Re: rsyncd can't open log file, but there are no avc messages

Johnny Tan wrote:
I'm stumped.

I run a Java app called Solr, which does search indexing. My solr server creates the index, then I have a bunch of solr clients that rsync that index over.

The rsync itself is fine, that works. The problem is it won't write to the appropriate logfile, which is:
/opt/solr/logs/rsyncd.log

/opt/solr/logs is a symlink to /var/log/store.

Here's how it looks:

==

[root@solr:~]# ls -l /opt/solr/
lrwxrwxrwx  1 tomcat tomcat   14 Apr 29 13:52 logs -> /var/log/store

[root@solr:~]# ls -ldZ /opt/solr/logs/
drwxr-xr-x  tomcat tomcat user_u:object_r:var_log_t /opt/solr/logs/

[root@solr:~]# ls -ldZ /var/log/store
drwxr-xr-x  tomcat tomcat user_u:object_r:var_log_t /var/log/store

[root@solr:~]# ls -Z /opt/solr/logs/rsyncd.log
-rw-rw-rw- tomcat tomcat user_u:object_r:var_log_t /var/log/store/rsyncd.log

==

Note that the mode is 666 on the rsyncd.log. When a client tries to connect, though, I get, in /var/log/messages:

Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file /opt/solr/logs/rsyncd.log: Permission denied (13)

But there are no avc denials (no, I don't have audit package installed, so all avc messages go to /var/log/messages -- I do get avc denials for other things).

So, at first, I didn't think it was selinux-related, and tried to troubleshoot general unix permissions. But got nowhere.

Then I noticed... when I put selinux in permissive mode, it works -- rsyncd properly logs to the above file. When I set it back to enforcing, I get the above error in /var/log/messages and nothing in the rsyncd.log, but no avc denials either.


Any ideas?

Turn off the dontaudit rules:
# semodule -DB

You should then see the AVCs and be able to generate the policy module you need.

You can then turn back on the dontaudit rules:
# semodule -B

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
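
Added example, not part of the original message: once `semodule -DB` has disabled the dontaudit rules and the rsync client has connected again, the new AVC lines can be summarised per source type, target type, class and permission before a policy module is generated from them. The function names and the log lines below are constructed for illustration; the denials shown are not the ones from the poster's system.

```shell
#!/bin/sh
# Constructed sample standing in for /var/log/messages after `semodule -DB`
# (the poster has no audit package, so AVCs land in syslog).
sample_log() {
cat <<'EOF'
Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file /opt/solr/logs/rsyncd.log: Permission denied (13)
Jun 24 10:20:01 solr kernel: audit(1214317201.123:45): avc:  denied  { search } for  pid=19401 comm="rsync" name="log" dev=dm-0 ino=1001 scontext=user_u:system_r:rsync_t tcontext=system_u:object_r:var_log_t tclass=dir
Jun 24 10:20:01 solr kernel: audit(1214317201.124:46): avc:  denied  { append } for  pid=19401 comm="rsync" name="rsyncd.log" dev=dm-0 ino=1002 scontext=user_u:system_r:rsync_t tcontext=user_u:object_r:var_log_t tclass=file
Jun 24 10:20:07 solr kernel: audit(1214317207.500:47): avc:  denied  { append } for  pid=19410 comm="rsync" name="rsyncd.log" dev=dm-0 ino=1002 scontext=user_u:system_r:rsync_t tcontext=user_u:object_r:var_log_t tclass=file
Jun 24 10:21:00 solr kernel: audit(1214317260.000:48): avc:  denied  { read } for  pid=300 comm="crond" name="x" dev=dm-0 ino=7 scontext=system_u:system_r:crond_t tcontext=user_u:object_r:tmp_t tclass=file
EOF
}

# avc_summary COMM < logfile
# Prints one line per distinct denial for that command:
#   count source_type target_type:class { perms }
avc_summary() {
    awk -v comm="$1" '
    /avc: +denied/ && index($0, "comm=\"" comm "\"") {
        perms = $0
        sub(/.*[{] */, "", perms)      # drop everything up to the opening brace
        sub(/ *[}].*/, "", perms)      # drop the closing brace and the rest
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }  # type is field 3
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " " t ":" c " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}

# On the affected host, as root, the order from the reply above would be:
#   semodule -DB                          # dontaudit rules off
#   (let an rsync client connect)
#   avc_summary rsync < /var/log/messages
#   semodule -B                           # dontaudit rules back on
sample_log | avc_summary rsync
```

Reviewing the summary first shows exactly which accesses a generated module would allow, so only the denials that belong to the logging problem end up in local policy.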
