Re: Logrotate frustration

["Justin P. Mattock" <justinmattock@xxxxxxxxx>]

On 12/06/09 01:38, Arthur Dent wrote:
> Hello all,
>
> Its seems that almost every week logrotate is throwing up a new AVC. I
> have an almost vanilla F11 install with most packages installed via yum
> and yet I keep getting these. Each time I audit2allow and build a new
> policy. My "mylogr.te" is now at version 7. Am I missing a bool or is
> there something else I'm lacking?
>
> Here is the latest version of my policy:
>
>
> ===============8<==================================================
>
> module mylogr 11.1.7;
>
> require {
> 	type mail_spool_t;
> 	type logrotate_t;
> 	type fail2ban_var_run_t;
> 	type initrc_t;
> 	type squid_log_t;
> 	class dir {read open write remove_name};
> 	class file { getattr read write open};
> 	class file setattr;
> 	class sock_file write;
>          class unix_stream_socket connectto;
> 	class lnk_file rename;
> }
>
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file { getattr read write open };
> allow logrotate_t mail_spool_t:dir { read open write remove_name};
> allow logrotate_t mail_spool_t:file setattr;
> allow logrotate_t fail2ban_var_run_t:sock_file write;
> allow logrotate_t initrc_t:unix_stream_socket connectto;
> allow logrotate_t squid_log_t:lnk_file rename;
>
> ===============8<==================================================
>
>
> This was today's AVC that necessitated the inclusion of the squid stuff:
>
> ===============8<==================================================
> Raw Audit Messages :
>
> node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
> node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 a0=890b130 a1=8908760 a2=890b060 a3=0 items=0 ppid=12300 pid=12302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2275 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
> ===============8<==================================================
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I dont use logrotate over here(not sure of the label),
but looking at the avc's you supplied
seems it's a label issue.
(but correct me if I'm wrong);

Justin P. Mattock

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list