| 1 |
commit: 0c3ef6276b664ad06dce7ef4bea5d3509148f249 |
| 2 |
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> |
| 3 |
AuthorDate: Sun Sep 3 20:19:56 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Fri Sep 8 22:48:51 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0c3ef627 |
| 7 |
|
| 8 |
logrotate: allow systemd to start logrotate |
| 9 |
|
| 10 |
On Arch Linux, logrotate is a service launched by systemd: |
| 11 |
|
| 12 |
avc: denied { execute_no_trans } for pid=216 comm="(ogrotate)" |
| 13 |
path="/usr/bin/logrotate" dev="vda1" ino=396833 |
| 14 |
scontext=system_u:system_r:init_t |
| 15 |
tcontext=system_u:object_r:logrotate_exec_t tclass=file |
| 16 |
permissive=1 |
| 17 |
|
| 18 |
policy/modules/contrib/logrotate.te | 1 + |
| 19 |
1 file changed, 1 insertion(+) |
| 20 |
|
| 21 |
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te |
| 22 |
index ab2c6152..77c36f66 100644 |
| 23 |
--- a/policy/modules/contrib/logrotate.te |
| 24 |
+++ b/policy/modules/contrib/logrotate.te |
| 25 |
@@ -14,6 +14,7 @@ domain_type(logrotate_t) |
| 26 |
domain_obj_id_change_exemption(logrotate_t) |
| 27 |
domain_system_change_exemption(logrotate_t) |
| 28 |
domain_entry_file(logrotate_t, logrotate_exec_t) |
| 29 |
+init_system_domain(logrotate_t, logrotate_exec_t) |
| 30 |
role logrotate_roles types logrotate_t; |
| 31 |
|
| 32 |
type logrotate_lock_t; |
Archives