On Fri, 2011-09-23 at 08:09 -0400, Vadym Chepkov wrote:
Hi,
In the RHEL6 policy an awstats module has been added and it works rather well, except it is
not suited for calling awstats from a logrotate script.
It's a general practice to include an awstats call before rotating logs, since awstats is
usually an hourly job, so there can be log entries between the top of the hour and when the
logrotate job kicks in:
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    prerotate
        /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
    endscript
    postrotate
        /sbin/service httpd graceful > /dev/null 2>/dev/null || true
    endscript
}
I thought adding a domain transition would help, but I guess I did it wrong:
domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)
Use domtrans_pattern() instead of domain_auto_trans().
/etc/cron.hourly/awstats is bin_t, so I assume the domain won't
change from logrotate_t.
I still get an AVC though:
type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld } for pid=30083
comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process
and I am not sure whether I should allow this or not.
Thanks,
Vadym
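
Added example, not part of the original thread: a small Python parser that turns AVC denials like the one quoted above into the type-enforcement rule each one corresponds to, so the requested access can be compared with what a policy macro grants. The first sample record is the denial from the message; the second is constructed for illustration, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Record 1: the denial quoted in the message (joined onto one line).
# Record 2: constructed for this example, to show merging per class.
_CTX = ('scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 '
        'tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 ')
SAMPLE = [
    'type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld } '
    'for pid=30083 comm="awstats" ' + _CTX + 'tclass=process',
    'type=AVC msg=audit(1316320942.650:21685): avc: denied { use } '
    'for pid=30083 comm="awstats" ' + _CTX + 'tclass=fd',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\S+)')

def context_type(context):
    """Return the type field of user:role:type[:mls-range]."""
    # The MLS range (s0-s0:c0.c1023) contains ':' itself, so cap the split.
    parts = context.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]

def parse_avc(line):
    """Return (source_type, target_type, class, perms) or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC denial (e.g. a SYSCALL record)
    return (context_type(m['scon']), context_type(m['tcon']),
            m['cls'], set(m['perms'].split()))

def candidate_rules(lines):
    """Merge denials per (source, target, class) into allow rules."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[rec[:3]] |= rec[3]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, text))
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE)))
```

In the reference policy, domtrans_pattern() grants the new domain fd use, fifo_file read/write and process sigchld towards the calling domain in addition to the transition itself, so the rule derived from the quoted denial is one that macro already contains.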