* [refpolicy] [PATCH] Label /etc/cron.daily/logrotate correctly.
@ 2013-11-17 13:31 Luis Ressel
  0 siblings, 0 replies; 5+ messages in thread
From: Luis Ressel @ 2013-11-17 13:31 UTC (permalink / raw)
  To: refpolicy

This is used at least on Gentoo, but I could imagine this also exists on
other distros.
---
 logrotate.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/logrotate.fc b/logrotate.fc
index a11d5be..207ec10 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,3 +1,4 @@
+/etc/cron\.(daily|weekly)/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 /etc/cron\.(daily|weekly)/sysklogd	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
 /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
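
Review bot: The new first line gives the cron script the same entrypoint type as /usr/sbin/logrotate, yet the diffstat shows only logrotate.fc changing, so nothing in this patch lets logrotate_t execute a logrotate_exec_t file without a transition. Once the script runs in logrotate_t and calls the binary, that execution needs can_exec(logrotate_t, logrotate_exec_t) in logrotate.te, as the follow-up in this thread notes. The label and that rule belong in the same change.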
-- 
1.8.4.3


* [refpolicy] [PATCH] Label /etc/cron.daily/logrotate correctly.
  2013-11-18 19:11 ` Luis Ressel
@ 2013-11-19  8:44   ` Dominick Grift
  0 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2013-11-19  8:44 UTC (permalink / raw)
  To: refpolicy

On Mon, 2013-11-18 at 20:11 +0100, Luis Ressel wrote:
> For this to work, can_exec(logrotate_t, logrotate_exec_t) is also
> required.
> 

Thanks, applied

> Btw: "allow logrotate_t self:process ~{ ptrace setcurrent setexec
> setrlimit execmem execstack execheap };" (currently in
> contrib/logrotate.te) sounds a bit much to me...


* [refpolicy] [PATCH] Label /etc/cron.daily/logrotate correctly.
  2013-11-17 12:53 Luis Ressel
  2013-11-18 19:11 ` Luis Ressel
@ 2013-11-19  8:44 ` Dominick Grift
  1 sibling, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2013-11-19  8:44 UTC (permalink / raw)
  To: refpolicy

On Sun, 2013-11-17 at 13:53 +0100, Luis Ressel wrote:
> This is used at least on Gentoo, but I could imagine this also exists on
> other distros.
> ---
>  logrotate.fc | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/logrotate.fc b/logrotate.fc
> index a11d5be..207ec10 100644
> --- a/logrotate.fc
> +++ b/logrotate.fc
> @@ -1,3 +1,4 @@
> +/etc/cron\.(daily|weekly)/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
>  /etc/cron\.(daily|weekly)/sysklogd	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
>  
>  /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
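
Review bot: The regex on the added line matches cron.weekly as well as cron.daily, while the subject and the description mention only /etc/cron.daily/logrotate. Either state in the commit message that the weekly path is covered on purpose (it mirrors the sysklogd entry just below) or narrow the pattern to cron\.daily.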


Thanks, Applied


* [refpolicy] [PATCH] Label /etc/cron.daily/logrotate correctly.
  2013-11-17 12:53 Luis Ressel
@ 2013-11-18 19:11 ` Luis Ressel
  2013-11-19  8:44   ` Dominick Grift
  2013-11-19  8:44 ` Dominick Grift
  1 sibling, 1 reply; 5+ messages in thread
From: Luis Ressel @ 2013-11-18 19:11 UTC (permalink / raw)
  To: refpolicy

For this to work, can_exec(logrotate_t, logrotate_exec_t) is also
required.

Btw: "allow logrotate_t self:process ~{ ptrace setcurrent setexec
setrlimit execmem execstack execheap };" (currently in
contrib/logrotate.te) sounds a bit much to me...
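
What the complement in the rule quoted above expands to, as an added example that is not part of the thread or of refpolicy. The permission list is the `process` class as defined in the reference policy of that period (an assumption; newer policies add permissions), and `REVIEW` is a hypothetical shortlist of permissions an auditor might want justified.

```python
import re

# "process" class permissions from refpolicy's access_vectors around 2013
# (assumption: later policy versions add more, e.g. getrlimit).
PROCESS_PERMS = (
    "fork transition sigchld sigkill sigstop signull signal ptrace "
    "getsched setsched getsession getpgid setpgid getcap setcap share "
    "getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh "
    "dyntransition setcurrent execmem execstack execheap setkeycreate "
    "setsockcreate"
).split()

# Hypothetical shortlist for manual review, not an official classification.
REVIEW = {"transition", "dyntransition", "noatsecure", "share", "setcap",
          "setfscreate", "setkeycreate", "setsockcreate"}

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(~?)\{\s*([^}]*)\}\s*;")

# The rule as quoted in the message above.
RULE = ("allow logrotate_t self:process ~{ ptrace setcurrent setexec "
        "setrlimit execmem execstack execheap };")


def expand(rule, class_perms=PROCESS_PERMS):
    """Return (source, target, class, granted perms) for a braced allow rule."""
    m = RULE_RE.search(" ".join(rule.split()))  # tolerate wrapped lines
    if not m:
        raise ValueError("not a braced allow rule: %r" % rule)
    src, tgt, cls, neg, body = m.groups()
    listed = body.split()
    unknown = set(listed) - set(class_perms)
    if unknown:
        raise ValueError("unknown permission(s): %s" % sorted(unknown))
    # With "~" the rule grants everything in the class except the listed set.
    granted = [p for p in class_perms if (p not in listed) == bool(neg)]
    return src, tgt, cls, sorted(granted)


def needs_review(granted):
    """Granted permissions that appear on the review shortlist."""
    return sorted(REVIEW & set(granted))


if __name__ == "__main__":
    src, tgt, cls, granted = expand(RULE)
    print("%s -> %s:%s grants %d of %d permissions"
          % (src, tgt, cls, len(granted), len(PROCESS_PERMS)))
    print("granted:", " ".join(granted))
    print("review :", " ".join(needs_review(granted)))
```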

* [refpolicy] [PATCH] Label /etc/cron.daily/logrotate correctly.
@ 2013-11-17 12:53 Luis Ressel
  2013-11-18 19:11 ` Luis Ressel
  2013-11-19  8:44 ` Dominick Grift
  0 siblings, 2 replies; 5+ messages in thread
From: Luis Ressel @ 2013-11-17 12:53 UTC (permalink / raw)
  To: refpolicy

This is used at least on Gentoo, but I could imagine this also exists on
other distros.
---
 logrotate.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/logrotate.fc b/logrotate.fc
index a11d5be..207ec10 100644
--- a/logrotate.fc
+++ b/logrotate.fc
@@ -1,3 +1,4 @@
+/etc/cron\.(daily|weekly)/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 /etc/cron\.(daily|weekly)/sysklogd	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
 /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
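
Review bot: The `--` file-type field on the added line restricts the context to regular files, so a symlink at that path would not receive logrotate_exec_t. That matches the neighbouring entries, but the description should confirm that /etc/cron.daily/logrotate is installed as a regular file on Gentoo, the only distribution it names.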
-- 
1.8.4.3

