On Mon, 07 Jul 2008 13:01:55 -0400
Johnny Tan <linuxweb@xxxxxxxxx> wrote:

> Johnny Tan wrote:
> > I'm stumped.
> >
> > I run a Java app called Solr, which does search indexing. My solr
> > server creates the index, then I have a bunch of solr clients that
> > rsync that index over.
> >
> > The rsync itself is fine, that works. The problem is it won't write
> > to the appropriate logfile, which is:
> > /opt/solr/logs/rsyncd.log
> >
> > /opt/solr/logs is a symlink to /var/log/store.
>
> A little bit more information that might help solve this...
>
> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs
> (which basically starts rsyncd), then rsyncd can write to
> /opt/solr/logs/rsyncd.log with no problems.
>
> If I put the symlink back in (to /var/log/store), then it
> fails (again, with no AVC messages).
>
> The only difference I can see between /opt/solr/logs (as a
> directory) and /var/log/store is the default contexts, for
> /opt/solr/logs, it's root:object_r:usr_t, for /var/log/store
> it's root:object_r:var_log_t
>
> When I put the symlink back, I tried changing the context of
> /var/log/store to root:object_r:usr_t to match
> /opt/solr/logs, but that doesn't seem to make a difference.
>
> Max, a list member, suggested offline that it might have to
> do with type_transition, which does seem to make sense.
>
> I tried both:
> type_transition rsync_t var_log_t : file rsync_log_t;
> and
> type_transition rsync_t var_log_t : file usr_t;
>
> But neither worked (I have all the appropriate allows for
> those contexts).
>
>
> Am I going down the right path here (type_transition)? Or
> does anyone else have a suggestion in terms of how the
> symlink can be used?

Can you try this policy module:

::::::::::::::
solr.fc
::::::::::::::
/var/log/store(/.*)?	gen_context(system_u:object_r:rsync_log_t,s0)
::::::::::::::
solr.te
::::::::::::::
policy_module(solr, 0.0.1)

# ======================================================
# Declarations
# ======================================================

require {
	type rsync_t;
	type rsync_log_t;
}

# ======================================================
# Solr local policy
# ======================================================

logging_log_file(rsync_log_t)
logging_log_filetrans(rsync_t,rsync_log_t, { file dir } )

Followed by:

# restorecon -rv /var/log/store

See if that helps.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
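
The steps around the module suggested in the reply above, as an added example that is not part of the original message: build and load solr.pp, relabel the symlink target, then check that the directory really carries rsync_log_t. It assumes solr.te and solr.fc are in the current directory and that the policy development Makefile is installed at /usr/share/selinux/devel/Makefile; the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: build, load and verify the solr module from the thread.
# Assumptions: solr.te/solr.fc in the current directory, policy devel
# Makefile at /usr/share/selinux/devel/Makefile, run as root.

LOG_DIR=/var/log/store     # symlink target named in the thread
LINK=/opt/solr/logs        # symlink named in the thread
WANT_TYPE=rsync_log_t      # type assigned by solr.fc

# Extract the type field from a context (user:role:type[:level]).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only if the context carries the wanted type.
ctx_has_type() {
    [ "$(ctx_type "$1")" = "$2" ]
}

# Print the SELinux context of a path; stat does not follow symlinks,
# so for $LINK this is the label of the link itself, not its target.
path_ctx() {
    stat -c %C "$1"
}

apply_and_verify() {
    make -f /usr/share/selinux/devel/Makefile solr.pp || return 1
    semodule -i solr.pp || return 1
    restorecon -rv "$LOG_DIR" || return 1

    # What the loaded file contexts say a new log file should get.
    matchpathcon "$LOG_DIR/rsyncd.log"

    dir_ctx=$(path_ctx "$LOG_DIR") || return 1
    echo "target: $LOG_DIR -> $dir_ctx"
    echo "link:   $LINK -> $(path_ctx "$LINK")"

    if ctx_has_type "$dir_ctx" "$WANT_TYPE"; then
        echo "OK: $LOG_DIR is labelled $WANT_TYPE"
    else
        echo "FAIL: $LOG_DIR is $(ctx_type "$dir_ctx"), want $WANT_TYPE" >&2
        return 1
    fi
}

# Only touch the system when asked to: ./solr-check.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_and_verify
fi
```
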