On Tue, 2007-12-11 at 15:52 +0100, Václav Ovsík wrote:
> there is another change for the refpolicy, so the Debian system can run
> /etc/cron.daily/sysklogd successfully. This is rotation for logs parsed
> from syslog.conf config file. Script /usr/sbin/syslogd-listfiles lists
> logs that need rotation. Logs are rotated using script
> /usr/bin/savelog then.
>
> Without attached patch domain logrotate_t is not allowed to read
> syslog_conf_t and following denials are generated:
>
> audit(1197384508.149:3): avc: denied { read } for pid=1589 comm="syslogd-listfil" name="syslog.conf" dev=sda1 ino=213265 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
> audit(1197384508.149:4): avc: denied { ioctl } for pid=1589 comm="syslogd-listfil" name="syslog.conf" dev=sda1 ino=213265 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
> audit(1197384508.149:5): avc: denied { getattr } for pid=1589 comm="syslogd-listfil" name="syslog.conf" dev=sda1 ino=213265 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file

Merged. I renamed the interface and moved the te file change lower to
the preexisting distro_debian block.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
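An added example, not part of the original message or of the refpolicy patch: a small parser that groups the three AVC denials quoted above by source type, target type and object class, and emits the raw allow rule they imply. The merged change grants this access through a refpolicy interface whose name the message does not give, so the output here is the plain rule form; the function names are assumptions of this sketch.

```python
import re
from collections import defaultdict

# The three denials quoted in the message above, copied as posted.
_TAIL = ('for pid=1589 comm="syslogd-listfil" name="syslog.conf" dev=sda1 '
         'ino=213265 scontext=system_u:system_r:logrotate_t:s0 '
         'tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file')
SAMPLE_LOG = "\n".join(
    f"audit(1197384508.149:{n}): avc: denied {{ {perm} }} {_TAIL}"
    for n, perm in ((3, "read"), (4, "ioctl"), (5, "getattr")))

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return parts[2]


def parse_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial record
        fields = dict(FIELD_RE.findall(match.group(2)))
        try:
            key = (context_type(fields["scontext"]),
                   context_type(fields["tcontext"]),
                   fields["tclass"])
        except (KeyError, ValueError):
            continue  # truncated record: skip it rather than guess
        needed[key].update(match.group(1).split())
    return needed


def to_allow_rules(needed):
    """Render one allow rule per (source, target, class) triple, sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


if __name__ == "__main__":
    print("\n".join(to_allow_rules(parse_denials(SAMPLE_LOG))))
```

All three denials collapse into a single read-only rule on `syslog_conf_t` files, which matches the scope the message describes: `logrotate_t` needs to read the syslog configuration, nothing more.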