Re: CentOS 5: rsyncd log problem

On Saturday 21 July 2007, Mogens Kjaer wrote:
> Mogens Kjaer wrote:
> ...
>
> > # ls -lZ /etc/rsyncd.conf
> > -rw-r--r--  root root root:object_r:etc_t              /etc/rsyncd.conf
> > # ls -lZ /var/log/rsyncd.log
> > -rw-r--r--  root root root:object_r:var_log_t          /var/log/rsyncd.log
>
> If I reboot with selinux=disabled logging works to
> the /var/log/rsyncd.log file. If I enable selinux
> again, touch /.autorelabel and reboot, logging
> goes back to /var/log/messages.

I'm sorry for misleading you, my config wasn't as vanilla as I thought. A 
colleague had done some selinux magic to enable rsync to work the way it 
does.

We have a custom selinux module which looks like this (header + rsync part):

---- begin custom.te ----
policy_module(custom,1.0.4)

require {
        class dir { add_name getattr lock read search write };
        class file { append create getattr lock read write };
        class lnk_file { getattr read };
        type ftpd_t;
        type httpd_sys_content_t;
        type httpd_t;
        type rsync_t;
        type var_log_t;
        role system_r;
};

allow rsync_t var_log_t:file { append getattr };
allow rsync_t httpd_sys_content_t:dir { getattr read search };
allow rsync_t httpd_sys_content_t:file { getattr read };
allow rsync_t httpd_sys_content_t:lnk_file { getattr read };
---- end custom.te ----

The key line is the "allow rsync_t var_log_t"-one. This allows rsync to write 
to files in /var (files there inherit var_log_t). The above is not a complete 
instruction on how to get it to work but should be enough to get you started 
in the right direction (unless you haven't already left selinux behind you, 
hehe). You might also want to read the manpage for semodule.

/Peter

> I don't see any SELinux errors.
>
> Mogens
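
Added example, not part of the message above or of the colleague's module: a small Python check that reads the allow rules from the custom.te shown above and reports which AVC denials they would still leave ungranted. The audit lines are constructed samples, and the parser assumes literal `allow` rules only (no attributes, interfaces or macros).

```python
import re

# The allow rules from the custom.te shown in the message above.
CUSTOM_TE = """\
allow rsync_t var_log_t:file { append getattr };
allow rsync_t httpd_sys_content_t:dir { getattr read search };
allow rsync_t httpd_sys_content_t:file { getattr read };
allow rsync_t httpd_sys_content_t:lnk_file { getattr read };
"""

# Constructed audit.log lines (not from the thread) in the usual AVC layout.
SAMPLE_AVC = """\
type=AVC msg=audit(1185012345.101:41): avc:  denied  { append } for  pid=2301 comm="rsync" name="rsyncd.log" dev=sda2 ino=98311 scontext=root:system_r:rsync_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1185012345.102:42): avc:  denied  { write } for  pid=2301 comm="rsync" name="rsyncd.log" dev=sda2 ino=98311 scontext=root:system_r:rsync_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1185012350.007:43): avc:  denied  { read } for  pid=2301 comm="rsync" name="shadow" dev=sda2 ino=4411 scontext=root:system_r:rsync_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")

def parse_allow_rules(te_text):
    """Map (source_type, target_type, class) -> set of granted permissions."""
    rules = {}
    for src, tgt, cls, braced, single in ALLOW_RE.findall(te_text):
        perms = (braced or single).split()
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def uncovered_denials(avc_text, rules):
    """List (source, target, class, missing_perms) for denials the rules do not fully grant."""
    gaps = []
    for line in avc_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms, scon, tcon, cls = m.groups()
        key = (context_type(scon), context_type(tcon), cls)
        missing = set(perms.split()) - rules.get(key, set())
        if missing:
            gaps.append(key + (sorted(missing),))
    return gaps

if __name__ == "__main__":
    for gap in uncovered_denials(SAMPLE_AVC, parse_allow_rules(CUSTOM_TE)):
        print("not granted by custom.te:", gap)
```

On the constructed input, the append denial is covered by the module, while the write denial on var_log_t and the read on another type are reported as not granted.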
