Hi Jason,
On 12/11/2015 08:51 PM, jason wrote:
> Hi All,
> I am attempting to use logrotate to rotate a log file with the unlabeled_t context. As it turns out, SELinux is not happy about this and denies logrotate access to the log file.
logrotate should run under the logrotate_t SELinux context. I would recommend you fix all security contexts on your system using:
# restorecon -R -v /
After this, logrotate should run under the logrotate_t SELinux context.
> What's the preferred method here to allow access? I used audit2allow and installed the .pp, but I was reading some docs[0] and wanted to double check my solution.
> The points in the docs that I wanted to check on were: "Missing TE rules are usually caused by bugs in SELinux policy and should be reported." Should I report my particular instance as a bug?
Could you attach AVC msgs using:
# ausearch -m AVC
We can analyze these msgs and figure out if it is some bug in SELinux policy or create some local SELinux module for you.
> "Modules created with audit2allow may allow more access than required.
True, you should always properly read the AVC msg and allow just what is mentioned in the AVC msg. The audit2allow tool can use too generic a rule as a fix, and this is a wrong habit for writing policies.
> It is recommended that policy created with audit2allow be posted to the upstream SELinux list for review."
You can attach your local policy also here for checking. :)
> Thanks in advance!
> JT
> [0] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Troubleshooting-Fixing_Problems.html
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Regards, Lukas.
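The advice in this thread (read what the AVC record actually asks for, allow no more than that, and treat an unlabeled_t target as a labeling problem to fix with restorecon rather than with an allow rule) as an added worked example; it is not code from the list or from either participant. The two AVC records are constructed samples in ausearch format, the function names are my own, and it needs only sh, sed, cut and tr.

```shell
#!/bin/sh
# Added example (not from the thread): turn AVC records in ausearch format
# into the minimal TE rule each one needs, and flag a target of unlabeled_t
# as a labeling problem (fix with restorecon) rather than a policy gap.

# Two constructed sample AVC records, not real audit output.
SAMPLE_AVCS='type=AVC msg=audit(1449859876.123:456): avc:  denied  { read getattr open } for  pid=1234 comm="logrotate" path="/var/log/myapp.log" dev="sda1" ino=5678 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1449859877.456:457): avc:  denied  { write } for  pid=1234 comm="logrotate" name="myapp" dev="sda1" ino=9012 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0'

# avc_field RECORD KEY: value of the KEY=value pair in one record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component (user:role:TYPE:level) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te RECORD: the narrowest allow rule that would cover this record:
# exactly the listed permissions, for exactly this source type, target type
# and class. Nothing broader than what the AVC message says.
avc_to_te() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
            | tr -s ' ' | sed 's/^ //;s/ $//')
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_recommend RECORD: an unlabeled_t target means the file simply has no
# proper label; relabel it instead of allowing logrotate_t into unlabeled_t.
# Any other target gets the minimal rule, for human review before loading.
avc_recommend() {
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$tgt" = "unlabeled_t" ]; then
        echo "relabel: restorecon -R -v $(avc_field "$1" path | tr -d '"') (no allow rule)"
    else
        echo "review: $(avc_to_te "$1")"
    fi
}

# Walk the sample records one per line.
printf '%s\n' "$SAMPLE_AVCS" | while IFS= read -r rec; do
    avc_recommend "$rec"
done
```

Compare the printed rule against what audit2allow proposes for the same record; if audit2allow's rule is broader, that is the habit the reply above warns about.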