On October 25, 2012 09:28:21 Daniel J Walsh wrote:
> > # semodule -l|grep awstat
> > awstats 1.2.0
> >
> > It works quite well for me, I had to add one rule :
> >
> > domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
> >
> > because I want logrotate to call awstat before it rotates apache log
> > files.
> >
> > Regards, Vadym
>
> Current policy has F17/F18/RHEL7 Beta has
>
> awstats_domtrans(logrotate_t)
>
> We will back port to RHEL6.

since we're on the subject of awstats...

AWstats has an option of "purging" log files which breaks (and probably
rightly so) with default setup. I had to pop

module awstats-httpd-logs 1.1;

require {
	type httpd_log_t;
	type awstats_t;
	class file write;
}

#============= awstats_t ==============
allow awstats_t httpd_log_t:file write;

module into the setup. However given that we're dealing with "Standard
function" of AWStats it would be nice to wrap it in conditional and throw in
base policy.

Which really raises a question: should base policies (and modules) cover all
aspects of "normal"/"legitimate" functionality of applications
"out-of-the-box" or shall we expect it to cover only a subset? Is it SELinux's
group role to suggest "insecure" practices that will not be covered by
policies and probably should be discouraged irregardless of SELinux state (on
or off)?

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
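The "wrap it in conditional" idea from the message above, sketched as a standalone module. This is an added example, not part of the original post and not the Fedora or reference policy; the module name and the boolean name `awstats_purge_httpd_logs` are assumptions made for illustration.

```te
# Constructed example: same allow rule as the posted module, but gated
# behind a boolean that defaults to off, so the write access only exists
# on hosts where the administrator has opted in to AWStats log purging.
module awstats_httpd_logs_cond 1.0;

require {
	type httpd_log_t;
	type awstats_t;
	class file write;
}

# Hypothetical boolean name; "false" keeps the stricter default behaviour.
bool awstats_purge_httpd_logs false;

#============= awstats_t ==============
if (awstats_purge_httpd_logs) {
	# Only active while the boolean is on.
	allow awstats_t httpd_log_t:file write;
}

# Build and load (standard SELinux userland tools):
#   checkmodule -M -m -o awstats_httpd_logs_cond.mod awstats_httpd_logs_cond.te
#   semodule_package -o awstats_httpd_logs_cond.pp -m awstats_httpd_logs_cond.mod
#   semodule -i awstats_httpd_logs_cond.pp
#
# Opt in persistently on hosts that use purging, and verify the state:
#   setsebool -P awstats_purge_httpd_logs on
#   getsebool awstats_purge_httpd_logs
```

With the boolean off, a purge attempt is still denied and shows up as an AVC denial for `awstats_t` on `httpd_log_t`, which makes the opt-in decision visible in the audit log.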