avc denied from logrotate
Stephen Smalley
sds at epoch.ncsc.mil
Fri Mar 26 13:50:10 UTC 2004
On Fri, 2004-03-26 at 02:39, Richard Hally wrote:
> Here are the avc denied messages from doing a logrotate.
> I get an error message when I try to do the logrotate in enforcing mode. I changed to
> permissive mode, did the logrotate and the resulting messages are attached:
With regard to the innd_log_t denial, is this file written by both
syslogd and innd? If it is only written by syslogd, then it shouldn't
be labeled innd_log_t. If it can be written by either daemon depending
on configuration, then perhaps syslogd.te should include
'create_append_log_file(syslogd_t, logfile)'.
Looks like logrotate needs can_exec(logrotate_t, logfile), although I
find that disturbing. Possibly need another domain with less
permissions that it can transition to when executing these temporary
files.
Can you enable syscall auditing (boot with audit=1) and re-run
logrotate, so that we can see the actual pathname parameters for some of
these calls? The slrnpull_spool_t ones look odd, as I wouldn't expect
that type on log files, and slrnpull does have its own log type.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
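The triage Stephen describes above (collapse the denials into the domain/type/class tuples a rule would need, then ask whether a file is mislabeled, whether a permission such as execute deserves its own domain, and whether the pathname is even known) can be scripted. The following is an added example for this page, not code from the thread, from logrotate or from the SELinux reference policy. The AVC lines it parses are constructed for the example: the type names are the ones discussed in the thread, while the pids, inode numbers and paths are invented, and the review heuristics (flag execute on a file, flag a non-`_log_t` type under `/var/log`, flag a record with no `path=`) are this editor's own rules of thumb, not policy-tool behaviour.

```python
"""Group SELinux AVC denials into (source domain, target type, class) ->
permissions, render the raw allow rules that would silence them, and flag
the denials a reviewer should examine rather than blindly allow.
The sample log below is constructed for this example."""
import re
from collections import defaultdict

# Matches both the 2004-era "exe=" records and newer "comm=" records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample of a permissive-mode logrotate run. Type names follow the
# thread; pids, inodes and paths are invented. The last record deliberately
# carries no path=, as a denial logged without syscall auditing might.
SAMPLE_LOG = """\
kernel: audit(1080268201.101:0): avc:  denied  { append } for  pid=4321 exe=/usr/sbin/logrotate path=/var/log/news/news.notice dev=hda2 ino=1001 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:innd_log_t tclass=file
kernel: audit(1080268201.102:0): avc:  denied  { write } for  pid=4321 exe=/usr/sbin/logrotate path=/var/log/news/news.notice dev=hda2 ino=1001 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:innd_log_t tclass=file
kernel: audit(1080268201.103:0): avc:  denied  { execute } for  pid=4322 exe=/usr/sbin/logrotate path=/var/log/logrotate.tmp.4322 dev=hda2 ino=1002 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_log_t tclass=file
kernel: audit(1080268201.104:0): avc:  denied  { read write } for  pid=4321 exe=/usr/sbin/logrotate path=/var/log/slrnpull.log dev=hda2 ino=1003 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
kernel: audit(1080268201.105:0): avc:  denied  { getattr } for  pid=4321 exe=/usr/sbin/logrotate dev=hda2 ino=1004 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:slrnpull_spool_t tclass=file
"""


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Extract one record per AVC denial line; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        denials.append({
            "perms": frozenset(m.group("perms").split()),
            "sdomain": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "path": fields.get("path"),
            "ino": fields.get("ino"),
            "exe": fields.get("exe") or fields.get("comm"),
        })
    return denials


def summarize(denials):
    """Union the denied permissions per (source domain, target type, class),
    which is the granularity at which an allow rule is written."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return {key: frozenset(perms) for key, perms in summary.items()}


def allow_rules(summary):
    """Render raw allow rules: the starting point a reviewer then replaces
    with the right policy macro, or rejects after fixing a label."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summary.items()
    )


def review_flags(denials):
    """Heuristic (editor's own) checks for denials that need a closer look."""
    flags = []
    for d in denials:
        where = d["path"] or f"ino={d['ino']}"
        if d["tclass"] == "file" and "execute" in d["perms"]:
            flags.append(f"execute on {d['ttype']} ({where}): consider a separate, "
                         f"less privileged domain instead of can_exec on the whole log type")
        if d["path"] and d["path"].startswith("/var/log/") and not d["ttype"].endswith("_log_t"):
            flags.append(f"{where} is labeled {d['ttype']}, which does not look like a log type: "
                         f"check file contexts before adding an allow rule")
        if d["path"] is None:
            flags.append(f"{where}: no pathname recorded; re-run with syscall auditing "
                         f"(boot with audit=1) to see which file was hit")
    return flags


if __name__ == "__main__":
    found = parse_avc(SAMPLE_LOG)
    for rule in allow_rules(summarize(found)):
        print(rule)
    for flag in review_flags(found):
        print("REVIEW:", flag)
```

Run it on a real `/var/log/messages` or `ausearch -m avc` dump by replacing `SAMPLE_LOG`; the grouping is the same thing audit2allow does, and the flags are the questions this reply raises, so anything flagged is a candidate for a relabel or a new domain rather than a bare allow rule.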