Debian has a small app named “savelog” which can rotate logfiles, compressing the old versions and rotating filenames. It’s used in a couple of startup scripts and cron jobs.

The script is labeled logrotate_exec_t in SELinux, giving it the appropriate permissions to modify logfiles.

However, it’s also used to rotate backups of files such as /var/lib/dpkg/status, which is not a log file. The backups are kept in /var/backups, which is somewhat appropriate.

However, the files in the backup dir are labeled backup_store_t, and I’m not sure if I want all logrotate apps to be able to write there…

It would be nice if we had

  • a single app for log rotation instead of multiple ones (e.g. logrotate, savelog, built-in functionality of some services like metalog)
  • cleaner separation of config files and shell scripts, so SELinux domain transitions could be inserted more easily. If you stuff a whole shell script into /etc/cron.d/foobar, you’re doing something really bad…
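
As an added example (not part of the original post), this Python check flags entries in /etc/cron.d-format files whose command is inline shell rather than one executable; an SELinux domain transition needs a labelled file to exec, so such jobs leave nothing to hang a transition on. The sample crontab, the wrapper path /usr/local/sbin/rotate-dpkg-backup and the metacharacter heuristic are assumptions made for illustration.

```python
import re

# Constructed sample in /etc/cron.d format (not taken from a real system).
# /usr/local/sbin/rotate-dpkg-backup is a hypothetical wrapper script.
SAMPLE = """\
# /etc/cron.d/foobar (constructed)
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
25 6 * * * root test -x /usr/bin/savelog && cd /var/backups && savelog -c 7 dpkg.status >/dev/null
@daily root /usr/local/sbin/rotate-dpkg-backup
*/5 * * * * www-data for f in /tmp/*.log; do gzip "$f"; done
17 * * * * root /usr/sbin/logrotate /etc/logrotate.conf
"""

# Environment assignments such as SHELL=... are not jobs.
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
# Heuristic (assumption): shell syntax that means the job is a script,
# not a single exec of a labelled file.
INLINE_SHELL = re.compile(
    r"&&|\|\||[;|`]|\$\(|(?:^|\s)(?:if|for|while|case|cd)\s"
)


def split_entry(line):
    """Return (user, command) for a system crontab line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    # "@daily user cmd" has one schedule field, the classic form has five.
    n_time = 1 if line.startswith("@") else 5
    parts = line.split(None, n_time + 1)
    if len(parts) < n_time + 2:
        return None
    return parts[n_time], parts[n_time + 1]


def audit(text):
    """List (lineno, user, command) for jobs that embed shell logic."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = split_entry(line)
        if entry and INLINE_SHELL.search(entry[1]):
            findings.append((no, entry[0], entry[1]))
    return findings


if __name__ == "__main__":
    for no, user, cmd in audit(SAMPLE):
        print(f"line {no} ({user}): inline shell: {cmd}")
```

Jobs it reports are candidates for moving into a script file of their own, which can then carry its own file label.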