Johnson, Richard wrote:
>
> Daniel J Walsh wrote:
>> Johnson, Richard wrote:
>>> I'm not sure, but I think I'm hitting a precedence issue which is
>>> causing files to be relabeled on boot. The symptom is:
>>>
>>> root@lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
>>> root@lstlinux57 13:32:28 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
>>> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/libft_sra_alarm_server.log
>>> root@lstlinux57 13:32:36 ~> init 6
>>> root@lstlinux57 13:32:40 ~> logout
>>>
>>> Connection to 134.111.82.122 closed.
>>> bash-3.1$ ssh 134.111.82.122 -l root
>>> root@xxxxxxxxxxxxxx's password:
>>> Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
>>> root@lstlinux57 13:39:22 ~> ls -l /var/opt/ft/log/libft_sra_alarm_server.log
>>> -rw------- root root system_u:object_r:var_log_t /var/opt/ft/log/libft_sra_alarm_server.log
>>> root@lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
>>> root@lstlinux57 13:39:45 ~> ls -lZ /var/opt/ft/log/libft_sra_alarm_server.log
>>> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/libft_sra_alarm_server.log
>>>
>>> The situation is a standard RHEL5.2 with all errata applied; plus the
> [...snip for brevity...]
>> The file libft_sra_alarm_server.log is being created on boot probably by
>> an init script or by the executable. Since the parent directory is
>> labeled var_log_t it gets that context. If you run restorecon the
>> context will get set correctly.
>>
>> If all the files in this directory are supposed to be
>> system_u:object_r:lsb-ft-asn_rw_t:s0
>>
>> Then you should label
>>
>> /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'
>>
>> If you need other files in that directory labeled differently you might
>> want to move your log files to a subdir and label that one.
>
> Yes this log (among others) is created by a daemon started from an init
> script. I will investigate moving the logs to a sub-dir. But for
> historical and support reasons I'd prefer to leave them where they are.
> Is there a way for the daemon to create the files with the appropriate
> label from the get-go?
>
> --rich

Yes, you have three choices.

1. Write a policy for this daemon so that when it creates files in directories labeled var_log_t, it transitions to the correct context.
2. You could have the script create the log file and run restorecon on it and then have your program open and write to it.
3. You could make your application SELinux aware and ask the system how the log file should be labeled and then call the selinux api to tell the kernel to label it correctly.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
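As an added illustration of choice 1 above (example policy, not something posted in the thread), here is a minimal refpolicy-style module that makes the daemon's domain create its logs under a var_log_t directory directly as lsb-ft-asn_rw_t. The domain name ft_daemon_t is assumed; lsb-ft-asn_rw_t is the type shown in the `ls -lZ` output.

```selinux
# ftlog_filetrans.te  (added example, not from the thread)
# Assumptions, labelled as such:
#   - the daemon runs in its own domain, called ft_daemon_t here (hypothetical;
#     check the real one with `ps -eZ`).  A daemon with no domain of its own
#     stays in initrc_t after the init script starts it, and a transition on
#     initrc_t would relabel every log that every init script creates, so in
#     that case a proper domain has to be written first.
#   - lsb-ft-asn_rw_t already exists, as the `ls -lZ` output in the thread shows.
policy_module(ftlog_filetrans, 1.0)

gen_require(`
    type ft_daemon_t;
    type lsb-ft-asn_rw_t;
')

# Choice 1 from the reply: files that ft_daemon_t creates inside a
# var_log_t directory are born as lsb-ft-asn_rw_t instead of inheriting
# var_log_t from /var/opt/ft/log.  logging_log_filetrans() is the refpolicy
# interface that expands to the type_transition rule on var_log_t and grants
# the directory permissions needed to create the entry.
logging_log_filetrans(ft_daemon_t, lsb-ft-asn_rw_t, file)

# The transition only chooses the label; the daemon still needs the usual
# file permissions on the new type.
allow ft_daemon_t lsb-ft-asn_rw_t:file { create open read write append getattr setattr };

# Build and load on RHEL5 with selinux-policy-devel installed:
#   make -f /usr/share/selinux/devel/Makefile ftlog_filetrans.pp
#   semodule -i ftlog_filetrans.pp
# Keep the semanage fcontext rule from the reply as well: the transition only
# affects files created after the module is loaded, and the fcontext entry is
# what lets restorecon agree with it for files that already exist.
```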