Bug 1672199

Summary: Create a SELinux boolean to disable cron-logrotate transition
Product: Red Hat Enterprise Linux 8
Reporter: Filip Krska <fkrska>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: medium
Version: 8.1
CC: lef, lvrabec, mmalik, mschena, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: FutureFeature, Triaged
Hardware: All
OS: Linux
Doc Type: Enhancement
Clone Of: 1627075
: 1672200
Last Closed: 2020-05-29 15:00:15 UTC
Type: Bug
Bug Depends On: 1682526

Comment 7 Zdenek Pytela 2020-05-29 15:00:15 UTC
The actual user story can be phrased as follows:

Allow a 3rd party application to be executed from a postrotate scriptlet in logrotate run as a daily cron job. This application requires the execstack permission, which is not allowed for the logrotate_t domain.

This RFE bugzilla has been thoroughly assessed and it was finally decided to close it with the resolution of WONTFIX.

It is seen as low impact to a small number of use-cases. The suggested patch has not been accepted upstream and the business justification was not strong enough to push this patch ahead. There are workarounds known which can be tested in the customer environment.

For the sake of completeness, the approach towards resolving this request would require reaching out to the 3rd party software vendor, probably leading to confining the application and allowing the execstack permission to the new domain only.
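
Added example, not part of the bug report or of the selinux-policy package: a sketch of a local policy module that follows the approach named in the closing comment, confining the application in its own domain and granting execstack to that domain only. The names thirdparty_app, thirdparty_app_t, thirdparty_app_exec_t and the binary path in the comments are hypothetical placeholders; the macros are reference policy macros available when building with the selinux-policy-devel Makefile.

```selinux
# thirdparty_app.te (hypothetical module name)
policy_module(thirdparty_app, 1.0.0)

gen_require(`
	type logrotate_t;
	role system_r;
')

# New domain and the entry-point type for the vendor binary.
# The binary must carry the entry-point label, for example through a
# matching .fc entry such as (placeholder path):
#   /opt/vendor/bin/app  --  gen_context(system_u:object_r:thirdparty_app_exec_t,s0)
type thirdparty_app_t;
type thirdparty_app_exec_t;
application_domain(thirdparty_app_t, thirdparty_app_exec_t)
role system_r types thirdparty_app_t;

# When a process in logrotate_t (including the shell that runs the
# postrotate scriptlet) executes the labelled binary, it leaves
# logrotate_t and enters thirdparty_app_t.
domtrans_pattern(logrotate_t, thirdparty_app_exec_t, thirdparty_app_t)

# The one permission the request was about, granted to the new domain
# only. logrotate_t itself is left unchanged.
allow thirdparty_app_t self:process execstack;

# Everything else the application needs (file access, execmem, network)
# is deliberately absent here and should be added rule by rule from the
# AVC denials observed while testing, not copied from logrotate_t.
```

After loading such a module and relabelling the binary, `sesearch -A -s logrotate_t -p execstack` should still return no rule, which confirms that the permission was not widened for logrotate itself.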