Re: awstats and logrotate

Hi, in RHEL6 policy awstats module has been added and it works rather well except it is not suited for calling awstat from log rotate script. It's a general practice to include awstats call before rotating logs, since awstats usually an hourly job, so there can be log entries between top of the hours and when log rotate job kicks in: /var/log/httpd/*log { missingok notifempty sharedscripts delaycompress prerotate /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true endscript postrotate /sbin/service httpd graceful > /dev/null 2>/dev/null || true endscript } I thought adding domain transition would help it, but I guess I did it wrong: domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)

/etc/cron.hourly/awstats is bin_t, so I assume domain won't change from logrotate_t I still get an AVC though: type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld } for pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process and I am not sure should I allow this or not. Thanks, Vadym -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux