09-23-2011, 12:09 PM
Vadym Chepkov

awstats and logrotate

Hi,

In the RHEL6 policy an awstats module has been added, and it works rather well, except it is not suited for calling awstats from a logrotate script.
It's a general practice to include an awstats call before rotating logs, since awstats is usually an hourly job, so there can be log entries between the top of the hour and when the logrotate job kicks in:

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    prerotate
        /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
    endscript
    postrotate
        /sbin/service httpd graceful > /dev/null 2>/dev/null || true
    endscript
}


I thought adding a domain transition would help, but I guess I did it wrong:

domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)

/etc/cron.hourly/awstats is bin_t, so I assume the domain won't change from logrotate_t


I still get an AVC though:

type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld } for pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process

and I am not sure whether I should allow this or not.

Thanks,
Vadym
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-23-2011, 12:13 PM
Dominick Grift

awstats and logrotate

On Fri, 2011-09-23 at 08:09 -0400, Vadym Chepkov wrote:
> Hi,
>
> in RHEL6 policy awstats module has been added and it works rather well except it is not suited for calling awstat from log rotate script.
> It's a general practice to include awstats call before rotating logs, since awstats usually an hourly job, so there can be log entries between top of the hours and when log rotate job kicks in:
>
> /var/log/httpd/*log {
> missingok
> notifempty
> sharedscripts
> delaycompress
> prerotate
> /etc/cron.hourly/awstats > /dev/null 2>/dev/null || true
> endscript
> postrotate
> /sbin/service httpd graceful > /dev/null 2>/dev/null || true
> endscript
> }
>
>
> I thought adding domain transition would help it, but I guess I did it wrong:
>
> domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)

use domtrans_pattern() instead of domain_auto_trans()

> /etc/cron.hourly/awstats is bin_t, so I assume domain won't change from logrotate_t
>
>
> I still get an AVC though:
>
> type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld } for pid=30083 comm="awstats" scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process
>
> and I am not sure should I allow this or not.
>
> Thanks,
> Vadym
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

 
09-23-2011, 02:48 PM
Daniel J Walsh

awstats and logrotate

On 09/23/2011 08:13 AM, Dominick Grift wrote:
> On Fri, 2011-09-23 at 08:09 -0400, Vadym Chepkov wrote:
>> Hi,
>>
>> in RHEL6 policy awstats module has been added and it works rather
>> well except it is not suited for calling awstat from log rotate
>> script. It's a general practice to include awstats call before
>> rotating logs, since awstats usually an hourly job, so there can
>> be log entries between top of the hours and when log rotate job
>> kicks in:
>>
>> /var/log/httpd/*log { missingok notifempty sharedscripts
>> delaycompress prerotate /etc/cron.hourly/awstats > /dev/null
>> 2>/dev/null || true endscript postrotate /sbin/service httpd
>> graceful > /dev/null 2>/dev/null || true endscript }
>>
>>
>> I thought adding domain transition would help it, but I guess I
>> did it wrong:
>>
>> domain_auto_trans(logrotate_t, awstats_exec_t, awstats_t)
>
> use domtrans_pattern() instead of domain_auto_trans()
>
>> /etc/cron.hourly/awstats is bin_t, so I assume domain won't
>> change from logrotate_t
>>
awstats_domtrans(logrotate_t) would be best if it existed. I will
add it to Rawhide Policy.


>>
>> I still get an AVC though:
>>
>> type=AVC msg=audit(1316320942.646:21684): avc: denied { sigchld
>> } for pid=30083 comm="awstats"
>> scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
>> tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
>> tclass=process
>>
>> and I am not sure should I allow this or not.
>>
>> Thanks, Vadym -- selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
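
A local policy module applying the domtrans_pattern() suggestion from the replies, shown here as an added example that is not part of the thread or of the distribution policy. The module name local_logrotate_awstats is an assumption; the type names are the ones quoted in the original post.

```selinux
# local_logrotate_awstats.te (module name is an assumption for this example)
policy_module(local_logrotate_awstats, 1.0.0)

# Types defined by the existing logrotate and awstats modules.
gen_require(`
	type logrotate_t;
	type awstats_t;
	type awstats_exec_t;
')

# domtrans_pattern(source, entrypoint, target) does two things:
#  1. the automatic transition: logrotate_t may execute awstats_exec_t
#     files and the new process is labelled awstats_t
#  2. the return path for the child: awstats_t may use file descriptors
#     and pipes inherited from logrotate_t and send it sigchld on exit
# Part 2 is what covers the denial quoted in the thread
# (scontext awstats_t, tcontext logrotate_t, tclass process, { sigchld }).
domtrans_pattern(logrotate_t, awstats_exec_t, awstats_t)
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile local_logrotate_awstats.pp` followed by `semodule -i local_logrotate_awstats.pp`.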
 
