On Wed, 28 May 2008 15:00:21 -0400
Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> Paul Howarth wrote:
> > Being an old-fashioned sort of guy, I always create a separate
> > partition (well, logical volume these days) for /tmp and various
> > other top-level directories. Hence I have a
> > directory /tmp/lost+found and every day I get an email from cron
> > like this:
> >
> > Subject: Cron <root@goalkeeper> run-parts /etc/cron.daily
> > Date: Tue, 27 May 2008 04:17:12 +0100
> >
> > /etc/cron.daily/tmpwatch:
> >
> > error: failed to lstat /tmp/lost+found: Permission denied
> >
> > The following policy fixes this:
> >
> > policy_module(localmisc, 0.0.1)
> >
> > require {
> >         type tmpreaper_t;
> > }
> >
> > # Allow tmpwatch to stat /tmp/lost+found
> > files_getattr_lost_found_dirs(tmpreaper_t)
> >
> > Paul.
> That is funny because the policy has
>
> files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
>
> So in order to get rid of the error, we need to allow it, which seems
> reasonable.

Yes, the dontaudit made it that much harder to figure out what was
going on but "semodule -BD" came to the rescue there.

Paul.
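Added example, not part of the original thread or of any SELinux tooling: once dontaudit rules are disabled with "semodule -BD", the previously hidden denial appears in the audit log, and a short script can summarize what the tmpreaper_t domain is being refused. The audit records are constructed, and the target type name lost_found_t, the PIDs, device and inode values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread). lost_found_t is the
# assumed label of /tmp/lost+found; pid/dev/ino values are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1211858232.104:812): avc:  denied  { getattr } for  pid=4312 comm="tmpwatch" path="/tmp/lost+found" dev=dm-3 ino=11 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir
type=AVC msg=audit(1211858232.110:813): avc:  granted  { read } for  pid=4312 comm="tmpwatch" name="tmp" dev=dm-3 ino=2 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1211858232.104:812): arch=40000003 syscall=196 success=no exit=-13 comm="tmpwatch"
type=AVC msg=audit(1211944632.377:1290): avc:  denied  { getattr } for  pid=5120 comm="tmpwatch" path="/tmp/lost+found" dev=dm-3 ino=11 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir
"""

# Matches only denials; granted records and non-AVC records are skipped.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def summarize_denials(log_text, source_type=None):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_DENIED.search(line)
        if not match:
            continue
        key = (context_type(match["scon"]), context_type(match["tcon"]),
               match["tclass"])
        if source_type and key[0] != source_type:
            continue
        denials[key].update(match["perms"].split())
    return {key: sorted(perms) for key, perms in denials.items()}


def as_allow_rules(denials):
    """Render each grouped denial as the raw allow rule that would permit it."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (src, tgt, cls), perms in sorted(denials.items())]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG, "tmpreaper_t")):
        print(rule)
```

The repeated daily denial collapses to a single getattr on a directory, which is the access the module in the thread grants through files_getattr_lost_found_dirs(tmpreaper_t); running "semodule -B" afterwards rebuilds the policy with dontaudit rules active again.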