Being an old-fashioned sort of guy, I always create a separate partition (well, logical volume these days) for /tmp and various other top-level directories. Hence I have a directory /tmp/lost+found and every day I get an email from cron like this:
Subject: Cron root@goalkeeper run-parts /etc/cron.daily
Date: Tue, 27 May 2008 04:17:12 +0100
/etc/cron.daily/tmpwatch:
error: failed to lstat /tmp/lost+found: Permission denied
The following policy fixes this:
policy_module(localmisc, 0.0.1)
require { type tmpreaper_t; }
# Allow tmpwatch to stat /tmp/lost+found
files_getattr_lost_found_dirs(tmpreaper_t)
Paul.
Paul Howarth wrote:
> Being an old-fashioned sort of guy, I always create a separate partition (well, logical volume these days) for /tmp and various other top-level directories. Hence I have a directory /tmp/lost+found and every day I get an email from cron like this:
> Subject: Cron root@goalkeeper run-parts /etc/cron.daily
> Date: Tue, 27 May 2008 04:17:12 +0100
> /etc/cron.daily/tmpwatch:
> error: failed to lstat /tmp/lost+found: Permission denied
> The following policy fixes this:
> policy_module(localmisc, 0.0.1)
> require { type tmpreaper_t; }
> # Allow tmpwatch to stat /tmp/lost+found
> files_getattr_lost_found_dirs(tmpreaper_t)
> Paul.
That is funny because the policy has
files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
So in order to get rid of the error, we need to allow it, which seems reasonable.
On Wed, 28 May 2008 15:00:21 -0400 Daniel J Walsh dwalsh@redhat.com wrote:
> Paul Howarth wrote:
> > Being an old-fashioned sort of guy, I always create a separate partition (well, logical volume these days) for /tmp and various other top-level directories. Hence I have a directory /tmp/lost+found and every day I get an email from cron like this:
> > Subject: Cron root@goalkeeper run-parts /etc/cron.daily
> > Date: Tue, 27 May 2008 04:17:12 +0100
> > /etc/cron.daily/tmpwatch:
> > error: failed to lstat /tmp/lost+found: Permission denied
> > The following policy fixes this:
> > policy_module(localmisc, 0.0.1)
> > require { type tmpreaper_t; }
> > # Allow tmpwatch to stat /tmp/lost+found
> > files_getattr_lost_found_dirs(tmpreaper_t)
> > Paul.
> That is funny because the policy has
> files_dontaudit_getattr_lost_found_dirs(tmpreaper_t)
> So in order to get rid of the error, we need to allow it, which seems reasonable.
Yes, the dontaudit made it that much harder to figure out what was going on but "semodule -BD" came to the rescue there.
Paul.
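The troubleshooting path this thread describes (rebuild the policy without dontaudit rules, reproduce the failure, read the denial that was being hidden), as an added example that is not part of the original posts. The AVC record is constructed, the function names are hypothetical, and lost_found_t is assumed to be the label on /tmp/lost+found.

```shell
#!/bin/sh
# Constructed sample (not from the thread): the kind of AVC record that shows
# up in the audit log only after dontaudit rules are disabled.
SAMPLE_AVC='type=AVC msg=audit(1211858232.101:412): avc:  denied  { getattr } for  pid=2301 comm="tmpwatch" path="/tmp/lost+found" dev=dm-3 ino=11 scontext=system_u:system_r:tmpreaper_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir'

# Read audit records on stdin; print one allow rule per distinct AVC denial.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # The denied permission set sits between the first "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # Contexts are user:role:type[:level]; the type is the third part.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        rule = "allow " src " " tgt ":" cls " { " perms " };"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# The procedure itself; needs root on an SELinux host, so it is only defined here.
find_hidden_denials() {
    semodule -DB || return 1    # rebuild policy with dontaudit rules disabled
    /etc/cron.daily/tmpwatch    # reproduce the failure from the cron mail
    ausearch -m avc -ts recent -c tmpwatch | avc_to_allow
    semodule -B                 # rebuild again so dontaudit rules apply once more
}
```

For the sample record the output is a getattr rule from tmpreaper_t on lost_found_t directories, which is the access the files_getattr_lost_found_dirs(tmpreaper_t) line in the local module grants.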