2017-08-27 15:15:57

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/1] logrotate: allow systemd to start logrotate

On Arch Linux, logrotate is a service launched by systemd:

avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)"
path="/usr/bin/logrotate" dev="vda1" ino=396833
scontext=system_u:system_r:init_t
tcontext=system_u:object_r:logrotate_exec_t tclass=file
permissive=1
---
logrotate.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/logrotate.te b/logrotate.te
index 9e40550df70a..5150cc54c9a2 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -13,7 +13,7 @@ type logrotate_exec_t;
domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
-domain_entry_file(logrotate_t, logrotate_exec_t)
+init_daemon_domain(logrotate_t, logrotate_exec_t)
role logrotate_roles types logrotate_t;

type logrotate_lock_t;
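Review bot: init_daemon_domain() is the wrong interface for this hunk's replacement line; logrotate runs to completion on each invocation rather than staying up as a daemon, so the matching refpolicy interface is init_system_domain(logrotate_t, logrotate_exec_t), which likewise gives init_t the domain transition that the execute_no_trans denial in the commit message is asking for. Either interface calls domain_type() on its first argument, so the explicit domain_type(logrotate_t) in the context line just above the change becomes redundant and could be dropped in the same hunk. Note that the right fix is the transition, not an allow of execute_no_trans, which would run logrotate with init_t's privileges.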
--
2.14.1


2017-08-29 22:55:28

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] logrotate: allow systemd to start logrotate

On 08/27/2017 11:15 AM, Nicolas Iooss via refpolicy wrote:
> On Arch Linux, logrotate is a service launched by systemd:
>
> avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)"
> path="/usr/bin/logrotate" dev="vda1" ino=396833
> scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:logrotate_exec_t tclass=file
> permissive=1
> ---
> logrotate.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/logrotate.te b/logrotate.te
> index 9e40550df70a..5150cc54c9a2 100644
> --- a/logrotate.te
> +++ b/logrotate.te
> @@ -13,7 +13,7 @@ type logrotate_exec_t;
> domain_type(logrotate_t)
> domain_obj_id_change_exemption(logrotate_t)
> domain_system_change_exemption(logrotate_t)
> -domain_entry_file(logrotate_t, logrotate_exec_t)
> +init_daemon_domain(logrotate_t, logrotate_exec_t)
> role logrotate_roles types logrotate_t;
>
> type logrotate_lock_t;

It is still a short-lived process, so it should be an init_system_domain().

--
Chris PeBenito
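The denial Nicolas quotes is the usual signature of a missing domain transition: init_t tried to exec a file labelled logrotate_exec_t, no type_transition rule existed, so the only way to run it would have been without a transition, which init_t is (correctly) not allowed to do. The following is an added example, not code from the thread or from refpolicy. It parses AVC audit lines of that form and, for an execute_no_trans from init_t to a *_exec_t file, derives the refpolicy interface call that supplies the transition, choosing init_system_domain() for a run-to-completion job (Chris's point) or init_daemon_domain() for a long-running service; any other denial falls back to the raw allow rule. The second sample line, the long_running flag and the suggest_refpolicy() name are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the first line is the denial from the thread,
# the second is an assumed denial in the logrotate_t domain for contrast.
SAMPLE_AVC = [
    'avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)" '
    'path="/usr/bin/logrotate" dev="vda1" ino=396833 '
    'scontext=system_u:system_r:init_t '
    'tcontext=system_u:object_r:logrotate_exec_t tclass=file permissive=1',
    'avc: denied { read } for pid=300 comm="logrotate" name="syslog" dev="vda1" '
    'ino=1234 scontext=system_u:system_r:logrotate_t '
    'tcontext=system_u:object_r:var_log_t tclass=file permissive=0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str
    perms: tuple
    fields: dict

    @staticmethod
    def _type_of(context):
        # A context is user:role:type[:mls]; the type is always the third field.
        return context.split(':')[2]

    @property
    def source_type(self):
        return self._type_of(self.fields['scontext'])

    @property
    def target_type(self):
        return self._type_of(self.fields['tcontext'])


def parse_avc(line):
    """Parse one AVC audit line into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record: %r' % line)
    perms = tuple(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('result'), perms, fields)


def suggest_refpolicy(rec, long_running=False):
    """Map a denial to a refpolicy fix.

    execute_no_trans from init_t on a *_exec_t file means "no domain
    transition is defined", so the fix is an init_*_domain() interface call
    that adds the transition, never an allow of execute_no_trans (which would
    run the program inside init_t).  Anything else is returned as the raw
    allow rule, which still needs a human to decide whether it is right.
    """
    if ('execute_no_trans' in rec.perms
            and rec.fields.get('tclass') == 'file'
            and rec.source_type == 'init_t'
            and rec.target_type.endswith('_exec_t')):
        domain = rec.target_type[:-len('_exec_t')] + '_t'
        iface = 'init_daemon_domain' if long_running else 'init_system_domain'
        return '%s(%s, %s)' % (iface, domain, rec.target_type)
    return 'allow %s %s:%s { %s };' % (
        rec.source_type, rec.target_type, rec.fields['tclass'], ' '.join(rec.perms))


if __name__ == '__main__':
    for line in SAMPLE_AVC:
        rec = parse_avc(line)
        print(rec.source_type, '->', rec.target_type, rec.perms)
        print('  ', suggest_refpolicy(rec))
```

For the thread's denial this yields init_system_domain(logrotate_t, logrotate_exec_t); passing long_running=True yields the init_daemon_domain() form from the original patch. The permissive=1 field is worth reading too: the execution was not actually blocked, so a denial like this on a permissive system is the only evidence that logrotate ran in init_t.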