On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
> On 12/14/2009 05:01 AM, Arthur Dent wrote:
> > On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
> >> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> >>> On 12/06/2009 04:38 AM, Arthur Dent wrote:
[Snip]
> >>> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
> >>>
> >>> Are you using a custom logrotate to rotate mail_spool?
[Snip]
> >
> > OK - Following another arm of this thread I have (last week) done a
> > complete relabel and removed my existing fail2ban and logrotate local
> > policies.
> >
> > As a result of yesterday's weekly log rotate squid threw up another
> > couple of AVCs related to log_lnk (see below).
> >
> > I have created another local policy but, do I understand you correctly
> > Daniel that you may include log_lnk in a future targeted policy?
> >
> > Here is my new logrotate policy:
> >
> > ===============8<==================================================
> >
> > module mylogr 11.2.2;
> >
> > require {
> >         type mail_spool_t;
> >         type logrotate_t;
> >         type squid_log_t;
> >         class file getattr;
> >         class lnk_file { rename unlink };
> > }
> >
> > #============= logrotate_t ==============
> > allow logrotate_t mail_spool_t:file getattr;
> > allow logrotate_t squid_log_t:lnk_file { rename unlink };
> >
> > ===============8<==================================================
> >
> > Is this OK?
[Snip]
>
> Yes the squid access will not be needed.
>
> Fixed in selinux-policy-3.6.32-59.fc12.noarch
>
> logrotate looking at /mnt/backup/mail/rawmail
> Looks like a local customization.

Thanks Daniel,

OK - I am running F11:

# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.6.12-91.fc11.noarch
selinux-policy-3.6.12-91.fc11.noarch

Will there be a F11 version? (If so what version will it be in?)

In the meantime I should keep using my local policy I guess?...

Thanks again

Mark

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list