Hi,
in RHEL6 policy awstats module has been added and it works rather well except it is not suited for calling awstat from log rotate script.
It's a general practice to include awstats call before rotating logs, since awstats usually an hourly job, so there can be log entries between top of the hours and when log rotate job kicks in:
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
delaycompress
prerotate
/etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
endscript
postrotate
/sbin/service httpd graceful > /dev/null 2>/dev/null || true
endscript
}
I thought adding domain transition would help it, but I guess I did it wrong:
domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)
/etc/cron.hourly/awstats is bin_t, so I assume domain won't change from logrotate_t
I still get an AVC though:
type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld } for pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process
and I am not sure should I allow this or not.
Thanks,
Vadym
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
