Hi William,

the access mode for the rhds logs is set in these configuration settings under cn=config:

nsslapd-auditlog-mode
nsslapd-errorlog-mode
nsslapd-accesslog-mode

I don't know whether we could use a value to just inherit from acl defined.

Regards, German

----- Original Message -----
> From: "William" <william@xxxxxxxxxxxxxxx>
> To: "389-users" <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Friday, February 13, 2015 1:21:25 AM
> Subject: acl on logs, 389 strips effective rights mask.
>
> Hi,
>
> We have a log monitoring system that we are attempting to give access to
> be able to read our dirsrv access, error, and audit logs to. We have set
> the default ACL on /var/log/dirsrv/slapd-inst/ to be:
>
>
> # file: .
> # owner: nobody
> # group: nobody
> user::rwx
> user:splunk:r-x
> group::rwx #effective:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:splunk:r-x
> default:group::rwx #effective:r-x
> default:mask::r-x
> default:other::---
>
>
> When you touch a test file it correctly inherits the ACL:
>
> # file: test
> # owner: nobody
> # group: nobody
> user::rw-
> user:splunk:r-x
> group::rwx #effective:r-x
> mask::r-x
> other::---
>
> However, once 389 rotates the logs the permissions are incorrectly set
> to:
>
>
> # file: access
> # owner: nobody
> # group: nobody
> user::rw-
> user:splunk:r-x #effective:---
> group::rwx #effective:---
> mask::---
> other::---
>
>
> IE the effective rights mask is stripped.
>
> I believe that there is something that is happening in the 389 log
> rotation process that causes this to be stripped, I just can't identify
> what. Any advice would be appreciated.
>
> Sincerely,
>
> --
> William <william@xxxxxxxxxxxxxxx>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
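How the log mode settings named in the reply relate to the stripped mask, as an added example that is not part of the thread or of 389 Directory Server: a small model of the Linux POSIX ACL rule (acl(5)) under which the group bits of a file's creation mode limit the ACL mask. It assumes the server creates rotated logs with the mode from nsslapd-accesslog-mode, that 600 is the value in effect, and that 640 is a candidate replacement; the function names are hypothetical.

```python
"""Model: the group bits of a log file's mode become the ceiling of its ACL mask."""

# Default ACL of /var/log/dirsrv/slapd-inst/ as posted in the thread.
DEFAULT_ACL = """\
default:user::rwx
default:user:splunk:r-x
default:group::rwx #effective:r-x
default:mask::r-x
default:other::---
"""

def bits(perm):
    """'r-x' -> 5"""
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def text(n):
    """5 -> 'r-x'"""
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse_default_acl(listing):
    """Parse the default: entries of getfacl output into {(tag, qualifier): bits}."""
    acl = {}
    for line in listing.splitlines():
        line = line.split("#")[0].strip()      # drop '#effective:' comments
        if line.startswith("default:"):
            tag, qualifier, perm = line[len("default:"):].split(":")
            acl[(tag, qualifier)] = bits(perm)
    return acl

def acl_for_new_file(default_acl, mode):
    """Access ACL of a file created with `mode` in a directory with a default ACL."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("mask", "")] &= (mode >> 3) & 7       # group bits limit the mask, not group::
    acl[("other", "")] &= mode & 7
    return acl

def effective(acl, tag, qualifier=""):
    """Named users and all group entries are filtered through the mask."""
    return acl[(tag, qualifier)] & acl[("mask", "")]

def report(mode):
    acl = acl_for_new_file(parse_default_acl(DEFAULT_ACL), mode)
    return {"mask": text(acl[("mask", "")]),
            "splunk": text(effective(acl, "user", "splunk")),
            "group": text(effective(acl, "group"))}

if __name__ == "__main__":
    for mode in (0o600, 0o640):                # assumed current value, candidate value
        print(oct(mode), report(mode))
```

In this model a mode of 640 also leaves the owning group with effective read access, so the group that owns the log directory matters as much as the named splunk entry.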