Frustrating reuse of applications
Debian has a small app named “savelog” which can rotate logfiles, compressing the old versions and rotating filenames. It’s used in a couple of startup scripts and cron jobs.
The script is labeled logrotate_exec_t in SELinux, giving it the appropriate permissions to modify logfiles.
However, it’s also used to rotate backup files of e.g. /var/lib/dpkg/status, which is not a log file; the backups are kept in /var/backups, which is somewhat appropriate.
However, the files in the backup dir are labeled backup_store_t, and I’m not sure if I want all logrotate apps to be able to write there…
It would be nice if we had:
- one app for log rotation instead of several (e.g. logrotate, savelog, built-in functionality of some services like metalog)
- cleaner separation of config files and shell scripts, so SELinux domain transitions could be inserted more easily. If you stuff a whole shell script into /etc/cron.d/foobar, you’re doing something really bad…
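To illustrate the last point, an added example (not from the original post): a job whose logic sits inline in a cron.d line offers no single file that could be given its own SELinux entrypoint type, so the check below flags such entries. The sample crontab, its paths and its job names are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Flags /etc/cron.d-style jobs that
# embed shell logic instead of calling one executable that could be labeled
# with its own SELinux type.

# Constructed sample in system crontab format (time fields, user, command).
sample_cron_d() {
    cat <<'EOF'
# constructed sample, hypothetical paths and job names
SHELL=/bin/sh
25 6 * * * root /usr/local/sbin/rotate-dpkg-backup
30 6 * * * root cd /var/backups && savelog -c 7 dpkg.status >/dev/null
@daily root test -x /usr/sbin/foobar && /usr/sbin/foobar | logger -t foobar
40 6 * * * root /usr/sbin/foobar --quiet >/dev/null 2>&1
EOF
}

# Print "LINE:COMMAND" for every job whose command chains or pipes commands,
# uses command substitution, or is wrapped in "sh -c". Plain redirections
# such as ">/dev/null 2>&1" are not flagged. Reads the named file, or stdin.
inline_shell_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # environment settings
        {
            # Fields before the command: five time fields plus the user,
            # or one @keyword plus the user.
            skip = ($1 ~ /^@/) ? 2 : 6
            if (NF < skip + 1) next
            cmd = $0
            for (i = 1; i <= skip; i++)
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
            if (cmd ~ /;|\||&&|`|\$\(/ || cmd ~ /^(\/bin\/)?(ba)?sh[ \t]+-c/)
                print NR ":" cmd
        }
    ' "${1:--}"
}

# Demo on the constructed sample; for a real file: inline_shell_entries FILE
sample_cron_d | inline_shell_entries
```

Each flagged command is a candidate for moving into its own script file, leaving only the call to that script in the cron.d entry.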