Johnson, Richard wrote:
> I'm not sure, but I think I'm hitting a precedence issue which is
> causing files to be relabeled on boot. The symptom is:
>
> root@lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
> root@lstlinux57 13:32:28 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/libft_sra_alarm_server.log
> root@lstlinux57 13:32:36 ~> init 6
> root@lstlinux57 13:32:40 ~> logout
>
> Connection to 134.111.82.122 closed.
> bash-3.1$ ssh 134.111.82.122 -l root
> root@xxxxxxxxxxxxxx's password:
> Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
> root@lstlinux57 13:39:22 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
> -rw------- root root system_u:object_r:var_log_t /var/opt/ft/log/libft_sra_alarm_server.log
> root@lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
> root@lstlinux57 13:39:45 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/libft_sra_alarm_server.log
>
>
> The situation is a standard RHEL5.2 with all errata applied; plus the
> following modifications
>
> I have a local policy modification introduced by one rpm:
>
> /usr/sbin/semanage fcontext -a -t var_log_t -s system_u '/var/opt/ft/log'
>
> And a separate policy module containing:
>
> /var/opt/ft/log/libft_.* -- gen_context(system_u:object_r:lsb-ft-asn_rw_t,s0)
>
> The net result is:
>
> root@lstlinux57 14:56:56 ~> semanage fcontext -l | grep '/opt/ft'
>
> /var/opt/ft/asn(/.*)?                    all files     system_u:object_r:lsb-ft-asn_rw_t:s0
> /var/opt/ft/log/libft_.*                 regular file  system_u:object_r:lsb-ft-asn_rw_t:s0
> /opt/ft/sbin/sra_alarm                   regular file  system_u:object_r:lsb-ft-asn_exec_t:s0
> /etc/opt/ft/asn/sra_ppp/ASN_CallHome     regular file  system_u:object_r:lsb-ft-asn_script_t:s0
> /etc/opt/ft/asn/sra_ppp/SetUPCallHome    regular file  system_u:object_r:lsb-ft-asn_script_t:s0
> /var/opt/ft/log                          all files     system_u:object_r:var_log_t:s0
> /var/opt/ft/log/snmpd\.log               all files     system_u:object_r:snmpd_log_t:s0
>
> I suspect that the problem lies with the ordering of those
> '/var/opt/ft/log' lines. Am I on the right track? How can I sort
> things out?
>
> Thx,
> --rich
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The file libft_sra_alarm_server.log is being created on boot probably by
an init script or by the executable. Since the parent directory is
labeled var_log_t it gets that context. If you run restorecon the
context will get set correctly.

If all the files in this directory are supposed to be
system_u:object_r:lsb-ft-asn_rw_t:s0, then you should label

/usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'

If you need other files in that directory labeled differently you might
want to move your log files to a subdir and label that one.
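
Added example, not part of the original thread: a small Python model of the two mechanisms discussed above, using the specs from the `semanage fcontext -l` listing. It shows that the log file matches only the `libft_.*` spec (file-context regexes must match the whole path, so `/var/opt/ft/log` covers just the directory), while a file created at boot takes its parent directory's type. The function names and the `OBSERVED` sample are constructed for illustration, and the model assumes no type_transition rule applies to the creating process.

```python
import re

# Specs from the thread's `semanage fcontext -l` output: (regex, class, type).
# class "all" = all files, "file" = regular file.
SPECS = [
    (r"/var/opt/ft/asn(/.*)?", "all", "lsb-ft-asn_rw_t"),
    (r"/var/opt/ft/log/libft_.*", "file", "lsb-ft-asn_rw_t"),
    (r"/var/opt/ft/log", "all", "var_log_t"),
    (r"/var/opt/ft/log/snmpd\.log", "all", "snmpd_log_t"),
]

def matching_specs(path, fclass):
    """Specs that apply to path; as in libselinux, the regex must match the whole path."""
    return [(rx, t) for rx, cls, t in SPECS
            if cls in ("all", fclass) and re.fullmatch(rx, path)]

def creation_type(parent_type):
    """Assumption: no type_transition rule, so a new file inherits the parent's type."""
    return parent_type

def audit(observed):
    """observed: {path: (class, current type)} -> [(path, current, expected)] mismatches."""
    drift = []
    for path, (fclass, current) in sorted(observed.items()):
        matches = matching_specs(path, fclass)
        if len(matches) != 1:  # none or several: precedence is outside this model
            continue
        expected = matches[0][1]
        if current != expected:
            drift.append((path, current, expected))
    return drift

# Constructed state after a reboot: the daemon recreated its log inside a
# var_log_t directory before any relabel ran.
LOG_DIR_TYPE = "var_log_t"
OBSERVED = {
    "/var/opt/ft/log": ("dir", LOG_DIR_TYPE),
    "/var/opt/ft/log/libft_sra_alarm_server.log": ("file", creation_type(LOG_DIR_TYPE)),
    "/var/opt/ft/log/snmpd.log": ("file", "snmpd_log_t"),
}

if __name__ == "__main__":
    for path, current, expected in audit(OBSERVED):
        print(f"{path}: has {current}, restorecon would set {expected}")
```

On a live system the same comparison is what `matchpathcon -V <path>` reports for a single file.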