From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 29 Aug 2017 18:55:28 -0400
Subject: [refpolicy] [PATCH 1/1] logrotate: allow systemd to start logrotate
In-Reply-To: <20170827151557.17771-1-nicolas.iooss@m4x.org>
References: <20170827151557.17771-1-nicolas.iooss@m4x.org>
Message-ID: <169c1fad-5320-89c4-efd2-2d1c45a54a28@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/27/2017 11:15 AM, Nicolas Iooss via refpolicy wrote:
> On Arch Linux, logrotate is a service launched by systemd:
>
> avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)"
> path="/usr/bin/logrotate" dev="vda1" ino=396833
> scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:logrotate_exec_t tclass=file
> permissive=1
> ---
> logrotate.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/logrotate.te b/logrotate.te
> index 9e40550df70a..5150cc54c9a2 100644
> --- a/logrotate.te
> +++ b/logrotate.te
> @@ -13,7 +13,7 @@ type logrotate_exec_t;
> domain_type(logrotate_t)
> domain_obj_id_change_exemption(logrotate_t)
> domain_system_change_exemption(logrotate_t)
> -domain_entry_file(logrotate_t, logrotate_exec_t)
> +init_daemon_domain(logrotate_t, logrotate_exec_t)
> role logrotate_roles types logrotate_t;
>
> type logrotate_lock_t;

It is still a short-lived process, so it should be an init_system_domain().

--
Chris PeBenito
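Review bot: the replacement line in this hunk, `+init_daemon_domain(logrotate_t, logrotate_exec_t)`, picks an init interface that does not match how logrotate runs. The quoted denial (`execute_no_trans` for `scontext=system_u:system_r:init_t` on `tcontext=system_u:object_r:logrotate_exec_t`) shows that init_t executes /usr/bin/logrotate with no domain transition defined, so swapping `domain_entry_file()` for an init entry-point interface is the right direction; but logrotate runs to completion on each invocation rather than staying resident, which is the case `init_system_domain(logrotate_t, logrotate_exec_t)` covers. Separately, the diff header paths `--- a/logrotate.te` / `+++ b/logrotate.te` carry no directory component, which suggests the patch was generated from inside the module directory; regenerating it from the top of the tree would let it apply with the default path strip.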