I want SELinux to allow the LogRotate daemon to rotate and compress the audit logs under /var/log/audit/audit.log, but it's being blocked with this error message showing up:
Oct 27 04:06:03 setroubleshoot: SELinux is preventing /usr/sbin/logrotate "read" access on /var/log/audit.
The context of the /var/log/audit directory is:
drwxr-x---. root root system_u:object_r:auditd_log_t:s0 audit
Is there a context I can give a file or directory that will make SELinux behave as if it were turned off? I'm swimming in documentation and I'm not going to learn this thing overnight, so I'd like to implement a workaround until I can do it right. Any pushes in the right direction are welcome.
Edit: I'm also finding that all the documentation I'm coming across doesn't match what actually exists on my CentOS 6 server (i.e. file and config locations). Has anyone else had this problem and know of a good source for "correct" information?
Edit 2: I take this back; they have instructions on building policies in a different section. http://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
FINAL EDIT: So my end goal was to try and get a daily rotation of the audit logs because I have a daily email sent out with any new SELinux alerts, but I kept getting the same messages. So I tried creating a new logrotate rule to do these logs, but SELinux was blocking it. Turns out that auditd has a built-in rotate function that can be called by running /sbin/service auditd rotate
which rotates the logs. I can simply set that in a daily cron job. I still think the SELinux question holds value, so if anyone wants to answer it, it might help future googlers.
Try this:
https://bugzilla.redhat.com/show_bug.cgi?id=682473
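An added example, not part of the original thread or the linked bug report: before building a policy module for a denial like the one in the question, it helps to see exactly which source type, target type, class and permissions the audit log records. The function name `avc_to_allow`, the `logrotate_t` source type and the sample records are assumptions constructed for illustration; only `auditd_log_t` comes from the post.

```shell
#!/bin/sh
# Summarise AVC denials from audit.log records (stdin) as candidate
# "allow" rules, one per source/target/class, for review before any
# policy module is written. Hypothetical helper, not a system tool.
avc_to_allow() {
  awk '
    /avc:/ && /denied/ {
      perms = $0
      sub(/^[^{]*[{] */, "", perms)   # drop everything up to "{ "
      sub(/ *[}].*$/, "", perms)      # drop " }" and the rest
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # The SELinux type is the third colon-separated context field.
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next   # malformed record
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in seen)) {   # de-duplicate repeated denials
          seen[key, p[j]] = 1
          rule[key] = rule[key] " " p[j]
        }
    }
    END { for (k in rule) print "allow " k " {" rule[k] " };" }
  ' | sort
}

# Constructed sample records (not taken from the poster's server).
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1319702763.101:201): avc:  denied  { read } for  pid=4211 comm="logrotate" name="audit" dev=dm-0 ino=131 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1319702763.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="logrotate"
type=AVC msg=audit(1319702763.102:202): avc:  denied  { getattr } for  pid=4211 comm="logrotate" name="audit" dev=dm-0 ino=131 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1319789163.101:310): avc:  denied  { read } for  pid=5120 comm="logrotate" name="audit" dev=dm-0 ino=131 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1319789163.105:311): avc:  denied  { read } for  pid=5120 comm="logrotate" name="audit.log" dev=dm-0 ino=140 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
EOF
}

sample_avc | avc_to_allow
```

On a real host the input would be `/var/log/audit/audit.log`; the output is a summary to read, not something to load as policy unreviewed.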