From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sun, 27 Aug 2017 17:15:57 +0200
Subject: [refpolicy] [PATCH 1/1] logrotate: allow systemd to start logrotate
Message-ID: <20170827151557.17771-1-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Arch Linux, logrotate is a service launched by systemd: avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)" path="/usr/bin/logrotate" dev="vda1" ino=396833 scontext=system_u:system_r:init_t tcontext=system_u:object_r:logrotate_exec_t tclass=file permissive=1
---
 logrotate.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/logrotate.te b/logrotate.te
index 9e40550df70a..5150cc54c9a2 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -13,7 +13,7 @@ type logrotate_exec_t;
 domain_type(logrotate_t)
 domain_obj_id_change_exemption(logrotate_t)
 domain_system_change_exemption(logrotate_t)
-domain_entry_file(logrotate_t, logrotate_exec_t)
+init_daemon_domain(logrotate_t, logrotate_exec_t)
 role logrotate_roles types logrotate_t;
 type logrotate_lock_t;
-- 
2.14.1
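Review bot: The added `init_daemon_domain(logrotate_t, logrotate_exec_t)` uses the interface intended for long-running daemons, but logrotate started from a systemd unit runs once and exits, so `init_system_domain(logrotate_t, logrotate_exec_t)` looks like the narrower fit. Both should give init_t the transition that the quoted `execute_no_trans` denial shows is missing. The daemon variant presumably also attaches the daemon attribute and the rules keyed on it, which a domain holding `domain_obj_id_change_exemption` and `domain_system_change_exemption` should not pick up without need. The denial was captured with `permissive=1`, so the commit message should say whether the unit was re-tested in enforcing mode once logrotate actually runs in logrotate_t. A one-line comment above the macro, e.g. `# started directly by systemd on some distributions (e.g. Arch Linux)`, would record why the init transition exists.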