Logrotate frustration
Daniel J Walsh
dwalsh at redhat.com
Mon Dec 21 19:21:07 UTC 2009
On 12/15/2009 11:26 AM, Arthur Dent wrote:
> On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
>> On 12/14/2009 05:01 AM, Arthur Dent wrote:
>>> On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
>>>> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
>>>>> On 12/06/2009 04:38 AM, Arthur Dent wrote:
>
> [Snip]
>
>>>>> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
>>>>>
>>>>> Are you using a custom logrotate to rotate mail_spool?
>
> [Snip]
>
>>>
>>> OK - Following another arm of this thread I have (last week) done a
>>> complete relabel and removed my existing fail2ban and logrotate local
>>> policies.
>>>
>>> As a result of yesterday's weekly log rotate squid threw up another
>>> couple of AVCs related to log_lnk (see below).
>>>
>>> I have created another local policy, but do I understand you correctly,
>>> Daniel, that you may include log_lnk in a future targeted policy?
>>>
>>> Here is my new logrotate policy:
>>>
>>> ===============8<==================================================
>>>
>>> module mylogr 11.2.2;
>>>
>>> require {
>>> type mail_spool_t;
>>> type logrotate_t;
>>> type squid_log_t;
>>> class file getattr;
>>> class lnk_file { rename unlink };
>>> }
>>>
>>> #============= logrotate_t ==============
>>> allow logrotate_t mail_spool_t:file getattr;
>>> allow logrotate_t squid_log_t:lnk_file { rename unlink };
>>>
>>> ===============8<==================================================
>>>
>>> Is this OK?
>
> [Snip]
>
>>
>> Yes, the squid access will not be needed.
>>
>> Fixed in selinux-policy-3.6.32-59.fc12.noarch
>>
>> logrotate looking at /mnt/backup/mail/rawmail
>> Looks like a local customization.
>
> Thanks Daniel,
>
> OK - I am running F11:
> # rpm -qa | grep -i selinux-policy
> selinux-policy-targeted-3.6.12-91.fc11.noarch
> selinux-policy-3.6.12-91.fc11.noarch
>
> Will there be a F11 version? (If so what version will it be in?)
>
> In the meantime I should keep using my local policy I guess?...
>
> Thanks again
>
> Mark
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Miroslav,
Could you add this patch to F11?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logrotate.diff
Type: text/x-patch
Size: 2382 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091221/6f07850b/attachment.bin>
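To show how a local module like the quoted mylogr one is derived from AVC denials, here is an added Python example (not from the thread or the SELinux project): a minimal audit2allow-style aggregator run over constructed sample denials shaped like the squid_log_t and mail_spool_t ones, with an option to drop rules that an updated shipped policy already grants, as Daniel notes for the squid access.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the thread), shaped like the squid_log_t
# lnk_file and mail_spool_t getattr AVCs that logrotate_t tripped over.
SAMPLE_AVCS = """\
type=AVC msg=audit(1260720001.123:456): avc:  denied  { rename } for  pid=1234 comm="logrotate" name="access.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
type=AVC msg=audit(1260720001.124:457): avc:  denied  { unlink } for  pid=1234 comm="logrotate" name="access.log.1" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
type=AVC msg=audit(1260720002.001:458): avc:  denied  { getattr } for  pid=1234 comm="logrotate" path="/mnt/backup/mail/rawmail" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1260720002.001:458): arch=c000003e syscall=4 success=no exit=-13
"""

def parse_avc(line):
    """Return (source_domain, target_type, tclass, perms) or None for a non-AVC line."""
    m = re.search(r'denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(scontext|tcontext|tclass)=(\S+)', line))
    sdom = fields['scontext'].split(':')[2]   # user:role:type:level -> type
    ttype = fields['tcontext'].split(':')[2]
    return sdom, ttype, fields['tclass'], set(m.group(1).split())

def fmt(perms):
    """Render a permission set the way .te files do: bare word or { a b }."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'

def build_module(name, version, avc_text, already_allowed=()):
    """Aggregate denials per (domain, type, class) and render a .te module.
    already_allowed: (sdom, ttype, tclass) triples the shipped policy now grants
    (e.g. confirmed with sesearch after an update); they are dropped so the local
    module carries only what the distribution policy still lacks."""
    rules = defaultdict(set)
    for line in avc_text.splitlines():
        parsed = parse_avc(line)
        if parsed and parsed[:3] not in set(already_allowed):
            rules[parsed[:3]] |= parsed[3]
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {fmt(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_module('mylogr', '1.0', SAMPLE_AVCS))
```

The rendered .te text is what would then go through checkmodule, semodule_package and semodule -i; once the fixed distribution policy is installed, pass the squid triple in already_allowed and the local module shrinks to the mail_spool rule alone.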