sesearch output
Moray Henderson
Moray.Henderson at ict-software.org
Tue Oct 16 14:39:20 UTC 2012
On CentOS 6 I'm trying to get logrotate to work on some web files. At the
moment they're httpd_sys_content_t and give
Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc:
denied { read write } for pid=1275 comm="logrotate" name="dnsview.html"
dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
I wanted to see what did have access to those files, so used
# sesearch --allow -t httpd_sys_content_t | less
I thought that would show me all the allow rules with a target of
httpd_sys_content_t, but it seems to show other stuff as well, which
confused me:
allow logwatch_t file_type : filesystem getattr ;
allow logwatch_t file_type : file getattr ;
allow logwatch_t file_type : dir { getattr search open } ;
allow logwatch_t file_type : lnk_file getattr ;
and so on. Is that supposed to show up? Does it mean that logwatch can
search all directories regardless of their context?
Is there a context that would be appropriate for my files or will I need
custom policy if I want to rotate them?
Moray.
"To err is human; to purr, feline."
More information about the selinux
mailing list