Re: [refpolicy-patch 06/23] logrotate policy update


 



Chris PeBenito wrote:
> On Sat, 2008-07-19 at 22:50 +0200, david@xxxxxxxxxxx wrote:
>> plain text document attachment (policy_modules_admin_logrotate.patch)
>> No controversial changes
> 
> I merged the uncontroversial changes.  The second one, however, is
> controversial in my opinion.
> 
>> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.0/policy/modules/admin/logrotate.te
>> --- nsaserefpolicy/policy/modules/admin/logrotate.te	2008-07-10 11:38:46.000000000 -0400
>> +++ serefpolicy-3.5.0/policy/modules/admin/logrotate.te	2008-07-15 14:05:12.000000000 -0400
>> @@ -71,6 +71,7 @@
>>  
>>  fs_search_auto_mountpoints(logrotate_t)
>>  fs_getattr_xattr_fs(logrotate_t)
>> +fs_list_inotifyfs(logrotate_t)
>>  
>>  mls_file_read_all_levels(logrotate_t)
>>  mls_file_write_all_levels(logrotate_t)
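Review bot: the added fs_list_inotifyfs(logrotate_t) line carries no comment and the submission gives no AVC showing why logrotate needs to list inotifyfs. Please add a one-line comment above it naming the operation that triggers the access. If the access turns out to be incidental rather than something logrotate needs in order to work, a dontaudit rule would be the narrower choice than an allow.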
>> @@ -96,9 +97,11 @@
>>  files_read_etc_files(logrotate_t)
>>  files_read_etc_runtime_files(logrotate_t)
>>  files_read_all_pids(logrotate_t)
>> +files_search_all(logrotate_t)
Log rotate rotates files in arbitrary directories.  So the ability to
search all directories is required in order to not break on several
installations.
>>  # Write to /var/spool/slrnpull - should be moved into its own type.
>>  files_manage_generic_spool(logrotate_t)
>>  files_manage_generic_spool_dirs(logrotate_t)
>> +files_getattr_generic_locks(logrotate_t)
logrotate rotates log files and then signals random domains that it has
changed the log files.  Usually doing a service DOMAIN reload or service
DOMAIN restart.  This is what is probably causing the avc.
>>  
>>  # cjp: why is this needed?
>>  init_domtrans_script(logrotate_t)
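Review bot: files_search_all(logrotate_t) in this hunk grants search on every directory type to a domain that already has mls_file_read_all_levels and mls_file_write_all_levels, and it is added without a comment. If it stays, the rationale (log files living in arbitrary directories) should be recorded in a comment above the line, and it is worth considering whether it should sit behind a tunable or be replaced by search on the specific directory types that hold logs. files_getattr_generic_locks(logrotate_t) likewise has no comment. Since the context line init_domtrans_script(logrotate_t) shows the service reload or restart running in a different domain, please confirm the denial is against logrotate_t itself before allowing it here.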
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
