Converted NSA's logrotate policy files for use on gentoo.
Reproducible: Always
Steps to Reproduce:
Created attachment 21420 [details] logrotate file_contexts
Created attachment 21421 [details] logrotate policy
The only difference is a one line change to logrotate.fc. The crontab file syslogd becomes logrotate.cron.
Hmm, I wouldn't think that it would even need that line in the file contexts, because of the system_crond_entry(logrotate_exec_t, logrotate_t). Are you sure that's needed?
Without that line the logrotate.cron file is labeled crond_script_exec_t. There is no domain_auto_trans(crond_t, logrotate_exec_t, logrotate_t). So either the above needed to be added to crond.te, or change the line in the logrotate.fc. It just seemed easier to change the label on the logrotate.cron file.
Belay that last comment. You're right, it should. I'll take another look at it, and do some more testing.
Created attachment 21447 [details] logrotate file_contexts (new)
With the default label the syslog.cron script won't work. However, when it is labeled logrotate_exec_t, it works fine. So, if you want the stock syslog.cron log file rotator to work but don't want to emerge logrotate, then this policy will solve that problem.
Both logrotate and syslog.cron work with this policy. The logrotate.cron should have the default crond_script_exec_t label; the syslog.cron needs the logrotate_exec_t label. However, if logrotate.conf is modified to rotate the /var/log files then syslog.cron should be removed.
sec-policy/selinux-logrotate-20031129 committed, added it to logrotate-3.6.5-r1 RDEPEND. Thanks for the submission.
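For reference, this is a constructed illustration of the labeling the thread settles on, not the attached policy files: the cron script keeps its default label, the syslog.cron wrapper is explicitly labeled logrotate_exec_t so the existing system_crond_entry() rule carries it into logrotate_t. The /etc/cron.daily and /usr/sbin paths are assumptions about the Gentoo layout.

```text
# logrotate.fc (constructed example; paths are assumed Gentoo defaults)
#
# The logrotate binary itself is the entry point for logrotate_t.
/usr/sbin/logrotate            --  system_u:object_r:logrotate_exec_t
#
# /etc/cron.daily/logrotate.cron gets no entry here: it keeps the default
# crond_script_exec_t label from the generic cron rules, which is what
# the thread concludes is correct.
#
# The stock syslog.cron rotator must be labeled logrotate_exec_t, otherwise
# crond runs it under the default cron-script label and it fails.
/etc/cron.daily/syslog.cron    --  system_u:object_r:logrotate_exec_t

# logrotate.te (relevant rule already present in the policy)
#
# Lets crond_t execute logrotate_exec_t files and transition to logrotate_t,
# so no extra domain_auto_trans() in crond.te is needed.
system_crond_entry(logrotate_exec_t, logrotate_t)
```

After running the relabel, `ls -Z /etc/cron.daily/syslog.cron` should report logrotate_exec_t while logrotate.cron still shows crond_script_exec_t; if logrotate.conf is later changed to rotate /var/log, remove syslog.cron rather than keep both rotators.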