Hi Jason,
On 12/11/2015 08:51 PM, jason wrote:
> Hi All,
> I am attempting to use logrotate to rotate a log file with the
> unlabeled_t context, and, as it turns out, SELinux is not happy about this
> and denies logrotate access to the log file.
logrotate should run under the logrotate_t SELinux context. I would
recommend that you fix all security contexts on your system using:
# restorecon -R -v /
After this, logrotate should run under the logrotate_t SELinux context.
> What's the preferred method here to allow access? I used audit2allow
> and installed the .pp but was reading some docs[0] and wanted to
> double check my solution.
> The points in the docs that I wanted to check on were "Missing TE
> rules are usually caused by bugs in SELinux policy and should be
> reported..." Should I report my particular instance as a bug?
Could you attach the AVC msgs using:
# ausearch -m AVC
We can analyze these msgs and figure out if it is some bug in the SELinux policy
or create some local SELinux module for you.
> "Modules created with audit2allow may allow more access than required.
True, you should always properly read the AVC msg and allow just what is
mentioned in the AVC msg. The audit2allow tool can use too generic a rule as
a fix, and this is a wrong habit for writing policies.
> It is recommended that policy created with audit2allow be posted to the
> upstream SELinux list for review."
You can attach your local policy also here for checking. :)
> Thanks in advance!
> JT
> [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> http://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Regards,
Lukas.
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
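The distinction Lukas draws above (a mislabeled file or process is fixed with restorecon, whereas a denial against correctly labeled objects may be a policy bug worth reporting) can be applied mechanically to `ausearch -m AVC` output. The following triage script is an added example, not code from the thread or from Red Hat; the two AVC lines it runs on are constructed samples, and the MISLABEL/REVIEW verdicts are a hypothetical scheme for this example.

```shell
#!/bin/sh
# Triage SELinux AVC denials before reaching for audit2allow: an unlabeled_t
# target (or a daemon outside its own domain) is a labeling problem fixed with
# restorecon, not a missing TE rule. Reads AVC lines on stdin, e.g. the output
# of `ausearch -m AVC`, and prints one verdict per denial:
#   MISLABEL - fix file/process labels with restorecon, no policy change needed
#   REVIEW   - labels look right; read the denial and consider a policy bug report

avc_field() {  # avc_field <line> <key> -> value of key=... with quotes stripped
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

se_type() {    # se_type <user:role:type[:mls]> -> type
    printf '%s\n' "$1" | cut -d: -f3
}

classify_avc() {  # stdin: AVC lines; stdout: "<verdict> <comm> <stype> <ttype> {<perms>}"
    while IFS= read -r line; do
        case "$line" in *"avc:"*"denied"*) ;; *) continue ;; esac
        comm=$(avc_field "$line" comm)
        stype=$(se_type "$(avc_field "$line" scontext)")
        ttype=$(se_type "$(avc_field "$line" tcontext)")
        perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
        verdict=REVIEW
        # unlabeled_t on either side means the label is wrong, not the policy.
        case "$stype:$ttype" in *unlabeled_t*) verdict=MISLABEL ;; esac
        # logrotate not confined in logrotate_t is also a labeling problem.
        if [ "$comm" = logrotate ] && [ "$stype" != logrotate_t ]; then
            verdict=MISLABEL
        fi
        printf '%s %s %s %s {%s}\n' "$verdict" "$comm" "$stype" "$ttype" "$perms"
    done
}

# Constructed sample denials (not real audit output): the unlabeled_t case from
# the thread, and a second denial against a correctly labeled var_log_t file.
SAMPLE_AVC='type=AVC msg=audit(1449867102.123:456): avc:  denied  { read open } for  pid=1234 comm="logrotate" name="app.log" dev="dm-0" ino=12345 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1449867103.456:457): avc:  denied  { write } for  pid=1234 comm="logrotate" name="app.log" dev="dm-0" ino=12345 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

triage_sample() {  # run the classifier over the constructed sample
    printf '%s\n' "$SAMPLE_AVC" | classify_avc
}

triage_sample
```

On a real system, pipe `ausearch -m AVC | classify_avc` after running the restorecon from the reply; any denial still marked REVIEW is the one worth reading line by line and attaching to a bug report or a hand-written local module.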