On Tue, 08 Jul 2008 16:51:24 -0400
Johnny Tan <linuxweb@xxxxxxxxx> wrote:

> Paul Howarth wrote:
> > On Tue, 08 Jul 2008 16:36:13 -0400
> > Johnny Tan <linuxweb@xxxxxxxxx> wrote:
> >
> >> Paul Howarth wrote:
> >>> On Mon, 07 Jul 2008 13:01:55 -0400
> >>> Johnny Tan <linuxweb@xxxxxxxxx> wrote:
> >>>
> >>>> Johnny Tan wrote:
> >>>>> I'm stumped.
> >>>>>
> >>>>> I run a Java app called Solr, which does search indexing. My
> >>>>> solr server creates the index, then I have a bunch of solr
> >>>>> clients that rsync that index over.
> >>>>>
> >>>>> The rsync itself is fine, that works. The problem is it won't
> >>>>> write to the appropriate logfile, which is:
> >>>>> /opt/solr/logs/rsyncd.log
> >>>>>
> >>>>> /opt/solr/logs is a symlink to /var/log/store.
> >>>> A little bit more information that might help solve this...
> >>>>
> >>>> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs
> >>>> (which basically starts rsyncd), then rsyncd can write to
> >>>> /opt/solr/logs/rsyncd.log with no problems.
> >>>>
> >>>> If I put the symlink back in (to /var/log/store), then it
> >>>> fails (again, with no AVC messages).
> >>>>
> >>>> The only difference I can see between /opt/solr/logs (as a
> >>>> directory) and /var/log/store is the default contexts, for
> >>>> /opt/solr/logs, it's root:object_r:usr_t, for /var/log/store
> >>>> it's root:object_r:var_log_t
> >>>>
> >>>> When I put the symlink back, I tried changing the context of
> >>>> /var/log/store to root:object_r:usr_t to match
> >>>> /opt/solr/logs, but that doesn't seem to make a difference.
> >>>>
> >>>> Max, a list member, suggested offline that it might have to
> >>>> do with type_transition, which does seem to make sense.
> >>>>
> >>>> I tried both:
> >>>> type_transition rsync_t var_log_t : file rsync_log_t;
> >>>> and
> >>>> type_transition rsync_t var_log_t : file usr_t;
> >>>>
> >>>> But neither worked (I have all the appropriate allows for
> >>>> those contexts).
> >>>>
> >>>>
> >>>> Am I going down the right path here (type_transition)? Or
> >>>> does anyone else have a suggestion in terms of how the
> >>>> symlink can be used?
> >>>
> >>> Can you try this policy module:
> >>>
> >>> ::::::::::::::
> >>> solr.fc
> >>> ::::::::::::::
> >>> /var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)
> >> ==
> >>
> >> # semanage fcontext -a -t rsync_log_t "/var/log/store(/.*)?"
> >> libsepol.context_from_record: type rsync_log_t is not defined
> >> libsepol.context_from_record: could not create context structure
> >> libsemanage.validate_handler: invalid context
> >> system_u:object_r:rsync_log_t:s0 specified for
> >> /var/log/store(/.*)? [all files]
> >> libsemanage.dbase_llist_iterate: could not iterate over records
> >> /usr/sbin/semanage: Could not add file context for
> >> /var/log/store(/.*)?
> >>
> >> ==
> >>
> >> It seems rsync_log_t is not defined. Can I somehow do this
> >> without having rsync_log_t?
> >>
> >> It works fine when I don't use a symlink, so I assume
> >> rsync_log_t is not necessary for this to work.
> >>
> >> But I need the symlink because I need the files to be stored
> >> in /var/log/store, as opposed to /opt/solr/logs.
> >
> > I thought from earlier messages you were on RHEL 5? I've tested this
> > module with CentOS 5.2 and it loads just fine.
> >
> > Which policy version are you using?
>
> selinux-policy-2.4.6-106.el5_1.3
>
> I haven't updated yet to 5.2

Try adding the type definition to the top of the policy module (just
after the "policy_module" line):

type rsync_log_t;
logging_log_file(rsync_log_t)

Paul.

>
> johnn
>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
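
Added example, not part of the original thread and not Paul's module (its .te file is not shown above): a minimal solr.te showing where the suggested type definition sits relative to the "policy_module" line and the rest of a module. The module version and the allow rules are assumptions chosen for illustration; the build steps in the trailing comments assume the selinux-policy-devel Makefile is installed.

```selinux
# solr.te (constructed example; module version and allow rules are assumptions)
policy_module(solr, 1.0.0)

# Local definition of the log type, placed directly after policy_module()
# as suggested in the reply above. Omit these two lines on a base policy
# that already defines rsync_log_t: a second declaration of the same type
# makes the module fail to link.
type rsync_log_t;
logging_log_file(rsync_log_t)

require {
	type rsync_t;
}

# Let rsyncd traverse /var/log (var_log_t) to reach /var/log/store.
logging_search_logs(rsync_t)

# solr.fc labels /var/log/store(/.*)? as rsync_log_t, so files created
# there inherit rsync_log_t from the directory and no type_transition
# rule on var_log_t is needed.
allow rsync_t rsync_log_t:dir { search getattr write add_name };
allow rsync_t rsync_log_t:file { create getattr append write };

# Build, load and relabel (run as root, with solr.te and solr.fc in the
# current directory):
#   make -f /usr/share/selinux/devel/Makefile solr.pp
#   semodule -i solr.pp
#   restorecon -R -v /var/log/store
```

With the type defined inside the module, the file context entry in solr.fc is loaded by semodule together with the type, so the separate "semanage fcontext" call that failed above is not needed.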