awstats and logrotate
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 23 14:48:21 UTC 2011
On 09/23/2011 08:13 AM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 08:09 -0400, Vadym Chepkov wrote:
>> Hi,
>>
>> In RHEL6 policy the awstats module has been added and it works rather
>> well, except it is not suited for calling awstats from a logrotate
>> script. It's a general practice to include an awstats call before
>> rotating logs, since awstats is usually an hourly job, so there can
>> be log entries between the top of the hour and when the logrotate job
>> kicks in:
>>
>> /var/log/httpd/*log {
>>     missingok
>>     notifempty
>>     sharedscripts
>>     delaycompress
>>     prerotate
>>         /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
>>     endscript
>>     postrotate
>>         /sbin/service httpd graceful > /dev/null 2>/dev/null || true
>>     endscript
>> }
>>
>>
>> I thought adding domain transition would help it, but I guess I
>> did it wrong:
>>
>> domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)
>
> use domtrans_pattern() instead of domain_auto_trans()
>
>> /etc/cron.hourly/awstats is bin_t, so I assume domain won't
>> change from logrotate_t
>>
awstats_domtrans(logrotate_t) would be best if it existed. I will
add it to the Rawhide policy.
>>
>> I still get an AVC though:
>>
>> type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld
>> } for pid=30083 comm="awstats"
>> scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
>> tclass=process
>>
>> and I am not sure whether I should allow this or not.
>>
>> Thanks, Vadym
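An added example, not part of the original thread or of the SELinux policy sources: a small triage helper that parses the AVC record quoted above and reports whether the denial is one of the child-to-parent permissions (process sigchld, fd use, fifo_file access) that domtrans_pattern() grants in addition to the transition itself. The function names and the permission table are assumptions made for illustration; the table is assumed to match the reference policy's support macros and should be confirmed against the macros shipped with your policy.

```python
import re

# Child -> parent permissions that domtrans_pattern() adds on top of the bare
# transition rules (assumption: as defined in the reference policy's support
# macros; confirm against the macros shipped with your policy).
CHILD_TO_PARENT = {
    "process": {"sigchld"},
    "fd": {"use"},
    "fifo_file": {"getattr", "open", "read", "write", "append", "ioctl", "lock"},
}

AVC_RE = re.compile(
    r"avc:\s*denied\s*\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(record):
    """Parse one AVC denial; tolerates records re-wrapped by a mail client."""
    m = AVC_RE.search(" ".join(record.split()))
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": m.group("src").split(":")[2],  # user:role:type[:range]
        "target": m.group("tgt").split(":")[2],
        "tclass": m.group("tclass"),
    }

def triage(record, parent, child, entrypoint):
    """Say whether a denial is the child->parent half of a domain transition."""
    avc = parse_avc(record)
    if avc is None:
        return "not an AVC denial"
    expected = CHILD_TO_PARENT.get(avc["tclass"], set())
    pair_matches = (avc["source"], avc["target"]) == (child, parent)
    if pair_matches and avc["perms"] and avc["perms"] <= expected:
        return "covered by domtrans_pattern(%s, %s, %s)" % (parent, entrypoint, child)
    return "not part of the transition pattern: review before allowing"

# The denial quoted in the thread, line-wrapped as it appears in the mail.
SAMPLE = """type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld
} for pid=30083 comm="awstats"
scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tclass=process"""

if __name__ == "__main__":
    print(triage(SAMPLE, "logrotate_t", "awstats_t", "awstats_exec_t"))
```

A denial that falls outside the table (a different class, extra permissions, or a different domain pair) is reported for manual review rather than matched to the macro.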