Logrotate frustration

Daniel J Walsh dwalsh at redhat.com
Mon Dec 21 19:21:07 UTC 2009 

On 12/15/2009 11:26 AM, Arthur Dent wrote:
> On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
>> On 12/14/2009 05:01 AM, Arthur Dent wrote:
>>> On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
>>>> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
>>>>> On 12/06/2009 04:38 AM, Arthur Dent wrote:
> 
> [Snip]
> 
>>>>> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
>>>>>
>>>>> Are you using a custom logrotate to rotate mail_spool?
> 
> [Snip]
> 
>>>
>>> OK - Following another arm of this thread I have (last week) done a
>>> complete relabel and removed my existing fail2ban and logrotate local
>>> policies.
>>>
>>> As a result of yesterday's weekly log rotate squid threw up another
>>> couple of AVCs related to log_lnk (see below).
>>>
>>> I have created another local policy but, do I understand you correctly
>>> Daniel that you may include log_lnk in a future targeted policy?
>>>
>>> Here is my new logrotate policy:
>>>
>>> ===============8<==================================================
>>>
>>> module mylogr 11.2.2;
>>>
>>> require {
>>>         type mail_spool_t;
>>>         type logrotate_t;
>>> 	type squid_log_t;
>>>         class file getattr;
>>> 	class lnk_file { rename unlink };
>>> }
>>>
>>> #============= logrotate_t ==============
>>> allow logrotate_t mail_spool_t:file getattr;
>>> allow logrotate_t squid_log_t:lnk_file { rename unlink };
>>>
>>> ===============8<==================================================
>>>
>>> Is this OK?
> 
> [Snip]
> 
>>
>> Yes the squid access will not be needed.
>>
>> Fixed in selinux-policy-3.6.32-59.fc12.noarch
>>
>> logrotate looking at /mnt/backup/mail/rawmail
>> Looks like a local customization.
> 
> Thanks Daniel,
> 
> OK - I am running F11:
> # rpm -qa | grep -i selinux-policy
> selinux-policy-targeted-3.6.12-91.fc11.noarch
> selinux-policy-3.6.12-91.fc11.noarch
> 
> Will there be a F11 version? (If so what version will it be in?)
> 
> In the meantime I should keep using my local policy I guess?...
> 
> Thanks again
> 
> Mark
> 
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Miroslav, 

Could you add this patch to F11?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logrotate.diff
Type: text/x-patch
Size: 2382 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20091221/6f07850b/attachment.bin>

More information about the fedora-selinux-list mailing list