I really prefer my logs to be rotated by time rather than size, so I disabled auditd's rotation and put it into logrotate. This is with unconfined off. It didn't work. Simplest way I found to make it work:
    logging_manage_audit_log(logrotate_t)
-Robin
Not sure if we want to allow this by default for logrotate.
That is fine, but it is not something we want to add to policy.
I figured there was a chance of that, but that you might want to make it optional somehow (a boolean?). If not, I'll bug the auditd people, because I find the current state pretty lame. -Robin
Reassigning to audit. We could allow this but there are problems in that the audit log is covered by Government standards about how it can be handled. I will let them say whether or not they want to allow this.
Let me clarify, then: there are two options here; one is to do the logrotate thing, but the other is to have auditd itself rotate in a time-based fashion rather than a size-based one. I assume the latter would be within the scope of the standards?, but more work. And all of this is just me whining :), because having the log files I'm watching go away at random times is really confusing; if it doesn't work for y'all, I'll certainly drop it. It's a nice-to-have for me, is all. -Robin
If you are using logrotate, you must have it issue "service auditd rotate". Then you are free to grab and move logs. I think several people have this working on the linux-audit mail list.
*Ooooooh*. That's a very different way entirely. I just added this to cron for testing:
    * * * * * /sbin/service auditd rotate
And it works, but reports an irrelevant error about not being able to open /dev/stderr, which can be fixed like this:
    allow initrc_t crond_t:fifo_file open;
That's entirely workable; thank you very much. Passing this back to selinux-policy, as I believe that selinux change to be a tiny tweak and not contentious.
-Robin
Why would initrc_t be opening a fifo_file from crond_t?
You and your perfectly reasonable questions! :) Here's two emails, with and without the change; I think they completely answer the question, except for the "why is service trying to open /dev/stderr?" part, to which I do not know the answer.
    Date: Wed, 10 Aug 2011 04:04:02 -0700
    From: Cron Daemon <root.org>
    To: postmaster
    Subject: Cron <root@morji> /sbin/service auditd rotate

    Rotating logs: [ OK ]

    Date: Wed, 10 Aug 2011 04:04:02 -0700
    From: Cron Daemon <root.org>
    To: postmaster
    Subject: Cron <root@vrici> /sbin/service auditd rotate

    /etc/init.d/functions: line 58: /dev/stderr: Permission denied
    Rotating logs: ^[[60G[ OK ]
Note that everything works fine in both cases.
-Robin
    if [ -z "${CONSOLETYPE:-}" ]; then
        if [ -r "/dev/stderr" ]; then
            CONSOLETYPE="$(/sbin/consoletype < /dev/stderr 2>/dev/null)"
        else
            CONSOLETYPE="$(/sbin/consoletype 2>/dev/null)"
        fi
    fi
Any idea what is going on here? I would figure you would redirect /dev/null?
    CONSOLETYPE="$(/sbin/consoletype < /dev/null 2>/dev/null)"
consoletype reads its stdin to determine what sort of console is attached. However, this code controls what sort of things we *output* to the terminal, so it reads from /dev/stderr to determine what console type that is.
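Added illustration, not part of the original thread (`fd_kind` and `reopens_inherited_pipe` are hypothetical helper names): under cron the job's stderr is a pipe created by crond, so `< /dev/stderr` in /etc/init.d/functions is a fresh open() of that pipe by the init script. The sketch classifies fd 2 and reports when the quoted logic would re-open an inherited pipe.

```shell
#!/bin/sh
# Added illustration; fd_kind and reopens_inherited_pipe are hypothetical names.

# fd_kind N: print what descriptor N of this shell is attached to.
fd_kind() {
    fd=$1
    if [ -t "$fd" ]; then echo tty              # interactive console
    elif [ -p "/dev/fd/$fd" ]; then echo fifo   # pipe, e.g. cron's output collector
    elif [ -c "/dev/fd/$fd" ]; then echo chardev
    elif [ -f "/dev/fd/$fd" ]; then echo file
    else echo other
    fi
}

# Mirrors the test quoted from /etc/init.d/functions: when /dev/stderr is
# readable the script runs `consoletype < /dev/stderr`, which is a new open()
# on whatever fd 2 points at. Prints "yes" when that target is a pipe handed
# down by the caller, i.e. the case SELinux checks as fifo_file open.
reopens_inherited_pipe() {
    if [ -r /dev/stderr ] && [ "$(fd_kind 2)" = fifo ]; then
        echo yes
    else
        echo no
    fi
}

# Demo with stderr attached the way crond does it (a pipe) and to /dev/null.
echo "stderr is a pipe:    $(reopens_inherited_pipe 2>&1)"
echo "stderr is /dev/null: $(reopens_inherited_pipe 2>/dev/null)"
```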
Miroslav, let's add
    optional_policy(`
        cron_read_pipes(initrc_t)
    ')
(In reply to comment #12)
> Miroslav lets add
>
> optional_policy(`
> cron_read_pipes(initrc_t)
> ')
Fixed in F15 policy.
I'm not seeing this fix as of 3.9.16-37.fc15; should I be?
-Robin
Fixed in selinux-policy-3.9.16-39.fc15
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
This is still broken in the same way as https://bugzilla.redhat.com/show_bug.cgi?id=736225 : it works until I disable or remove unconfined. -Robin
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
As I said just above, this isn't fixed in 39. It *does* appear to be fixed in version 41, however. -Robin
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.