On Wed, 28 May 2008 15:00:21 -0400
Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> Paul Howarth wrote:
> > Being an old-fashioned sort of guy, I always create a separate
> > partition (well, logical volume these days) for /tmp and various
> > other top-level directories. Hence I have a
> > directory /tmp/lost+found and every day I get an email from cron
> > like this:
> >
> > Subject: Cron <root@goalkeeper> run-parts /etc/cron.daily
> > Date: Tue, 27 May 2008 04:17:12 +0100
> >
> > /etc/cron.daily/tmpwatch:
> >
> > error: failed to lstat /tmp/lost+found: Permission denied
> >
> > The following policy fixes this:
> >
> > policy_module(localmisc, 0.0.1)
> >
> > require {
> >     type tmpreaper_t;
> > }
> >
> > # Allow tmpwatch to stat /tmp/lost+found
> > files_getattr_lost_found_dirs(tmpreaper_t)
> >
> > Paul.
> That is funny because the policy has
> files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
> So in order to get rid of the error, we need to allow it, which seems
> reasonable.
Yes, the dontaudit made it that much harder to figure out what was
going on but "semodule -BD" came to the rescue there.
Paul.
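As an added example (not part of the thread, and not Paul's or Dan's code), the script below turns the steps discussed above into a repeatable procedure: it writes the localmisc.te Paul posted, uses "semodule -DB" to temporarily disable dontaudit rules so the otherwise hidden getattr denial shows up in the audit log, builds and loads the module with the refpolicy devel Makefile, and re-enables dontaudit with "semodule -B". It assumes policycoreutils, audit and selinux-policy-devel are installed (the build step is skipped with a message if they are not) and that tmpwatch runs as tmpreaper_t, as in the thread.

```shell
#!/bin/sh
# Added example: build and load the "localmisc" module from the thread and
# make the dontaudit-suppressed denial visible while diagnosing it.
set -e

# write_localmisc_te DIR: write Paul's policy source into DIR/localmisc.te
# and print the path of the file written.
write_localmisc_te() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/localmisc.te" <<'EOF'
policy_module(localmisc, 0.0.1)

require {
    type tmpreaper_t;
}

# Allow tmpwatch to stat /tmp/lost+found
files_getattr_lost_found_dirs(tmpreaper_t)
EOF
    printf '%s\n' "$dir/localmisc.te"
}

# te_file_has_rule FILE: check that the allow interface call is present.
te_file_has_rule() {
    grep -q 'files_getattr_lost_found_dirs(tmpreaper_t)' "$1"
}

# show_denials: disable dontaudit rules, reproduce the cron job's error so
# the AVC is logged, show it, then restore the dontaudit rules. Must run as
# root on the affected host; not run by the self-test.
show_denials() {
    semodule -DB                        # disable dontaudit rules and rebuild
    /etc/cron.daily/tmpwatch || true    # reproduce "failed to lstat /tmp/lost+found"
    ausearch -m avc -c tmpwatch         # the now-visible getattr denial
    semodule -B                         # rebuild with dontaudit rules back on
}

# build_and_load DIR: compile DIR/localmisc.te into localmisc.pp with the
# refpolicy devel Makefile and load it. Skips (returns 0) when the SELinux
# development tools are not installed, so the script is safe to dry-run.
build_and_load() {
    dir="$1"
    makefile=/usr/share/selinux/devel/Makefile
    if [ ! -f "$makefile" ] || ! command -v semodule >/dev/null 2>&1; then
        echo "selinux-policy-devel / policycoreutils not installed; skipping build" >&2
        return 0
    fi
    (cd "$dir" && make -f "$makefile" localmisc.pp)
    semodule -i "$dir/localmisc.pp"
}
```

On the affected host, run show_denials first to confirm the AVC (it should name tmpreaper_t, tclass dir and the getattr permission), then write_localmisc_te and build_and_load. The base policy's dontaudit rule stays in place, but once the access is allowed there is no denial left for it to suppress, so the cron mail stops.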