avc denied from logrotate

Stephen Smalley sds at epoch.ncsc.mil
Fri Mar 26 13:37:45 UTC 2004


On Fri, 2004-03-26 at 02:39, Richard Hally wrote:
> Here are the avc denied messages from doing a logrotate.
> I get an error message when I try to do the logrotate in enforcing mode.
> I changed to permissive mode, did the logrotate and the resulting messages are attached:

With regard to the /etc/init.d/cups condrestart line in
/etc/logrotate.d/cups, should logrotate.te include:
domain_auto_trans(logrotate_t, initrc_exec_t, initrc_t)
so that the init script runs in the proper domain, and any subsequent
daemon restarts are transitioned to the right domain?  That would run
the init script in initrc_t rather than directly in logrotate_t, and
eliminate the need for the various domain_auto_trans(logrotate,
foo_exec_t, foo_t) rules that I see sprinkled about various daemon .te
files, since the usual transition from initrc_t would handle it.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
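An added example (not part of the post or of the Fedora policy) that models the two approaches above: a toy resolver that follows type_transition rules across a chain of exec() calls, comparing per-daemon logrotate_t rules against a single transition into initrc_t. The daemon type names cupsd_exec_t/cupsd_t and syslogd_exec_t/syslogd_t are assumed for illustration.

```python
# Toy model of SELinux domain transitions chained across execve() calls.
# Only the type_transition half of domain_auto_trans() is modelled; the
# accompanying allow rules are ignored. Types are from the thread except the
# daemon types, which are assumed names.

def resolve_chain(rules, start_domain, execs):
    """Follow execs in order, applying (src_domain, exec_type) -> dst_domain.

    Without a matching rule the process keeps its current domain, which is
    what SELinux does for an exec with no transition rule.
    Returns the domain after each exec.
    """
    table = {(src, exe): dst for src, exe, dst in rules}
    domain = start_domain
    path = []
    for exe in execs:
        domain = table.get((domain, exe), domain)
        path.append(domain)
    return path

# Transitions the normal boot path already has: init scripts start daemons.
INITRC_RULES = {
    ("initrc_t", "cupsd_exec_t", "cupsd_t"),        # assumed daemon types
    ("initrc_t", "syslogd_exec_t", "syslogd_t"),
}

# Approach 1: a per-daemon rule in each daemon's .te file (here only cups).
PER_DAEMON_RULES = INITRC_RULES | {
    ("logrotate_t", "cupsd_exec_t", "cupsd_t"),
}

# Approach 2 (proposed in the message): one rule in logrotate.te so the
# init script runs in initrc_t and the usual initrc_t rules take over.
INITRC_TRANS_RULES = INITRC_RULES | {
    ("logrotate_t", "initrc_exec_t", "initrc_t"),
}

# logrotate runs "/etc/init.d/cups condrestart" (initrc_exec_t), which
# then execs the daemon binary.
CUPS_CHAIN = ["initrc_exec_t", "cupsd_exec_t"]
SYSLOG_CHAIN = ["initrc_exec_t", "syslogd_exec_t"]

def compare():
    """Final domains of the init script and daemon under both approaches."""
    return {
        "cups_per_daemon": resolve_chain(PER_DAEMON_RULES, "logrotate_t", CUPS_CHAIN),
        "cups_initrc_trans": resolve_chain(INITRC_TRANS_RULES, "logrotate_t", CUPS_CHAIN),
        # A daemon with no per-logrotate rule stays stuck in logrotate_t.
        "syslog_per_daemon": resolve_chain(PER_DAEMON_RULES, "logrotate_t", SYSLOG_CHAIN),
        "syslog_initrc_trans": resolve_chain(INITRC_TRANS_RULES, "logrotate_t", SYSLOG_CHAIN),
    }
```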



