On CentOS 6 I'm trying to get logrotate to work on some web files. At the moment they're httpd_sys_content_t and give
Oct 16 03:43:06 sls kernel: type=1400 audit(1350355386.304:42512): avc: denied { read write } for pid=1275 comm="logrotate" name="dnsview.html" dev=dm-4 ino=263703 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
I wanted to see what did have access to those files, so used
# sesearch --allow -t httpd_sys_content_t | less
I thought that would show me all the allow rules with a target of httpd_sys_content_t, but it seems to show other stuff as well, which confused me:
allow logwatch_t file_type : filesystem getattr ; allow logwatch_t file_type : file getattr ; allow logwatch_t file_type : dir { getattr search open } ; allow logwatch_t file_type : lnk_file getattr ;
and so on. Is that supposed to show up? Does it mean that logwatch can search all directories regardless of their context?
Is there a context that would be appropriate for my files or will I need custom policy if I want to rotate them?
Moray. "To err is human; to purr, feline."