1logrotate_selinux(8) SELinux Policy logrotate logrotate_selinux(8)
2
6 logrotate_selinux - Security Enhanced Linux Policy for the logrotate
7 processes
8
10 Security-Enhanced Linux secures the logrotate processes via flexible
11 mandatory access control.
12 The logrotate processes execute with the logrotate_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16 For example:
18 ps -eZ | grep logrotate_t
20
24 The logrotate_t SELinux type can be entered via the logrotate_exec_t
25 file type.
26 The default entrypoint paths for the logrotate_t domain are the follow‐
28 ing:
29 /etc/cron.(daily|weekly)/sysklogd, /usr/sbin/logrotate
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 logrotate policy is very flexible allowing users to setup their logro‐
40 tate processes in as secure a method as possible.
41 The following process types are defined for logrotate:
43 logrotate_t, logrotate_mail_t
45 Note: semanage permissive -a logrotate_t can be used to make the
47 process type logrotate_t permissive. SELinux does not deny access to
48 permissive process types, but the AVC (SELinux denials) messages are
49 still generated.
50
53 SELinux policy is customizable based on least access required. logro‐
54 tate policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run logrotate with the tightest access
56 possible.
57 If you want to allow logrotate to read logs inside, you must turn on
61 the logrotate_read_inside_containers boolean. Disabled by default.
62 setsebool -P logrotate_read_inside_containers 1
64 If you want to allow logrotate to manage cifs files, you must turn on
68 the logrotate_use_cifs boolean. Disabled by default.
69 setsebool -P logrotate_use_cifs 1
71 If you want to allow logrotate domain to manage fuse files, you must
75 turn on the logrotate_use_fusefs boolean. Disabled by default.
76 setsebool -P logrotate_use_fusefs 1
78 If you want to allow logrotate to manage nfs files, you must turn on
82 the logrotate_use_nfs boolean. Disabled by default.
83 setsebool -P logrotate_use_nfs 1
85 If you want to allow all domains to execute in fips_mode, you must turn
89 on the fips_mode boolean. Enabled by default.
90 setsebool -P fips_mode 1
92 If you want to allow system to run with NIS, you must turn on the
96 nis_enabled boolean. Disabled by default.
97 setsebool -P nis_enabled 1
99 If you want to support NFS home directories, you must turn on the
103 use_nfs_home_dirs boolean. Enabled by default.
104 setsebool -P use_nfs_home_dirs 1
106 If you want to support SAMBA home directories, you must turn on the
110 use_samba_home_dirs boolean. Disabled by default.
111 setsebool -P use_samba_home_dirs 1
113
117 The SELinux process type logrotate_t can manage files labeled with the
118 following file types. The paths listed are the default paths for these
119 file types. Note the processes UID still need to have DAC permissions.
120 cifs_t
122 cluster_conf_t
125 /etc/cluster(/.*)?
127 cluster_var_lib_t
129 /var/lib/pcsd(/.*)?
131 /var/lib/cluster(/.*)?
132 /var/lib/openais(/.*)?
133 /var/lib/pengine(/.*)?
134 /var/lib/corosync(/.*)?
135 /usr/lib/heartbeat(/.*)?
136 /var/lib/heartbeat(/.*)?
137 /var/lib/pacemaker(/.*)?
138 cluster_var_run_t
140 /var/run/crm(/.*)?
142 /var/run/cman_.*
143 /var/run/rsctmp(/.*)?
144 /var/run/aisexec.*
145 /var/run/heartbeat(/.*)?
146 /var/run/corosync-qnetd(/.*)?
147 /var/run/corosync-qdevice(/.*)?
148 /var/run/corosync.pid
149 /var/run/cpglockd.pid
150 /var/run/rgmanager.pid
151 /var/run/cluster/rgmanager.sk
152 collectd_rw_content_t
154 fusefs_t
157 /var/run/user/[^/]*/gvfs
159 logfile
161 all log files
163 logrotate_lock_t
165 logrotate_var_lib_t
168 /var/lib/logrotate(/.*)?
170 /var/lib/logrotate.status.*
171 named_cache_t
173 /var/named/data(/.*)?
175 /var/lib/softhsm(/.*)?
176 /var/lib/unbound(/.*)?
177 /var/named/slaves(/.*)?
178 /var/named/dynamic(/.*)?
179 /var/named/chroot/var/tmp(/.*)?
180 /var/named/chroot/var/named/data(/.*)?
181 /var/named/chroot/var/named/slaves(/.*)?
182 /var/named/chroot/var/named/dynamic(/.*)?
183 nfs_t
185 openshift_var_lib_t
188 /var/lib/openshift(/.*)?
190 /var/lib/stickshift(/.*)?
191 /var/lib/containers/home(/.*)?
192 root_t
194 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
196 /
197 /initrd
198 virt_cache_t
200 /var/cache/oz(/.*)?
202 /var/cache/libvirt(/.*)?
203
206 SELinux requires files to have an extended attribute to define the file
207 type.
208 You can see the context of a file using the -Z option to ls
210 Policy governs the access confined processes have to these files.
212 SELinux logrotate policy is very flexible allowing users to setup their
213 logrotate processes in as secure a method as possible.
214 EQUIVALENCE DIRECTORIES
216 logrotate policy stores data with multiple different file context types
219 under the /var/lib/logrotate directory. If you would like to store the
220 data in a different directory you can use the semanage command to cre‐
221 ate an equivalence mapping. If you wanted to store this data under the
222 /srv directory you would execute the following command:
223 semanage fcontext -a -e /var/lib/logrotate /srv/logrotate
225 restorecon -R -v /srv/logrotate
226 STANDARD FILE CONTEXT
228 SELinux defines the file context types for the logrotate, if you wanted
230 to store files with these types in a diffent paths, you need to execute
231 the semanage command to sepecify alternate labeling and then use
232 restorecon to put the labels on disk.
233 semanage fcontext -a -t logrotate_mail_tmp_t '/srv/mylogrotate_con‐
235 tent(/.*)?'
236 restorecon -R -v /srv/mylogrotate_content
237 Note: SELinux often uses regular expressions to specify labels that
239 match multiple files.
240 The following file types are defined for logrotate:
242 logrotate_exec_t
246 - Set files with the logrotate_exec_t type, if you want to transition
248 an executable to the logrotate_t domain.
249 Paths:
252 /etc/cron.(daily|weekly)/sysklogd, /usr/sbin/logrotate
253 logrotate_lock_t
256 - Set files with the logrotate_lock_t type, if you want to treat the
258 files as logrotate lock data, stored under the /var/lock directory
259 logrotate_mail_tmp_t
263 - Set files with the logrotate_mail_tmp_t type, if you want to store
265 logrotate mail temporary files in the /tmp directories.
266 logrotate_tmp_t
270 - Set files with the logrotate_tmp_t type, if you want to store logro‐
272 tate temporary files in the /tmp directories.
273 logrotate_var_lib_t
277 - Set files with the logrotate_var_lib_t type, if you want to store the
279 logrotate files under the /var/lib directory.
280 Paths:
283 /var/lib/logrotate(/.*)?, /var/lib/logrotate.status.*
284 Note: File context can be temporarily modified with the chcon command.
287 If you want to permanently change the file context you need to use the
288 semanage fcontext command. This will modify the SELinux labeling data‐
289 base. You will need to use restorecon to apply the labels.
290
293 semanage fcontext can also be used to manipulate default file context
294 mappings.
295 semanage permissive can also be used to manipulate whether or not a
297 process type is permissive.
298 semanage module can also be used to enable/disable/install/remove pol‐
300 icy modules.
301 semanage boolean can also be used to manipulate the booleans
303 system-config-selinux is a GUI tool available to customize SELinux pol‐
306 icy settings.
307
310 This manual page was auto-generated using sepolicy manpage .
311
314 selinux(8), logrotate(8), semanage(8), restorecon(8), chcon(1), sepol‐
315 icy(8), setsebool(8), logrotate_mail_selinux(8), logro‐
316 tate_mail_selinux(8)
317logrotate 21-03-26 logrotate_selinux(8)