commit: 0c3ef6276b664ad06dce7ef4bea5d3509148f249 |
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> |
AuthorDate: Sun Sep 3 20:19:56 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Fri Sep 8 22:48:51 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0c3ef627 |
|
logrotate: allow systemd to start logrotate |
|
On Arch Linux, logrotate is a service launched by systemd: |
|
avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)" |
path="/usr/bin/logrotate" dev="vda1" ino=396833 |
scontext=system_u:system_r:init_t |
tcontext=system_u:object_r:logrotate_exec_t tclass=file |
permissive=1 |
|
policy/modules/contrib/logrotate.te | 1 + |
1 file changed, 1 insertion(+) |
|
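--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -14,6 +14,7 @@ domain_type(logrotate_t)
 domain_obj_id_change_exemption(logrotate_t)
 domain_system_change_exemption(logrotate_t)
 domain_entry_file(logrotate_t, logrotate_exec_t)
+init_system_domain(logrotate_t, logrotate_exec_t)
 role logrotate_roles types logrotate_t;
 
 type logrotate_lock_t;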
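Review bot: The added `init_system_domain(logrotate_t, logrotate_exec_t)` carries no comment explaining why init needs a transition into `logrotate_t`, a domain that the context lines show holding both `domain_obj_id_change_exemption` and `domain_system_change_exemption`; I would put `# systemd starts logrotate.service directly, so init must transition into logrotate_t` above it. The AVC quoted in the commit message was logged with `permissive=1` and shows only `execute_no_trans` from `init_t`, so it is worth confirming under enforcing mode that the transition takes place and that no follow-up denials appear once logrotate runs in its own domain. The interface is presumably not limited to systemd builds, so it likely also lets init scripts enter `logrotate_t` on other distributions; if that is not intended, the call could be guarded by the policy's systemd build conditional. If the interface already declares the domain type and entry file itself, as I believe it does upstream, the existing `domain_type` and `domain_entry_file` lines become redundant, though harmless. The module's type declarations begin above the hunk.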