslogd and innd?  If it is only written by syslogd, then it shouldn't
be labeled innd_log_t.  If it can be written by either daemon depending
on configuration, then perhaps syslogd.te should include
'create_append_log_file(syslogd_t, logfile)'.

Looks like logrotate needs can_exec(logrotate_t, logfile), although I
find that disturbing.  Possibly need another domain with fewer
permissions that it can transition to when executing these temporary
files.

Can you enable syscall auditing (boot with audit=1) and re-run
logrotate, so that we can see the actual pathname parameters for some of
these calls?  The slrnpull_spool_t ones look odd, as I wouldn't expect
that type on log files, and slrnpull does have its own log type.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
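Added example (not part of the thread): a small triage script for the kind of AVC denial list discussed above. It groups denials by source domain, target type and object class, and flags the two things the reply asks about: denials that carry no file name (so syscall auditing would be needed to see the pathname) and execute access on file types. The sample lines are constructed in the 2.6-era kernel format, since the original attachment is not on the page.

```python
import re
from collections import defaultdict

# Constructed sample denials (pids, inodes, names and types are invented);
# the attachment from the original mail is not reproduced on the page.
SAMPLE_AVC = """\
audit(1080272340.123:0): avc:  denied  { append } for  pid=2211 exe=/usr/sbin/logrotate name=news.notice dev=hda3 ino=12345 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:innd_log_t tclass=file
audit(1080272340.456:0): avc:  denied  { execute } for  pid=2212 exe=/bin/sh name=logrotate.abcd dev=hda3 ino=56789 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_log_t tclass=file
audit(1080272341.001:0): avc:  denied  { read } for  pid=2213 exe=/usr/sbin/logrotate dev=hda3 ino=4242 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(text):
    """Return one dict per AVC denial: the denied perms plus every key=value field."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = dict(KV_RE.findall(m.group("rest")))
        rec["perms"] = m.group("perms").split()
        # Reduce the full contexts to their type component, which is what policy rules use.
        rec["sdomain"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        denials.append(rec)
    return denials

def summarize(denials):
    """Map (source domain, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["sdomain"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(summary)

def triage(denials):
    """Flag denials with no file name (need audit=1 for the pathname) and execute on files."""
    notes = []
    for d in denials:
        key = (d["sdomain"], d["ttype"])
        if "name" not in d and "path" not in d:
            notes.append((key, "no file name recorded; rerun with audit=1 to see the pathname"))
        if "execute" in d["perms"] and d["tclass"] == "file":
            notes.append((key, "execute on a file type; consider a separate domain with fewer permissions"))
    return notes

if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE_AVC)))
    print(triage(parse_avc(SAMPLE_AVC)))
```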

