Re: Logrotate frustration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/06/2009 04:38 AM, Arthur Dent wrote:
> Hello all,
> 
> Its seems that almost every week logrotate is throwing up a new AVC. I
> have an almost vanilla F11 install with most packages installed via yum
> and yet I keep getting these. Each time I audit2allow and build a new
> policy. My "mylogr.te" is now at version 7. Am I missing a bool or is
> there something else I'm lacking?
> 
> Here is the latest version of my policy:
> 
> 
> ===============8<==================================================
> 
> module mylogr 11.1.7;
> 
> require {
> 	type mail_spool_t;
> 	type logrotate_t;
> 	type fail2ban_var_run_t;
> 	type initrc_t;
> 	type squid_log_t;
> 	class dir {read open write remove_name};
> 	class file { getattr read write open};
> 	class file setattr;
> 	class sock_file write;
>         class unix_stream_socket connectto;
> 	class lnk_file rename;
> }
> 
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file { getattr read write open };
> allow logrotate_t mail_spool_t:dir { read open write remove_name};
> allow logrotate_t mail_spool_t:file setattr;
> allow logrotate_t fail2ban_var_run_t:sock_file write;
> allow logrotate_t initrc_t:unix_stream_socket connectto;
> allow logrotate_t squid_log_t:lnk_file rename;
> 
> ===============8<==================================================
> 
> 
> This was today's AVC that necessitated the inclusion of the squid stuff:
> 
> ===============8<==================================================
> Raw Audit Messages :
> 
> node=mydomain.org.uk type=AVC msg=audit(1260069452.494:45041): avc: denied { rename } for pid=12302 comm="logrotate" name="squidGuard.log" dev=sda5 ino=387195 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file 
> node=mydomain.org.uk type=SYSCALL msg=audit(1260069452.494:45041): arch=40000003 syscall=38 success=no exit=-13 a0=890b130 a1=8908760 a2=890b060 a3=0 items=0 ppid=12300 pid=12302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2275 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
> ===============8<==================================================
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.

Are you using a custom logrotate to rotate mail_spool?

Why is 

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux