I had to make a new SELinux policy module to allow logrotate to handle OSSEC logs. This is a good methodology for not having to build the policy piecemeal (in enforcing mode a program normally stops at the first operation that is denied, so you would otherwise have to rerun it once for each type of operation that needs fixing; in permissive mode every denial is logged in a single run):
# 1. Permissive mode: denials are logged but not blocked, so one run records all of them.
setenforce 0
# 2. Exercise the program so its AVC denials land in the audit log.
systemctl restart logrotate
# 3. Turn today's denials into a policy source file. audit2allow -m takes the module
#    name and writes the .te to stdout, so redirect it into the file.
ausearch -ts today | tail -1000 | audit2allow -m logrotateossec2 > logrotateossec2.te
# 4. Review the generated rules before building anything from them.
vim logrotateossec2.te
# 5. Compile the source, package it as a module, and install it.
checkmodule -M -m -o logrotateossec2.mod logrotateossec2.te
semodule_package -o logrotateossec2.pp -m logrotateossec2.mod
semodule -i logrotateossec2.pp
# 6. Back to enforcing mode and confirm the restart now succeeds.
setenforce 1
systemctl restart logrotate
The full logrotateossec2.te:
module logrotateossec2 1.0;

require {
    type logrotate_t;
    type var_t;
    class dir { add_name read remove_name write };
    class file { create rename setattr write };
}

#============= logrotate_t ==============
allow logrotate_t var_t:dir { add_name read remove_name write };
allow logrotate_t var_t:file { create rename setattr write };
I’m starting to understand the format of these files bit by bit.
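Before installing a generated module it is worth checking what its rules actually grant. Both rules above target var_t, the default type for anything under /var that carries no more specific label, so the module lets logrotate_t write far more than the OSSEC logs. The narrower fix is usually to give the OSSEC log directory a log type (semanage fcontext -a -t var_log_t 'OSSEC_LOG_DIR(/.*)?' with the real path in place of the placeholder, then restorecon -R on it), since the stock logrotate policy already lets logrotate_t manage var_log_t files. Similarly, setenforce 0 makes the whole system permissive for the test run, whereas semanage permissive -a logrotate_t limits that to the one domain. The script below is an added example, not part of the original post: a plain POSIX sh review helper that flags allow rules in a .te file whose target is a catch-all type, demonstrated on the module from the post. The list of catch-all types is this example's own assumption, not something SELinux tooling defines.

```shell
#!/bin/sh
# Added review helper for audit2allow output (not from the original post).
# It lists every allow rule whose target is a catch-all type. Granting
# logrotate_t write access to var_t covers every file under /var that has no
# more specific label, which usually means the log directory is mislabelled
# rather than that the policy needs to be this broad. The set of catch-all
# types is this example's assumption, not something SELinux defines.
GENERIC_TYPES="var_t default_t unlabeled_t usr_t"

# flag_generic_rules FILE
#   Print each "allow SRC TGT:CLASS ..." line in FILE whose TGT is a catch-all
#   type. Exit status 0 if at least one such rule was found, 1 otherwise.
flag_generic_rules() {
    te_file=$1
    found=1
    # Redirecting the file into the loop (rather than piping) keeps the loop
    # in the current shell, so "found" survives past it in POSIX sh.
    while read -r kw src rest; do
        [ "$kw" = "allow" ] || continue
        tgt=${rest%%:*}   # text before the first ':' is the target type
        for g in $GENERIC_TYPES; do
            if [ "$tgt" = "$g" ]; then
                printf 'broad rule: allow %s %s\n' "$src" "$rest"
                found=0
            fi
        done
    done < "$te_file"
    return "$found"
}

# write_sample_te FILE: write the module from the post into FILE so the check
# can be demonstrated offline (constructed input, copied from the post).
write_sample_te() {
    cat > "$1" <<'EOF'
module logrotateossec2 1.0;

require {
    type logrotate_t;
    type var_t;
    class dir { add_name read remove_name write };
    class file { create rename setattr write };
}

allow logrotate_t var_t:dir { add_name read remove_name write };
allow logrotate_t var_t:file { create rename setattr write };
EOF
}

# Demonstration: both rules in the post target var_t, so both are reported.
sample=$(mktemp)
write_sample_te "$sample"
if flag_generic_rules "$sample"; then
    echo "review these rules; consider relabelling the log directory instead"
fi
rm -f "$sample"
```

Run it as-is to see the two var_t rules flagged, or point flag_generic_rules at your own audit2allow output before the checkmodule step; a rule targeting a specific type such as var_log_t is not reported.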