Karsten Wade wrote:
/.autorelabel will only get created when switching from one type of policy to another (strict <--> targeted)On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
BTW, if this works, you'll want to do something to make the change permanent. Otherwise, the next running of restorecon will hose your configuration.
Two options jump to mind:
* Move the logs into a path that will receive httpd_log_t, i.e., /var/logs/httpd/
* Install the policy sources (yum install selinux-policy-targeted-sources), and do the following:
1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
2. Add this line: /var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
Feel free to correct my regexp, but I think it's right. :)
3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make load'. This will build and load the new policy directly into memory.
4. If you now do restorecon, the /var/www/*/logs directories should get the proper context.
Be aware that if you make another change to SELinux, especially using
system-config-securitylevel, the file /.autorelabel may get created. That triggers a relabeling on reboot, and may hose any manual
customizations not fixed in policy.
- Karsten
Looking back on this chain, it seems that if he had httpd_unified set it should have been able to write to the log files anyways,
This might be a bug in policy?
