awstats and logrotate

Daniel J Walsh dwalsh at redhat.com
Fri Sep 23 14:48:21 UTC 2011



On 09/23/2011 08:13 AM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 08:09 -0400, Vadym Chepkov wrote:
>> Hi,
>> 
>> In the RHEL6 policy an awstats module has been added and it works
>> rather well, except it is not suited for calling awstats from a
>> logrotate script. It's a general practice to include an awstats call
>> before rotating logs, since awstats is usually an hourly job, so
>> there can be log entries between the top of the hour and when the
>> logrotate job kicks in:
>> 
>> /var/log/httpd/*log {
>>     missingok
>>     notifempty
>>     sharedscripts
>>     delaycompress
>>     prerotate
>>         /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
>>     endscript
>>     postrotate
>>         /sbin/service httpd graceful > /dev/null 2>/dev/null || true
>>     endscript
>> }
>> 
>> 
>> I thought adding domain transition would help it, but I guess I
>> did it wrong:
>> 
>> domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)
> 
> use domtrans_pattern() instead of domain_auto_trans()
> 
>> /etc/cron.hourly/awstats is bin_t, so I assume domain won't
>> change from logrotate_t
>> 
awstats_domtrans(logrotate_t) would be best if it existed.  I will
add it to Rawhide Policy.


>> 
>> I still get an AVC though:
>> 
>> type=AVC msg=audit(1316320942.646:21684): avc:  denied  { sigchld } for  pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process
>> 
>> and I am not sure whether I should allow this or not.
>> 
>> Thanks,
>> Vadym
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> 
> 



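An added example, not part of the original message or of any SELinux tool: a small Python parser that unwraps the AVC record quoted in this thread, derives the allow rule it implies, and checks whether the denial is one of the child-to-parent permissions that refpolicy's domtrans_pattern() grants on top of the transition itself. The function names and the DOMTRANS_EXTRAS table are assumptions made for this illustration; the fifo_file set is rw_fifo_file_perms as expanded in current refpolicy and may differ in older policy versions.

```python
import re

# Constructed sample: the AVC from the thread, still mail-wrapped and quoted.
SAMPLE_AVC = '''\
>> type=AVC msg=audit(1316320942.646:21684): avc:  denied  { sigchld
>> } for  pid=30083 comm="awstats"
>> scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
>> tclass=process
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')

# Access domtrans_pattern(parent, entry, child) gives the child on the parent,
# beyond the type transition (assumed table, see lead-in).
DOMTRANS_EXTRAS = {
    'process': {'sigchld'},
    'fd': {'use'},
    'fifo_file': {'getattr', 'open', 'read', 'write', 'append', 'ioctl', 'lock'},
}

def parse_avc(record):
    """Return source/target types, class and permissions of one AVC denial."""
    # Drop mail quote markers, then undo the line wrapping.
    flat = ' '.join(re.sub(r'(?m)^[> ]+', '', record).split())
    m = AVC_RE.search(flat)
    if not m:
        raise ValueError('not an AVC denial record')
    return {
        'source': m['scon'].split(':')[2],   # user:role:type:level
        'target': m['tcon'].split(':')[2],
        'tclass': m['tclass'],
        'perms': set(m['perms'].split()),
    }

def allow_rule(avc):
    """Render the rule the denial implies, for review before adding it."""
    perms = ' '.join(sorted(avc['perms']))
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {{ {perms} }};"

def covered_by_domtrans(avc, parent, child):
    """True if the denial is child-to-parent access domtrans_pattern grants."""
    return (avc['source'] == child and avc['target'] == parent
            and avc['perms'] <= DOMTRANS_EXTRAS.get(avc['tclass'], set()))

if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(allow_rule(avc), covered_by_domtrans(avc, 'logrotate_t', 'awstats_t'))
```

A denial that covered_by_domtrans() accepts is resolved by switching to domtrans_pattern() rather than by a hand-written allow rule; anything it rejects needs separate review.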

