On Tue, 2012-10-16 at 15:39 +0100, Moray Henderson wrote:
> On CentOS 6 I'm trying to get logrotate to work on some web files. At the
> moment they're httpd_sys_content_t and give
>
> Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc:
> denied { read write } for pid=1275 comm="logrotate" name="dnsview.html"
> dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> I wanted to see what did have access to those files, so used
>
> # sesearch --allow -t httpd_sys_content_t | less
>
> I thought that would show me all the allow rules with a target of
> httpd_sys_content_t, but it seems to show other stuff as well, which
> confused me:
>
> allow logwatch_t file_type : filesystem getattr ;
> allow logwatch_t file_type : file getattr ;
> allow logwatch_t file_type : dir { getattr search open } ;
> allow logwatch_t file_type : lnk_file getattr ;
>
> and so on. Is that supposed to show up? Does it mean that logwatch can
> search all directories regardless of their context?

httpd_sys_content_t is classified a file_type, thus sesearch returning these makes sense. When you run:

sesearch --allow -t httpd_sys_content_t | less

you query the policy.db for all allow rules where httpd_sys_content_t is a target, direct or indirect.

> Is there a context that would be appropriate for my files or will I need
> custom policy if I want to rotate them?

logrotate is for rotating logfiles.

Types for log files are classified "logfile". So either classify your type logfile or use an existing type that is classified logfile.

List all types that are classified logfile:

seinfo -xalogfile

List all the classifications of the httpd_sys_content_t type:

seinfo -xthttpd_sys_content_t

List all classifications:

seinfo -a

List all types:

seinfo -t

Query the policy database for logrotate_t access allowed to logfile targets:

sesearch -ASCT -s logrotate_t -t logfile

etc etc

When you understand the concept of classifying things with type and role attributes and learn how to use semanage, seinfo and sesearch to query the policy.db, then you can find solutions to any selinux policy problem.

I look at attributes as being able to append metadata to a type. It basically tells you or allows you to specify the property of a type. By default a type is just a type. To make a type, for example a type for files, you assign the existing file_type type attribute to the type. Now it is classified a file type.

Then you can write rules that apply to groups of types. So for example, instead of allowing "myapp_t" to write files with a single file type of "myfile_t", you can allow it to write all types that are types of files (classified file_type):

allow myapp_t myfile_t:file write;

versus

allow myapp_t file_type:file write;

There are many classifications (type attributes) and you can create your own and assign them to types.

> Moray.
> "To err is human; to purr, feline."

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
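An added example, not part of either message above and not setools code: a small Python model of what the reply describes. It holds a constructed miniature policy (type-to-attribute assignments and allow rules whose targets may be attributes), reproduces the indirect matching that makes `sesearch --allow -t httpd_sys_content_t` list rules written against `file_type`, models the `seinfo -a<attr>` listing of logfile-classified types, and parses the AVC denial quoted in the question to show the access decision. The attribute sets and rules are assumptions made up for the example, not the Fedora/CentOS reference policy.

```python
import re

# Constructed miniature policy (NOT the reference policy): the attributes
# each type carries. Attribute names mirror those used in the thread.
TYPE_ATTRS = {
    "httpd_sys_content_t": {"file_type", "httpdcontent"},
    "var_log_t": {"file_type", "logfile"},
    "httpd_log_t": {"file_type", "logfile"},
    "logrotate_t": {"domain"},
    "logwatch_t": {"domain"},
}

# Constructed allow rules: (source, target, object class, permissions).
# A source or target may be a plain type or an attribute, as in policy source.
ALLOW_RULES = [
    ("logwatch_t", "file_type", "dir", {"getattr", "search", "open"}),
    ("logwatch_t", "file_type", "file", {"getattr"}),
    ("logrotate_t", "logfile", "file", {"getattr", "open", "read", "write"}),
    ("logrotate_t", "logfile", "dir", {"search", "add_name", "remove_name"}),
    ("logrotate_t", "httpd_sys_content_t", "file", {"getattr"}),
]


def covers(name, type_name):
    """True if `name` in a rule is `type_name` itself or an attribute it carries."""
    return name == type_name or name in TYPE_ATTRS.get(type_name, set())


def types_with_attr(attr):
    """Model `seinfo -a<attr> -x`: every type classified with the attribute."""
    return sorted(t for t, attrs in TYPE_ATTRS.items() if attr in attrs)


def search_allow(target, direct=False):
    """Model `sesearch --allow -t TARGET`; direct=True mirrors `-d` (no attribute expansion)."""
    if direct:
        return [r for r in ALLOW_RULES if r[1] == target]
    return [r for r in ALLOW_RULES if covers(r[1], target)]


def is_allowed(source, target, tclass, perms):
    """Model the access decision: union the perms of every matching rule, then compare."""
    granted = set()
    for s, t, c, p in ALLOW_RULES:
        if covers(s, source) and covers(t, target) and c == tclass:
            granted |= p
    return set(perms) <= granted


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of_context(ctx):
    """Third field of user:role:type[:range] is the type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Extract perms, source/target types and object class from an AVC denial line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of_context(fields["scontext"]),
        "target": type_of_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def triage(line):
    """Explain a denial: what was asked, whether the toy policy grants it, and
    which attributes the target carries (the lever the reply points at)."""
    d = parse_avc(line)
    if d is None:
        return None
    d["allowed"] = is_allowed(d["source"], d["target"], d["tclass"], d["perms"])
    d["target_attrs"] = sorted(TYPE_ATTRS.get(d["target"], ()))
    d["logfile_types"] = types_with_attr("logfile")
    return d


# The denial quoted in the thread, joined back onto one line.
SAMPLE_AVC = (
    'Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc: '
    'denied { read write } for pid=1275 comm="logrotate" name="dnsview.html" '
    'dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

if __name__ == "__main__":
    for rule in search_allow("httpd_sys_content_t"):
        print("allow %s %s : %s { %s } ;" % (rule[0], rule[1], rule[2], " ".join(sorted(rule[3]))))
    print(triage(SAMPLE_AVC))
```

Running it lists the `logwatch_t file_type` rules alongside the one direct `httpd_sys_content_t` rule, which is the behaviour the question found confusing, and the triage of the quoted denial reports `allowed: False` together with the target's attributes (`file_type`, `httpdcontent`, no `logfile`) and the types that do carry `logfile`, which is the information the reply says to pull from `seinfo` and `sesearch` on a real system.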