This is used at least on Gentoo, but I could imagine this also exists on
other distros.
---
logrotate.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/logrotate.fc b/logrotate.fc
index a11d5be..207ec10 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,3 +1,4 @@
+/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
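Review bot: the added `/etc/cron\.(daily|weekly)/logrotate` entry gives the cron script the same logrotate_exec_t type as `/usr/sbin/logrotate` in the context line below it, yet the patch touches only logrotate.fc. If the script ends up running in logrotate_t, it then has to execute a second logrotate_exec_t file, so the matching policy rule (can_exec(logrotate_t, logrotate_exec_t), as the follow-up message in this thread notes) should be sent together with this label change rather than afterwards.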
--
1.8.4.3
For this to work, can_exec(logrotate_t, logrotate_exec_t) is also
required.
Btw: "allow logrotate_t self:process ~{ ptrace setcurrent setexec
setrlimit execmem execstack execheap };" (currently in
contrib/logrotate.te) sounds a bit much to me...
On Sun, 2013-11-17 at 13:53 +0100, Luis Ressel wrote:
> This is used at least on Gentoo, but I could imagine this also exists on
> other distros.
> ---
> logrotate.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/logrotate.fc b/logrotate.fc
> index a11d5be..207ec10 100644
> --- a/logrotate.fc
> +++ b/logrotate.fc
> @@ -1,3 +1,4 @@
> +/etc/cron\.(daily|weekly)/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
> /etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
>
> /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
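Review bot: the pattern on the added line uses the same `(daily|weekly)` alternation as the sysklogd entry below it, while the commit message says only that the script is "used at least on Gentoo". Please state in the commit message which of the two directories the script is installed into there, so a later reader can tell whether both alternatives are needed or whether one of them only mirrors the neighbouring line.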
Thanks, Applied
On Mon, 2013-11-18 at 20:11 +0100, Luis Ressel wrote:
> For this to work, can_exec(logrotate_t, logrotate_exec_t) is also
> required.
>
Thanks, applied
> Btw: "allow logrotate_t self:process ~{ ptrace setcurrent setexec
> setrlimit execmem execstack execheap };" (currently in
> contrib/logrotate.te) sounds a bit much to me...
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy