selinux and logrotate

alex at milivojevic.org alex at milivojevic.org
Mon Jul 4 15:58:40 UTC 2005


I've asked once earlier about this, but was never able to fix it.  I have tried
so far versions 1.17.30-2.52.1 and 1.17.30-3.6 of targeted policy.

Basically, each night logrotate fails with the following logged to
/var/log/messages:

kernel: audit(1120381322.870:0): avc:  denied  { associate } for  pid=28612
exe=/usr/sbin/logrotate name=logrotate.OEFymP
scontext=system_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t
tclass=filesystem

My /tmp is a tmpfs mounted filesystem (as might be guessed from the above output).
Logrotate seems to save pre/post-rotate scripts into /tmp/logrotate.xxxxxx
files prior to executing them, so I guess the problem is that those get labeled
as tmpfs_t.

Most of pre/post-rotate scripts are just the standard ones (as installed by
distribution RPM packages).  On some systems I also have some custom post
rotate scripts that write some info into files in /var/log/mystuff directory
and execute logwatch filters on it for creating and mailing reports.  I'm
finding the same audit messages on both the systems with only the standard
logrotate configuration and on the system with additional custom postrotate
scripts.  However, I'm still curious if I need to allow anything additional for
my custom postrotate scripts?

Thanks for any and all help,
Aleksandar Milivojevic

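The AVC record quoted above is easier to read once its fields are pulled apart: for a `{ associate }` denial on `tclass=filesystem`, `scontext` is the label of the file being created (here `var_log_t`) and `tcontext` is the label of the filesystem it is being created on (here `tmpfs_t`), so the denial is about file labeling rather than about what the logrotate process may access. The following parser is an added example, not code from the original post or from the logrotate or SELinux projects; it assumes the kernel-style `avc: denied { perms } for key=value ...` line format shown in the post, and the second sample line (with a constructed `comm=`/`dev=`/`ino=` denial against a `file` class) is made up for illustration.

```python
"""Parse SELinux AVC denial lines as logged by the kernel to /var/log/messages
and classify each one as a file-labeling problem or a process-access problem."""
import re

# The denied permission set, then everything after "for" (the key=value fields).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be quoted (comm="logrotate") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First line: the denial quoted in the post, joined onto one line.
# Second line: a constructed sample (not from the post) to show the other branch.
SAMPLE_LINES = [
    'kernel: audit(1120381322.870:0): avc:  denied  { associate } for  pid=28612 '
    'exe=/usr/sbin/logrotate name=logrotate.OEFymP '
    'scontext=system_u:object_r:var_log_t tcontext=system_u:object_r:tmpfs_t '
    'tclass=filesystem',
    'kernel: audit(1120381400.000:0): avc:  denied  { write } for  pid=28700 '
    'comm="logrotate" name="logrotate.abc123" dev=tmpfs ino=4242 '
    'scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:tmpfs_t '
    'tclass=file',
]


def parse_avc(line):
    """Return {'perms': [...], 'fields': {...}} for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": m.group("perms").split(), "fields": fields}


def context_type(ctx):
    """Extract the type component from a user:role:type[:level] context."""
    return ctx.split(":")[2]


def explain(denial):
    """Classify a parsed denial and produce a one-line human explanation."""
    f = denial["fields"]
    src = context_type(f["scontext"])
    tgt = context_type(f["tcontext"])
    tclass = f.get("tclass", "")
    subject = f.get("exe") or f.get("comm")
    if "associate" in denial["perms"] and tclass == "filesystem":
        # For associate checks the source is the *file's* type and the target
        # is the *filesystem's* type: the file label is not allowed on that fs.
        kind = "labeling"
        message = (
            f"{subject}: a file labeled {src} is being created on a filesystem "
            f"of type {tgt}; policy does not allow {src} files on a {tgt} "
            f"filesystem (labeling problem, not a process-access problem)"
        )
    else:
        # Ordinary access check: source is the process domain, target the object.
        kind = "access"
        message = (
            f"{subject}: domain {src} was denied {','.join(denial['perms'])} "
            f"on a {tclass} labeled {tgt}"
        )
    return {
        "kind": kind,
        "source_type": src,
        "target_type": tgt,
        "subject": subject,
        "message": message,
    }


def scan(lines):
    """Parse and explain every AVC denial found in an iterable of log lines."""
    results = []
    for line in lines:
        denial = parse_avc(line)
        if denial is not None:
            results.append(explain(denial))
    return results


if __name__ == "__main__":
    for result in scan(SAMPLE_LINES):
        print(f"[{result['kind']}] {result['message']}")
```

Run against the post's line, the parser reports a labeling denial with source type `var_log_t` and target type `tmpfs_t`, which is the signal that the temporary script file inherits a label the tmpfs filesystem is not allowed to hold; the constructed second line comes out as an ordinary access denial against the `logrotate_t` domain.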
