On Wed, 2005-03-23 at 09:54 +0100, Farkas Levente wrote:
> it seems there is no named_log_t defined in the current selinux policy
> files (both on rhel4 and fc3). it would be useful to define such even if
> the current default named doesn't log anything; somebody (like me) would
> like to log something. and got the following errors:

File a bug against the policy, please, and next time, please post to
fedora-selinux-list.

> what more (I don't know why) when I try to relabel the log files to
> named_t I've got these errors:
> ---------------------------------
> Mar 23 09:50:54 blue kernel: audit(1111567854.706:0): avc: denied {
> relabelto } for pid=2922 exe=/usr/bin/chcon name=named-auth dev=md0
> ino=4670608 scontext=root:system_r:unconfined_t
> tcontext=root:object_r:named_t tclass=file

named_t is for the named process, not for any files (except for the
associated /proc/pid entries for the named process), which is why this is
being denied. You want log_domain(named) added to the named policy so
that a named_log_t type will be defined and used for any log files
created by named under /var/log.

--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
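As an added example, not part of the thread: a small Python helper that parses the AVC denial quoted above into its fields, shows the allow rule an audit2allow-style tool would derive from it, and applies the reply's reasoning that a relabelto onto a process domain type calls for a dedicated `<name>_log_t` type (via `log_domain(<name>)`) rather than a blanket allow rule. The set of process domains is caller-supplied and assumed here; the thread only names named_t.

```python
import re

# The AVC denial quoted in the message above (copied from the thread, joined onto one line).
AVC_LINE = (
    "Mar 23 09:50:54 blue kernel: audit(1111567854.706:0): avc: denied { relabelto } "
    "for pid=2922 exe=/usr/bin/chcon name=named-auth dev=md0 ino=4670608 "
    "scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Split one kernel AVC message into result, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for kv in m.group("fields").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    # Break each context into user:role:type so callers can reason about the type.
    for ctx in ("scontext", "tcontext"):
        _user, role, typ = rec[ctx].split(":")[:3]
        rec[ctx + "_role"] = role
        rec[ctx + "_type"] = typ
    return rec


def allow_rule(rec):
    """The rule an audit2allow-style tool would generate from this denial."""
    return "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"]))


def suggest_fix(rec, process_domains):
    """If the denied relabelto targets a process domain (caller-supplied set, an
    assumption), the file needs its own type via log_domain(<name>); otherwise
    fall back to the plain allow rule."""
    target = rec["tcontext_type"]
    if "relabelto" in rec["perms"] and target in process_domains:
        name = target[:-2] if target.endswith("_t") else target
        return "define %s_log_t via log_domain(%s) rather than relabeling to %s" % (
            name, name, target)
    return allow_rule(rec)
```

Running `suggest_fix(parse_avc(AVC_LINE), {"named_t"})` reproduces the reply's recommendation for the quoted denial.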