5.9. Why can't I just give my log rotation utility write access to the directory containing my log files so it can rotate them?

You can, but it's not recommended. If someone were to break into your system, even though they couldn't modify your logs, they could rotate them enough times (by executing the log rotation utility manually) that the log containing the information gathered during the intrusion is dropped off the face of the earth. This is part of the price you pay for high security.

An alternative to giving your log rotation utility write access to /var/log is to give the cron daemon write access to /var/log and make it inheritable:
lidsconf -A -s /usr/sbin/crond -i -o /var/log -j WRITE
This prevents someone from manually executing your log rotation utility, but will allow it to work when it is executed by the cron daemon. WARNING: If a vulnerability is found in your cron daemon, someone could exploit it and wipe your logs since cron would have write access to /var/log. This defeats the purpose of using MAC in the first place since your access controls can now be circumvented if a vulnerability is found. Use this option at your own discretion!

UPDATE: Because of the new time restriction feature, it is recommended that if crond has write access to /var/log, that access be limited to a specific time period. For example, if logrotated is executed every day at 6:00 AM by crond, limit crond's write access to a 1-minute window:
/sbin/lidsconf -A -s /usr/sbin/crond -i 2 -o /var/log -t 0600-0601 -j WRITE
If 1 minute isn't long enough, extend the time in 1-minute increments until logrotated is executed successfully.
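
A time-restricted ACL only helps if the cron schedule actually starts inside the window. The script below is an added example, not part of the LIDS distribution or this FAQ's own tooling; it checks a crontab line against a -t window and reports how many minutes remain before the window closes. It assumes the window is HHMM-HHMM within a single day with an inclusive start and exclusive end, and that the crontab line has plain numeric minute and hour fields; the function names and the logrotate path are placeholders.

```shell
#!/bin/sh
# Added example: check that a cron start time falls inside a LIDS -t window.
# Assumptions (not taken from LIDS documentation): window is HHMM-HHMM within
# one day, start inclusive, end exclusive; minute and hour fields are numeric.

# Convert HHMM to minutes since midnight, avoiding octal parsing of "08"/"09".
hhmm_to_min() {
    h=${1%??}; m=${1#??}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# Print the minutes left between the cron start and the end of the window.
# Exit 0 if the job starts inside the window, 1 if outside, 2 on bad input.
window_slack() {
    cron_line=$1; window=$2
    set -f; set -- $cron_line; set +f   # split fields without globbing "*"
    min=$1; hour=$2
    case "$min$hour" in
        ''|*[!0-9]*) echo "non-numeric schedule" >&2; return 2;;
    esac
    case "$window" in
        [0-2][0-9][0-5][0-9]-[0-2][0-9][0-5][0-9]) ;;
        *) echo "bad window: $window" >&2; return 2;;
    esac
    start=$(hhmm_to_min "${window%-*}")
    end=$(hhmm_to_min "${window#*-}")
    [ "$end" -gt "$start" ] || { echo "window must not wrap midnight" >&2; return 2; }
    min=${min#0}; hour=${hour#0}
    t=$(( ${hour:-0} * 60 + ${min:-0} ))
    if [ "$t" -ge "$start" ] && [ "$t" -lt "$end" ]; then
        echo $(( end - t )); return 0
    fi
    echo 0; return 1
}

# Constructed sample: the 6:00 AM job and the 0600-0601 window from the text.
window_slack "0 6 * * * /path/to/logrotate" "0600-0601"
```

A result of 1 for the sample means the job starts with the full one-minute window ahead of it; a non-zero exit status means the schedule and the ACL window do not line up and rotation will be denied.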