I am using the bind-chroot package in FC6 and am tying
to get named in the chroot to log queries and named
activity to /var/log/named/named.log (outside of the
chroot) via a logging device in the chroot /dev/log.
Selinux is preventing syslogd from creating the device
and genereating the following errors:
type=AVC msg=audit(1168359275.971:7): avc: denied {
search } for pid=1587 comm="syslogd" name="named"
dev=dm-3 ino=10704673
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:name
d_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1168359275.971:7):
arch=40000003 syscall=10 success=no exit=-13
a0=bfcacf08 a1=1b6 a2=c1e120 a3=bfcab31c items=0
ppid=1586 pid=1587 auid=4294967295 uid=0 gid=0 euid=0
suid=0 f
suid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd"
exe="/sbin/syslogd"
subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1168359275.995:8): avc: denied {
search } for pid=1587 comm="syslogd" name="named"
dev=dm-3 ino=10704673
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:name
d_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1168359275.995:8):
arch=40000003 syscall=102 success=no exit=-13 a0=2
a1=bfca8ec0 a2=c1e120 a3=bfcab31c items=0 ppid=1586
pid=1587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fs
uid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="syslogd"
exe="/sbin/syslogd"
subj=system_u:system_r:syslogd_t:s0 key=(null)
I suppose I could use audit2allow to allow this, but
am wondering why the policy was changed from FC4 to
disable this.
____________________________________________________________________________________
The fish are biting.
Get more visitors on your site using Yahoo! Search Marketing.
http://searchmarketing.yahoo.com/arp/sponsoredsearch_v2.php
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
