Re: Logrotate frustration


On 12/15/2009 11:26 AM, Arthur Dent wrote:
> On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
>> On 12/14/2009 05:01 AM, Arthur Dent wrote:
>>> On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
>>>> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
>>>>> On 12/06/2009 04:38 AM, Arthur Dent wrote:
> 
> [Snip]
> 
>>>>> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
>>>>>
>>>>> Are you using a custom logrotate to rotate mail_spool?
> 
> [Snip]
> 
>>>
>>> OK - Following another arm of this thread I have (last week) done a
>>> complete relabel and removed my existing fail2ban and logrotate local
>>> policies.
>>>
>>> As a result of yesterday's weekly log rotate squid threw up another
>>> couple of AVCs related to log_lnk (see below).
>>>
>>> I have created another local policy but, do I understand you correctly
>>> Daniel that you may include log_lnk in a future targeted policy?
>>>
>>> Here is my new logrotate policy:
>>>
>>> ===============8<==================================================
>>>
>>> module mylogr 11.2.2;
>>>
>>> require {
>>>         type mail_spool_t;
>>>         type logrotate_t;
>>>         type squid_log_t;
>>>         class file getattr;
>>>         class lnk_file { rename unlink };
>>> }
>>>
>>> #============= logrotate_t ==============
>>> allow logrotate_t mail_spool_t:file getattr;
>>> allow logrotate_t squid_log_t:lnk_file { rename unlink };
>>>
>>> ===============8<==================================================
>>>
>>> Is this OK?
> 
> [Snip]
> 
>>
>> Yes, the squid access will not be needed.
>>
>> Fixed in selinux-policy-3.6.32-59.fc12.noarch
>>
>> logrotate looking at /mnt/backup/mail/rawmail
>> Looks like a local customization.
> 
> Thanks Daniel,
> 
> OK - I am running F11:
> # rpm -qa | grep -i selinux-policy
> selinux-policy-targeted-3.6.12-91.fc11.noarch
> selinux-policy-3.6.12-91.fc11.noarch
> 
> Will there be a F11 version? (If so what version will it be in?)
> 
> In the meantime I should keep using my local policy I guess?...
> 
> Thanks again
> 
> Mark
> 
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Miroslav, 

Could you add this patch to F11?
diff -up serefpolicy-3.6.12/policy/modules/admin/logrotate.te~ serefpolicy-3.6.12/policy/modules/admin/logrotate.te
--- serefpolicy-3.6.12/policy/modules/admin/logrotate.te~	2009-12-21 14:09:24.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/admin/logrotate.te	2009-12-21 14:18:37.000000000 -0500
@@ -63,6 +63,7 @@ files_tmp_filetrans(logrotate_t, logrota
 create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
 manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+files_read_var_lib_files(logrotate_t)
 
 kernel_read_system_state(logrotate_t)
 kernel_read_kernel_sysctls(logrotate_t)
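Review bot: files_read_var_lib_files(logrotate_t) on the added line grants read access to every var_lib_t file, which is far broader than the logrotate_var_lib_t manage rules directly above it, and neither the cover message nor the thread mentions a denial under /var/lib; suggest the cover note say which file logrotate needs there, or use a type-specific read interface if one exists for that file's type.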
@@ -150,6 +151,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	asterisk_exec(logrotate_t)
+	asterisk_stream_connect(logrotate_t)
+')
+
+optional_policy(`
 	bind_manage_cache(logrotate_t)
 ')
 
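Review bot: The new asterisk_exec(logrotate_t) and asterisk_stream_connect(logrotate_t) block has no justification in the thread, which only covers mail_spool, the squid log links and the fail2ban socket; since asterisk_exec is built on can_exec with no domain transition, asterisk will run in logrotate_t, so the cover message should state why logrotate needs to execute asterisk and connect to its socket. The alphabetical placement ahead of bind_manage_cache is correct.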
@@ -162,6 +168,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fail2ban_stream_connect(logrotate_t)
+')
+
+optional_policy(`
 	hostname_exec(logrotate_t)
 ')
 
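Review bot: fail2ban_stream_connect(logrotate_t) matches the fail2ban socket write discussed earlier in the thread, but unlike the asterisk interfaces this patch adds no hunk to fail2ban.if, so it only builds if fail2ban_stream_connect already exists in the 3.6.12 tree; worth confirming before it goes into F11. Note also that the squid_log_t lnk_file { rename unlink } denial that started the thread is not covered by any of these hunks.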
diff -up serefpolicy-3.6.12/policy/modules/services/asterisk.if~ serefpolicy-3.6.12/policy/modules/services/asterisk.if
--- serefpolicy-3.6.12/policy/modules/services/asterisk.if~	2009-04-07 15:54:47.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/asterisk.if	2009-12-21 14:11:07.000000000 -0500
@@ -1,5 +1,43 @@
 ## <summary>Asterisk IP telephony server</summary>
 
+#####################################
+## <summary>
+##      Connect to asterisk over a unix domain
+##      stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`asterisk_stream_connect',`
+        gen_require(`
+                type asterisk_t, asterisk_var_run_t;
+        ')
+
+        files_search_pids($1)
+        stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
+')
+
+######################################
+## <summary>
+##	Execute asterisk 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`asterisk_exec',`
+	gen_require(`
+		type asterisk_exec_t;
+	')
+
+	can_exec($1, asterisk_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to administrate 
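Review bot: Indentation is inconsistent between the two new interfaces: asterisk_stream_connect is indented with spaces while asterisk_exec and the rest of the file use tabs, the `##	Execute asterisk ` summary line carries a trailing space, and the comment banner above asterisk_stream_connect is narrower than the others; suggest normalizing to tabs and the standard banner width. On substance, asterisk_exec is can_exec($1, asterisk_exec_t) with no domain transition, so its summary should say the caller executes asterisk in its own domain.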
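Added example for Mark's last question (not code from the thread or the refpolicy tree): a check that decides whether a local module should stay installed, given that the fix landed in an F12 build while the reporter runs F11. The rpmvercmp here is a simplified form of rpm's label comparison (no tilde or caret handling) and the dist-tag regex is an assumption that only covers fc/el tags.

```python
import re

# Values quoted from the thread: the fix is in the F12 build, the reporter runs F11.
FIXED_NVRA = "selinux-policy-3.6.32-59.fc12.noarch"
INSTALLED_NVRA = "selinux-policy-targeted-3.6.12-91.fc11.noarch"


def parse_nvra(pkg):
    """Split an rpm -qa line such as name-version-release.arch into four parts."""
    base, arch = pkg.rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def _segments(label):
    # rpm compares a label as alternating numeric and alphabetic runs; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpmvercmp(a, b):
    """Simplified rpm label compare returning -1, 0 or 1 (numeric segments beat alpha ones)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def dist_tag(release):
    # Assumed Fedora/RHEL convention: the release field ends in .fcNN or .elN.
    m = re.search(r"\.(fc\d+|el\d+)$", release)
    return m.group(1) if m else None


def local_module_still_needed(installed=INSTALLED_NVRA, fixed=FIXED_NVRA):
    """Return (needed, reason). Keep the local module until the installed policy is at
    least the fixed build for the same release; a build for another release proves nothing."""
    _, iv, ir, _ = parse_nvra(installed)
    _, fv, fr, _ = parse_nvra(fixed)
    if dist_tag(ir) != dist_tag(fr):
        return True, "fix is in a %s build; no %s build with it is known" % (dist_tag(fr), dist_tag(ir))
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return c < 0, "installed %s-%s vs fixed %s-%s" % (iv, ir, fv, fr)


if __name__ == "__main__":
    print(local_module_still_needed())
```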
