-----Original Message-----
From: Daniel J Walsh [mailto:dwalsh@redhat.com]
Sent: 16 October 2012 16:21
On 10/16/2012 10:39 AM, Moray Henderson wrote:
> On CentOS 6 I'm trying to get logrotate to work on some web files.
At
> the moment they're httpd_sys_content_t and give
>
> Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512):
avc:
> denied { read write } for pid=1275 comm="logrotate"
name="dnsview.html"
> dev=dm-4 ino=263703
> scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
>
> I wanted to see what did have access to those files, so used
>
> # sesearch --allow -t httpd_sys_content_t | less
>
> I thought that would show me all the allow rules with a target of
> httpd_sys_content_t, but it seems to show other stuff as well, which
> confused me:
>
> allow logwatch_t file_type : filesystem getattr ; allow logwatch_t
> file_type : file getattr ; allow logwatch_t file_type : dir { getattr
> search open } ; allow logwatch_t file_type : lnk_file getattr ;
>
> and so on. Is that supposed to show up? Does it mean that logwatch
> can search all directories regardless of their context?
>
> Is there a context that would be appropriate for my files or will I
> need custom policy if I want to rotate them?
>
>
> Moray. "To err is human; to purr, feline."
>
>
You should be looking at logrotate_t not logwatch_t
# sesearch -A -s logrotate_t -p write -c file | grep logfile
allow logrotate_t logfile : file { ioctl read write create getattr
setattr lock append unlink link rename execute execute_no_trans open }
;
First off I would look at if this is actually necessary or just a leak.
Why would logrotate want to read/write dnsview.html? You might be best
off adding a dontaudit rule, although figuring out if this is a leak
and fixing the leak would be best.
Logwatch is allowed to manipulate log files so it is probably best to
have these be log files.
httpd_log_t maybe? If this is actually necessary.
Logtotate and logwatch are able to search any directory yes. But
remember search is different then list. I need to search through all
directories in a path, but if I want to see the contents of a directory
I need the list priv.
Thanks Daniel. It's not a leak - we have a script which drops summarised log
information into a file where it can be read from a browser. We rotate it like a normal
log file. I'll investigate httpd_log_t now that I understand a bit more about how to
use types.
Moray.
“To err is human; to purr, feline.”