From: craig@rootwork.it (Craig Finch)
Date: Thu, 21 Jan 2016 16:24:56 -0500
Subject: [refpolicy] Custom policy to allow logrotate to rotate OSSEC logs
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I am using OSSEC to monitor system logs for possible intrusions and other errors on a CentOS 7 system, with SELinux set to "enforcing." OSSEC stores its logs in a non-standard location (/var/ossec/logs), and the default SELinux policies do not allow logrotate to rotate these logs. The default context for this directory is:

drwxrwx---. ossec ossec system_u:object_r:var_t:s0 .
dr-xr-x---. root ossec system_u:object_r:var_t:s0 ..
-rw-rw-r--. ossec ossec system_u:object_r:var_log_t:s0 ossec.log

In order to allow logrotate to rotate these logs, I changed the context of the log files to logrotate_t and created a custom SELinux module, which is shown at the end of this message. These changes allow the logs to be rotated. I am posting this solution to get feedback and to ensure that I have not accidentally created a security problem. Please let me know if you have any suggestions.

-------------
module ossec_logrotate 1.0.2;

require {
        type fs_t;
        type logrotate_t;
        class dir { add_name write remove_name rename };
        class file { create setattr rename unlink };
        class filesystem associate;
}

#============= logrotate_t ==============
allow logrotate_t fs_t:filesystem associate;
allow logrotate_t self:dir { add_name write remove_name rename };
allow logrotate_t self:file { create setattr rename unlink };

--
Craig Finch
Principal Consultant
Rootwork InfoTech LLC
Mobile: 321.209.8088
www.rootwork.it
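
Added example, not part of the message above and not refpolicy code: a small Python reader for the posted module that resolves `self` to the source type and cross-checks every allow rule against the require block, which makes explicit that the dir and file rules apply only to objects labelled logrotate_t, the label the message says was put on the log files. The function names are illustrative assumptions, MODULE is copied from the message, and the parser handles only the rule forms this module uses.

```python
import re

# Module text from the message, embedded so the example runs offline.
MODULE = """\
module ossec_logrotate 1.0.2;
require {
    type fs_t;
    type logrotate_t;
    class dir { add_name write remove_name rename };
    class file { create setattr rename unlink };
    class filesystem associate;
}
allow logrotate_t fs_t:filesystem associate;
allow logrotate_t self:dir { add_name write remove_name rename };
allow logrotate_t self:file { create setattr rename unlink };
"""
ITEM = r"(\{[^}]*\}|\w+)"  # "{ a b }" or one bare permission

def _perms(text):
    return set(text.strip("{} \t\n").split())

def parse_require(src):
    """Return (declared types, {class: declared permissions})."""
    body = re.search(r"require\s*\{(.*?)\n\}", src, re.S).group(1)
    types = set(re.findall(r"\btype\s+(\w+)\s*;", body))
    found = re.findall(r"\bclass\s+(\w+)\s+" + ITEM + r"\s*;", body)
    return types, {c: _perms(p) for c, p in found}

def parse_allow(src):
    """Return allow rules as (source, target, class, perms), `self` resolved."""
    pat = r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+" + ITEM + r"\s*;"
    return [(s, s if t == "self" else t, c, _perms(p))
            for s, t, c, p in re.findall(pat, src, re.M)]

def undeclared(src):
    """Names the allow rules use that the require block does not declare."""
    types, classes = parse_require(src)
    missing = []
    for s, t, c, perms in parse_allow(src):
        missing += [f"type {x}" for x in (s, t) if x not in types]
        missing += [f"{c}:{p}" for p in sorted(perms - classes.get(c, set()))]
    return missing

def self_object_rules(src, object_classes=("file", "dir")):
    """Rules that apply only to files/dirs labelled with the domain's own type."""
    return [(s, c, sorted(p)) for s, t, c, p in parse_allow(src)
            if s == t and c in object_classes]

if __name__ == "__main__":
    print("undeclared:", undeclared(MODULE) or "none")
    for rule in self_object_rules(MODULE):
        print("self rule:", rule)
```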