Thomas Vander Stichele wrote:
I want to take this particular bug as a way of figuring out how to "fix" bugs and provide patches.

On FC5, with bind-chroot installed, /var/named/chroot/var/log is labeled as

  S_Context: system_u:object_r:named_conf_t

This causes audit messages like:

  audit(1177506082.955:23904): avc: denied { getattr } for pid=2781 comm="named" name="debug.log" dev=dm-0 ino=2850829 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

and the log files aren't being written to.

When I manually change files:

  chcon -R system_u:object_r:var_log_t log/

it works. Of course, a restorecon resets to named_conf_t.

Is the best way to fix this straight in the selinux source policy? Or should I create an add-on .te and load it to override?
Or you could do:

  # semanage fcontext -a -t var_log_t '/var/named/chroot/var/log(/.*)?'
  # restorecon -Rv /var/named/chroot/var/log

That would survive a policy update, relabel etc.

Paul.
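The persistent fix Paul describes, written out as a script. This is an added example for the thread, not code posted by Paul or Thomas. It assumes a Fedora/RHEL host with policycoreutils and libselinux-utils (semanage, restorecon, matchpathcon, stat -c %C), the bind-chroot log path from the thread, and var_log_t as the target type; the AVC line Thomas quoted is embedded as constructed sample input so the parsing helpers can be exercised on any box. The apply and verify actions need root and an SELinux-enabled system.

```shell
#!/bin/sh
# Added example for this thread (not Paul's or Thomas's code). Assumes a Fedora/RHEL
# host with policycoreutils and libselinux-utils (semanage, restorecon, matchpathcon)
# and the bind-chroot layout from the thread. apply/verify need root; the parsing
# helpers need only POSIX sh, sed, awk and cut.
set -eu

CHROOT_LOG_DIR="${CHROOT_LOG_DIR:-/var/named/chroot/var/log}"   # path from the thread
WANT_TYPE="${WANT_TYPE:-var_log_t}"                                # type Paul's rule assigns

# Constructed sample input: the denial Thomas quoted, kept on one line.
SAMPLE_AVC='audit(1177506082.955:23904): avc: denied { getattr } for pid=2781 comm="named" name="debug.log" dev=dm-0 ino=2850829 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Build the regex semanage fcontext expects: the directory itself and everything under it.
fcontext_regex() {
    printf '%s(/.*)?\n' "$1"
}

# Pull one key=value field out of an AVC line, dropping the quotes audit puts
# around comm= and name=.  $1 = field name, $2 = the audit line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# The permission set inside "denied { ... }", e.g. "getattr" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# Type component of an SELinux context (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type that was on the denied object when the AVC fired.
avc_file_type() {
    context_type "$(avc_field tcontext "$1")"
}

# Domain that was denied (the process side).
avc_domain() {
    context_type "$(avc_field scontext "$1")"
}

# One-line summary of a denial, worth reading before deciding on a label change.
avc_summary() {
    printf '%s (%s): %s on %s %s (%s)\n' \
        "$(avc_field comm "$1")" "$(avc_domain "$1")" "$(avc_perms "$1")" \
        "$(avc_field tclass "$1")" "$(avc_field name "$1")" "$(avc_file_type "$1")"
}

# Persistently relabel a directory tree: record the rule with semanage, then
# apply it.  An existing local rule for the same regex makes "semanage -a" fail,
# so check the local customizations (-C) first and modify instead of add.
apply_fcontext() {
    dir=$1
    regex=$(fcontext_regex "$dir")
    echo "default label before change: $(matchpathcon "$dir")"
    if semanage fcontext -l -C | awk -v r="$regex" '$1 == r { found = 1 } END { exit !found }'; then
        semanage fcontext -m -t "$WANT_TYPE" "$regex"
    else
        semanage fcontext -a -t "$WANT_TYPE" "$regex"
    fi
    restorecon -Rv "$dir"
}

# Confirm every inode under the directory now carries WANT_TYPE; lists offenders
# and exits non-zero otherwise.  Reads the on-disk labels, not the policy.
verify_labels() {
    find "$1" -exec stat -c '%C %n' {} + \
        | awk -v t="$WANT_TYPE" '{ split($1, c, ":"); if (c[3] != t) { print "wrong label: " $0; bad = 1 } } END { exit bad }'
}

case "${1:-}" in
    apply)  apply_fcontext "$CHROOT_LOG_DIR" ;;
    verify) verify_labels "$CHROOT_LOG_DIR" ;;
    parse)  avc_summary "${2:-$SAMPLE_AVC}" ;;
    *)      ;;   # no action: only define the functions (so the file can be sourced)
esac
```

Usage: `sh fix-named-log.sh apply` records the rule and relabels, `sh fix-named-log.sh verify` checks that nothing under the directory still carries another type (run it again after a `touch /.autorelabel` reboot or a policy update to confirm the rule really survived), and `sh fix-named-log.sh parse "<avc line>"` summarizes a denial pasted from /var/log/audit/audit.log. The -C check matters in practice: re-running a plain `semanage fcontext -a` against an already-customized spec errors out, which is easy to hit from a config-management tool.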