Daniel J Walsh wrote:
>Johnson, Richard wrote:
>> I'm not sure, but I think I'm hitting a precedence issue which is
>> causing files to be relabeled on boot. The symptom is:
>>
>> root@lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
>> root@lstlinux57 13:32:28 ~> ls -lZ
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> root@lstlinux57 13:32:36 ~> init 6
>> root@lstlinux57 13:32:40 ~> logout
>>
>> Connection to 134.111.82.122 closed.
>> bash-3.1$ ssh 134.111.82.122 -l root
>> root@xxxxxxxxxxxxxx's password:
>> Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
>> root@lstlinux57 13:39:22 ~> ls -l
>>/var/opt/ft/log/libft_sra_alarm_server.log
>> -rw------- root root system_u:object_r:var_log_t
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> root@lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
>> root@lstlinux57 13:39:45 ~> ls -lZ
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t
>> /var/opt/ft/log/libft_sra_alarm_server.log
>>
>>
>> The situation is a standard RHEL5.2 with all errata applied; plus the
[...snip for brevity...]
>
>The file libft_sra_alarm_server.log is being created on boot probably by
>an init script or by the executable. Since the parent directory is
>labeled var_log_t it gets that context. If you run restorecon the
>context will get set correctly.
>
>If all the files in this directory are supposed to be
>system_u:object_r:lsb-ft-asn_rw_t:s0
>
>Then you should label
>
> /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u
>'/var/opt/ft/log(/.*)'
>
>If you need other files in that directory labeled differently you might
>want to move your log files to a subdir and label that one.

Yes this log (among others) is created by a daemon started from an init
script. I will investigate moving the logs to a sub-dir. But for
historical and support reasons I'd prefer to leave them where they are.
Is there a way for the daemon to create the files with the appropriate
label from the get-go?

--rich
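An added example, not part of the original thread: a post-boot check that parses `ls -lZ` output in the layout shown above and reports files that still carry the type inherited from the parent directory. The sample listing is constructed; the pattern and type are copied from the quoted semanage command, and because file-context patterns are matched against the whole path, the pattern as quoted covers entries below the directory but not the directory itself.

```python
import re

# Pattern and expected type copied from the semanage command quoted in the thread.
EXPECTED_TYPE = "lsb-ft-asn_rw_t"
FCONTEXT_PATTERN = r"/var/opt/ft/log(/.*)"

# Constructed sample: `ls -lZ` lines in the RHEL 5 layout shown in the thread.
# example_other.log is a hypothetical file name used only for illustration.
SAMPLE_LS_Z = """\
drwxr-xr-x root root system_u:object_r:var_log_t /var/opt/ft/log
-rw------- root root system_u:object_r:var_log_t /var/opt/ft/log/libft_sra_alarm_server.log
-rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/example_other.log
-rw-r--r-- root root system_u:object_r:var_log_t /var/log/messages
"""


def pattern_covers(pattern, path):
    """File-context patterns must match the entire path, hence fullmatch."""
    return re.fullmatch(pattern, path) is not None


def parse_ls_z(text):
    """Yield (path, selinux_type) from lines of: mode user group context path."""
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[3].count(":") < 2:
            continue  # skip blank lines, "total N", and lines without a context
        # A context is user:role:type[:level]; the type is the third component.
        yield fields[4], fields[3].split(":")[2]


def find_mislabeled(text, pattern=FCONTEXT_PATTERN, expected=EXPECTED_TYPE):
    """Return (path, current_type) for covered paths whose type is not the expected one."""
    return [(path, setype) for path, setype in parse_ls_z(text)
            if pattern_covers(pattern, path) and setype != expected]


if __name__ == "__main__":
    for path, setype in find_mislabeled(SAMPLE_LS_Z):
        print(f"{path}: has {setype}, expected {EXPECTED_TYPE}")
    print("pattern covers the directory itself:",
          pattern_covers(FCONTEXT_PATTERN, "/var/opt/ft/log"))
```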