> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: 16 October 2012 16:21
>
> On 10/16/2012 10:39 AM, Moray Henderson wrote:
> > On CentOS 6 I'm trying to get logrotate to work on some web files. At
> > the moment they're httpd_sys_content_t and give
> >
> > Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc:
> > denied { read write } for pid=1275 comm="logrotate" name="dnsview.html"
> > dev=dm-4 ino=263703
> > scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
> >
> > I wanted to see what did have access to those files, so used
> >
> > # sesearch --allow -t httpd_sys_content_t | less
> >
> > I thought that would show me all the allow rules with a target of
> > httpd_sys_content_t, but it seems to show other stuff as well, which
> > confused me:
> >
> > allow logwatch_t file_type : filesystem getattr ;
> > allow logwatch_t file_type : file getattr ;
> > allow logwatch_t file_type : dir { getattr search open } ;
> > allow logwatch_t file_type : lnk_file getattr ;
> >
> > and so on. Is that supposed to show up? Does it mean that logwatch
> > can search all directories regardless of their context?
> >
> > Is there a context that would be appropriate for my files or will I
> > need custom policy if I want to rotate them?
> >
> >
> > Moray.
> > "To err is human; to purr, feline."
>
> You should be looking at logrotate_t not logwatch_t
>
> # sesearch -A -s logrotate_t -p write -c file | grep logfile
> allow logrotate_t logfile : file { ioctl read write create getattr
> setattr lock append unlink link rename execute execute_no_trans open } ;
>
> First off I would look at if this is actually necessary or just a leak.
> Why would logrotate want to read/write dnsview.html? You might be best
> off adding a dontaudit rule, although figuring out if this is a leak
> and fixing the leak would be best.
>
> Logwatch is allowed to manipulate log files so it is probably best to
> have these be log files.
>
> httpd_log_t maybe? If this is actually necessary.
>
> Logrotate and logwatch are able to search any directory yes. But
> remember search is different than list. I need to search through all
> directories in a path, but if I want to see the contents of a directory
> I need the list priv.

Thanks Daniel. It's not a leak - we have a script which drops summarised
log information into a file where it can be read from a browser. We
rotate it like a normal log file. I'll investigate httpd_log_t now that I
understand a bit more about how to use types.

Moray.
“To err is human; to purr, feline.”

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
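As an added example (not part of the thread or of any SELinux tool), a small POSIX shell helper that parses the AVC denial quoted above into its source domain, target type, object class and denied permissions, and builds the narrower sesearch query Daniel recommends instead of listing every rule that names the target type. The function names are my own and the sample line is constructed from the thread's denial.

```shell
#!/bin/sh
# Added example: turn one AVC denial line into the sesearch query scoped to
# that denial (source domain, target type, class, permissions). Needs only
# sed/cut/tr, not setools. AVC_LINE is constructed from the thread's denial.

AVC_LINE='Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc: denied { read write } for pid=1275 comm="logrotate" name="dnsview.html" dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=value, with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# avc_perms LINE: space-separated permissions inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# sesearch_query LINE: allow-rule query restricted to this denial's
# source domain, target type, class and permissions.
sesearch_query() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    _cls=$(avc_field "$1" tclass)
    _perms=$(avc_perms "$1" | tr ' ' ',')
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$_src" "$_tgt" "$_cls" "$_perms"
}

sesearch_query "$AVC_LINE"
# -> sesearch -A -s logrotate_t -t httpd_sys_content_t -c file -p read,write
```

An empty result from the generated query confirms the denial is a real policy gap (to be fixed by relabelling, as with httpd_log_t here, or by local policy), while a non-empty one points at the rule already in place.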