On 12/06/2009 04:38 AM, Arthur Dent wrote:
> Hello all,
>
> It seems that almost every week logrotate is throwing up a new AVC. I
> have an almost vanilla F11 install with most packages installed via yum
> and yet I keep getting these. Each time I audit2allow and build a new
> policy. My "mylogr.te" is now at version 7. Am I missing a bool or is
> there something else I'm lacking?
>
> Here is the latest version of my policy:
>
>
> ===============8<==================================================
>
> module mylogr 11.1.7;
>
> require {
>     type mail_spool_t;
>     type logrotate_t;
>     type fail2ban_var_run_t;
>     type initrc_t;
>     type squid_log_t;
>     class dir { read open write remove_name };
>     class file { getattr read write open };
>     class file setattr;
>     class sock_file write;
>     class unix_stream_socket connectto;
>     class lnk_file rename;
> }
>
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file { getattr read write open };
> allow logrotate_t mail_spool_t:dir { read open write remove_name };
> allow logrotate_t mail_spool_t:file setattr;
> allow logrotate_t fail2ban_var_run_t:sock_file write;
> allow logrotate_t initrc_t:unix_stream_socket connectto;
> allow logrotate_t squid_log_t:lnk_file rename;
>
> ===============8<==================================================
>
>
> This was today's AVC that necessitated the inclusion of the squid stuff:
>
> ===============8<==================================================
> Raw Audit Messages :
>
> node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
> node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 a0=890b130 a1=8908760 a2=890b060 a3=0 items=0 ppid=12300 pid=12302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2275 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
> ===============8<==================================================
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

I can allow logrotate to manage log lnk_files, and allow it to write to
the fail2ban socket.

Are you using a custom logrotate to rotate mail_spool?

Why is
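What audit2allow does with a denial like the one quoted above, shown as an added example that is not part of this thread or of the audit2allow tool itself: a Python script that parses the raw AVC record into source type, target type, object class and permissions, prints the candidate `allow` rule, and checks an existing `.te` module to report which of the denied permissions it does not yet grant. The AVC line is the one quoted in the message; the module text is constructed here from the quoted policy with the squid rule left out, and its version string is invented. Reviewing the generated rule against the module this way is the step a defender wants before rebuilding the module, since a denial on an unexpected type (here `squid_log_t` for a file under a log directory) can also mean the file is mislabelled rather than that the policy is missing a rule.

```python
import re

# Constructed copy of the AVC record quoted in the message.
SAMPLE_AVC = (
    'node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied '
    '{ rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 '
    'ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file'
)

# Constructed module text: the quoted mylogr.te without the squid_log_t rule.
# The version number 11.1.6 is invented for this example.
MODULE_BEFORE = """
module mylogr 11.1.6;

require {
    type mail_spool_t;
    type logrotate_t;
    type fail2ban_var_run_t;
    type initrc_t;
    class dir { read open write remove_name };
    class file { getattr read write open };
    class file setattr;
    class sock_file write;
    class unix_stream_socket connectto;
}

allow logrotate_t mail_spool_t:file { getattr read write open };
allow logrotate_t mail_spool_t:dir { read open write remove_name };
allow logrotate_t mail_spool_t:file setattr;
allow logrotate_t fail2ban_var_run_t:sock_file write;
allow logrotate_t initrc_t:unix_stream_socket connectto;
"""

# An AVC record: "avc: denied { perms } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# A type-enforcement allow rule with either a braced permission set or one bare permission.
ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>\w+))\s*;"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:mls-range]; the type is field 2.
    src_type = m.group("scontext").split(":")[2]
    tgt_type = m.group("tcontext").split(":")[2]
    perms = tuple(m.group("perms").split())
    return src_type, tgt_type, m.group("tclass"), perms


def to_allow_rule(denial):
    """Render the allow rule that would silence the denial (what audit2allow emits)."""
    src, tgt, cls, perms = denial
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))


def granted_perms(module_text):
    """Collect every (src, tgt, class, perm) granted by allow rules in a .te module."""
    granted = set()
    for m in ALLOW_RE.finditer(module_text):
        perm_text = m.group("set") if m.group("set") is not None else m.group("one")
        for perm in perm_text.split():
            granted.add((m.group("src"), m.group("tgt"), m.group("cls"), perm))
    return granted


def missing_perms(module_text, denial):
    """Permissions from the denial that the module does not yet grant."""
    src, tgt, cls, perms = denial
    granted = granted_perms(module_text)
    return [p for p in perms if (src, tgt, cls, p) not in granted]


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print("candidate rule:", to_allow_rule(denial))
    print("not yet granted by module:", missing_perms(MODULE_BEFORE, denial))
```

Running the script prints `allow logrotate_t squid_log_t:lnk_file { rename };` and reports `rename` as the permission the older module lacks; once the squid rule from the quoted version 11.1.7 is appended, the same check reports nothing missing.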