Logrotate frustration

Arthur Dent misc.lists at blueyonder.co.uk
Tue Dec 15 16:26:18 UTC 2009


On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
> On 12/14/2009 05:01 AM, Arthur Dent wrote:
> > On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
> >> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
> >>> On 12/06/2009 04:38 AM, Arthur Dent wrote:

[Snip]

> >>> I can allow logrotate to manage log lnk_files, and allow it to write to the fail2ban socket.
> >>>
> >>> Are you using a custom logrotate to rotate mail_spool?

[Snip]

> > 
> > OK - Following another arm of this thread I have (last week) done a
> > complete relabel and removed my existing fail2ban and logrotate local
> > policies.
> > 
> > As a result of yesterday's weekly log rotate squid threw up another
> > couple of AVCs related to log_lnk (see below).
> > 
> > I have created another local policy but, do I understand you correctly
> > Daniel that you may include log_lnk in a future targeted policy?
> > 
> > Here is my new logrotate policy:
> > 
> > ===============8<==================================================
> > 
> > module mylogr 11.2.2;
> > 
> > require {
> >         type mail_spool_t;
> >         type logrotate_t;
> >         type squid_log_t;
> >         class file getattr;
> >         class lnk_file { rename unlink };
> > }
> > 
> > #============= logrotate_t ==============
> > allow logrotate_t mail_spool_t:file getattr;
> > allow logrotate_t squid_log_t:lnk_file { rename unlink };
> > 
> > ===============8<==================================================
> > 
> > Is this OK?

[Snip]

> 
> Yes the squid access will not be needed.
> 
> Fixed in selinux-policy-3.6.32-59.fc12.noarch
> 
> logrotate looking at /mnt/backup/mail/rawmail
> Looks like a local customization.

Thanks Daniel,

OK - I am running F11:
# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.6.12-91.fc11.noarch
selinux-policy-3.6.12-91.fc11.noarch

Will there be a F11 version? (If so what version will it be in?)

In the meantime I should keep using my local policy I guess?...

Thanks again

Mark
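The local module quoted in the thread is normally compiled and installed with checkmodule, semodule_package and semodule. The following POSIX shell script is an added example, not code from this thread or from the Fedora policy, that writes that module (both rules as Mark posted them) to a .te file, runs a small awk sanity check that every type and class referenced by an allow rule is declared in the require block (the usual cause of a checkmodule failure when hand-editing a module), and then builds and loads it. It assumes checkmodule, semodule_package and semodule from policycoreutils are installed; the awk lint is my own declaration check, not a policy compiler, and the `install` argument and the /tmp working path are placeholders of this example.

```shell
#!/bin/sh
# Added example: write, lint, build and load a local SELinux module.
# Assumes the policycoreutils tools (checkmodule, semodule_package, semodule).

# Write the module text as quoted in the thread to the file named in $1.
write_te() {
cat > "$1" <<'EOF'
module mylogr 11.2.2;

require {
        type mail_spool_t;
        type logrotate_t;
        type squid_log_t;
        class file getattr;
        class lnk_file { rename unlink };
}

#============= logrotate_t ==============
allow logrotate_t mail_spool_t:file getattr;
allow logrotate_t squid_log_t:lnk_file { rename unlink };
EOF
}

# Check that every type and class used by an allow rule is declared in the
# require block. Prints each missing declaration; returns 1 if any is missing.
# (Constructed check for this example; "self" needs no declaration.)
lint_te() {
    awk '
        /^[[:space:]]*require[[:space:]]*\{/ { inreq = 1; next }
        inreq && /^[[:space:]]*\}/            { inreq = 0; next }
        inreq && $1 == "type"  { sub(/;$/, "", $2); declared["type:" $2] = 1; next }
        inreq && $1 == "class" { declared["class:" $2] = 1; next }
        $1 == "allow" {
            # allow <source_type> <target_type>:<class> <permissions>;
            src = $2
            split($3, pair, ":")
            tgt = pair[1]; cls = pair[2]
            if (!(("type:" src) in declared)) { print "undeclared source type: " src; bad = 1 }
            if (tgt != "self" && !(("type:" tgt) in declared)) { print "undeclared target type: " tgt; bad = 1 }
            if (!(("class:" cls) in declared)) { print "undeclared class: " cls; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Compile the .te into a .mod, package it as a .pp and load it with semodule.
build_and_load() {
    te=$1
    mod=${te%.te}.mod
    pp=${te%.te}.pp
    checkmodule -M -m -o "$mod" "$te" &&
    semodule_package -o "$pp" -m "$mod" &&
    semodule -i "$pp"
}

# Usage: sh thisscript.sh install   (placeholder entry point for this example)
if [ "${1:-}" = install ]; then
    te=${TMPDIR:-/tmp}/mylogr.te
    write_te "$te"
    lint_te "$te" && build_and_load "$te"
fi
```

Running the lint before checkmodule is cheap and gives a clearer message than the compiler's, which matters when a module like this one is edited by hand to drop a rule (for instance the squid_log_t rule once the updated targeted policy covers it) and the matching require entry is forgotten or left dangling.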

