awstats and logrotate

Dominick Grift dominick.grift at gmail.com
Fri Sep 23 12:13:56 UTC 2011


On Fri, 2011-09-23 at 08:09 -0400, Vadym Chepkov wrote:
> Hi,
> 
> in RHEL6 policy an awstats module has been added and it works rather well, except it is not suited for calling awstats from a logrotate script.
> It's a general practice to include an awstats call before rotating logs, since awstats is usually an hourly job, so there can be log entries between the top of the hour and when the logrotate job kicks in:
> 
> /var/log/httpd/*log {
>     missingok
>     notifempty
>     sharedscripts
>     delaycompress
>     prerotate
>         /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
>     endscript
>     postrotate
>         /sbin/service httpd graceful > /dev/null 2>/dev/null || true
>     endscript
> }
> 
> 
> I thought adding domain transition would help it, but I guess I did it wrong:
> 
> domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)

Use domtrans_pattern() instead of domain_auto_trans().

> /etc/cron.hourly/awstats is bin_t, so I assume the domain won't change from logrotate_t
> 
> 
> I still get an AVC though:
> 
> type=AVC msg=audit(1316320942.646:21684): avc:  denied  { sigchld } for  pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process
> 
> and I am not sure whether I should allow this or not.
> 
> Thanks,
> Vadym

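Added example, not part of the original thread: a Python reading of the AVC record quoted above that renders it as the type-enforcement rule it represents and checks it against the child-to-parent permissions that refpolicy's domtrans_pattern() macro grants on top of the transition itself. The function names are hypothetical, and the grant list is an assumption based on the upstream refpolicy macro definition (its fifo_file rule is left out).

```python
import re

# AVC record exactly as quoted in the thread above.
AVC = ('type=AVC msg=audit(1316320942.646:21684): avc:  denied  { sigchld } for  '
       'pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(context):
    """Return the type field (third) of a user:role:type[:range] context."""
    return context.split(':')[2]

def parse_avc(line):
    """Extract source type, target type, class and permissions from a denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    return {'source': context_type(m['scon']),
            'target': context_type(m['tcon']),
            'tclass': m['tclass'],
            'perms': m['perms'].split()}

def allow_rule(d):
    """Render the denial as the allow rule that would permit it."""
    perms = d['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {p};"

def domtrans_child_grants(parent, child):
    """Assumed child-to-parent grants of domtrans_pattern(parent, exec, child)."""
    return {(child, parent, 'fd', 'use'),
            (child, parent, 'process', 'sigchld')}

def covered_by_domtrans(d, parent, child):
    """True if every denied permission is one domtrans_pattern would grant."""
    grants = domtrans_child_grants(parent, child)
    return all((d['source'], d['target'], d['tclass'], p) in grants
               for p in d['perms'])

if __name__ == '__main__':
    denial = parse_avc(AVC)
    print(allow_rule(denial))
    print(covered_by_domtrans(denial, 'logrotate_t', 'awstats_t'))
```

The source context in the record is already awstats_t, so the transition itself took place; what was denied is the child signalling its logrotate_t parent on exit.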