On 09/23/2011 08:13 AM, Dominick Grift wrote:
On Fri, 2011-09-23 at 08:09 -0400, Vadym Chepkov wrote:
> Hi,
>
> In RHEL6 policy the awstats module has been added, and it works rather
> well, except it is not suited for calling awstats from a log rotate
> script. It's a general practice to include an awstats call before
> rotating logs, since awstats is usually an hourly job, so there can
> be log entries between the top of the hour and when the log rotate job
> kicks in:
>
> /var/log/httpd/*log {
>     missingok
>     notifempty
>     sharedscripts
>     delaycompress
>     prerotate
>         /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
>     endscript
>     postrotate
>         /sbin/service httpd graceful > /dev/null 2>/dev/null || true
>     endscript
> }
>
>
> I thought adding domain transition would help it, but I guess I
> did it wrong:
>
> domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)
Use domtrans_pattern() instead of domain_auto_trans().
> /etc/cron.hourly/awstats is bin_t, so I assume domain won't
> change from logrotate_t
>
awstats_domtrans(logrotate_t) would be best if it existed. I will
add it to Rawhide Policy.
>
> I still get an AVC though:
>
> type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld
> } for pid=30083 comm="awstats"
> scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tclass=process
>
> and I am not sure whether I should allow this or not.
>
> Thanks,
> Vadym
> --
> selinux mailing list
> selinux(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
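
The local policy module the replies point toward, written out as an added example (not code from anyone in this thread, and not the Rawhide change mentioned above). The module name local_logrotate_awstats is hypothetical; the three allow rules in the comments are what domtrans_pattern() adds on top of the automatic transition in the reference policy's support macros.

```selinux
policy_module(local_logrotate_awstats, 1.0)

gen_require(`
	type logrotate_t;
	type awstats_t;
	type awstats_exec_t;
')

# Before (from the original question):
#   domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)
# That grants execute on awstats_exec_t, the process transition and the
# type_transition rule, and nothing else. The AVC in the thread has
# scontext awstats_t, so the transition itself already happens once the
# bin_t cron script executes a file labeled awstats_exec_t. What is
# missing is the path back from the child domain to its parent.
#
# After: domtrans_pattern() sets up the same automatic transition and
# additionally allows the new domain to
#   allow awstats_t logrotate_t:fd use;
#   allow awstats_t logrotate_t:fifo_file rw_fifo_file_perms;
#   allow awstats_t logrotate_t:process sigchld;
# The last rule is the permission denied in the quoted AVC.
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
```

Saved as local_logrotate_awstats.te, this builds with `make -f /usr/share/selinux/devel/Makefile local_logrotate_awstats.pp` and loads with `semodule -i local_logrotate_awstats.pp`.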