On Tue, 2009-12-15 at 09:39 -0500, Daniel J Walsh wrote:
On 12/14/2009 05:01 AM, Arthur Dent wrote:
> On Mon, 2009-12-07 at 22:30 +0000, Arthur Dent wrote:
>> On Mon, 2009-12-07 at 16:24 -0500, Daniel J Walsh wrote:
>>> On 12/06/2009 04:38 AM, Arthur Dent wrote:
[Snip]
>>> I can allow logrotate to manage log lnk_files, and allow
>>> it to write to the fail2ban socket.
>>>
>>> Are you using a custom logrotate to rotate mail_spool?
[Snip]
>
> OK - Following another arm of this thread I have (last week) done a
> complete relabel and removed my existing fail2ban and logrotate local
> policies.
>
> As a result of yesterday's weekly log rotate squid threw up another
> couple of AVCs related to log_lnk (see below).
>
> I have created another local policy but, do I understand you correctly
> Daniel that you may include log_lnk in a future targeted policy?
>
> Here is my new logrotate policy:
>
> ===============8<==================================================
>
> module mylogr 11.2.2;
>
> require {
> type mail_spool_t;
> type logrotate_t;
> type squid_log_t;
> class file getattr;
> class lnk_file { rename unlink };
> }
>
> #============= logrotate_t ==============
> allow logrotate_t mail_spool_t:file getattr;
> allow logrotate_t squid_log_t:lnk_file { rename unlink };
>
> ===============8<==================================================
>
> Is this OK?
[Snip]
Yes, the squid access will not be needed.
Fixed in selinux-policy-3.6.32-59.fc12.noarch
logrotate looking at /mnt/backup/mail/rawmail
Looks like a local customization.
Thanks Daniel,
OK - I am running F11:
# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.6.12-91.fc11.noarch
selinux-policy-3.6.12-91.fc11.noarch
Will there be a F11 version? (If so what version will it be in?)
In the meantime I should keep using my local policy I guess?...
Thanks again
Mark
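As an added example (not from the thread or from the selinux-policy project), the Python script below does by hand what Mark did for the logrotate denials above: it parses AVC records into allow rules grouped by source type, target type and object class, and renders them as a Type Enforcement module in the same format as the mylogr module quoted in the thread. The AVC lines are constructed to match the types discussed; on a real system audit2allow performs this step.

```python
import re
from collections import defaultdict

# Constructed AVC records (not from the thread); types/classes match the denials discussed.
SAMPLE_AVCS = """\
type=AVC msg=audit(1260604800.123:456): avc:  denied  { rename } for  pid=1234 comm="logrotate" name="cache.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
type=AVC msg=audit(1260604800.124:457): avc:  denied  { unlink } for  pid=1234 comm="logrotate" name="cache.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:squid_log_t:s0 tclass=lnk_file
type=AVC msg=audit(1260604801.001:458): avc:  denied  { getattr } for  pid=1234 comm="logrotate" path="/mnt/backup/mail/rawmail" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
"""

# Permission set, source/target *type* (third field of each context) and class of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+).*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+).*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avcs(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])] |= set(m["perms"].split())
    return dict(rules)

def _fmt(perms):
    """One permission bare, several in braces, as in the thread's module."""
    ps = sorted(perms)
    return ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"

def render_module(name, version, rules):
    """Render a TE module whose require block covers every type and class used."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_fmt(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("mylogr", "11.2.2", parse_avcs(SAMPLE_AVCS)))
```

Once a selinux-policy build carrying Daniel's fix is installed, `sesearch --allow -s logrotate_t -t squid_log_t -c lnk_file` shows whether the rule is now in the base policy, at which point the local module is redundant and can be removed with `semodule -r`.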