[DSE-Dev] refpolicy HEAD, patch for Debian logs of syslog rotation

Václav Ovsík vaclav.ovsik at i.cz
Tue Dec 11 14:52:08 UTC 2007


Hi,
there is another change for the refpolicy, so the Debian system can run
/etc/cron.daily/sysklogd successfully. This is the rotation of the logs parsed
from the syslog.conf config file. The script /usr/sbin/syslogd-listfiles lists
the logs that need rotation. The logs are then rotated using the script
/usr/bin/savelog.

Without the attached patch, the domain logrotate_t is not allowed to read
syslog_conf_t and the following denials are generated:

audit(1197384508.149:3): avc:  denied  { read } for  pid=1589 comm="syslogd-listfil" name="syslog.conf" dev=sda1 ino=213265 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
audit(1197384508.149:4): avc:  denied  { ioctl } for  pid=1589 comm="syslogd-listfil" name="syslog.conf" dev=sda1 ino=213265 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
audit(1197384508.149:5): avc:  denied  { getattr } for  pid=1589 comm="syslogd-listfil" name="syslog.conf" dev=sda1 ino=213265 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file

Can the changes be applied?
Thanks
-- 
Zito
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-debian-syslog.patch
Type: text/x-diff
Size: 1198 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20071211/3176e078/attachment.patch 

