Daniel J Walsh wrote:
> Johnson, Richard wrote:
>> Daniel J Walsh wrote:
>>> The file libft_sra_alarm_server.log is being created on boot probably by
>>> an init script or by the executable. Since the parent directory is
>>> labeled var_log_t it gets that context. If you run restorecon the
>>> context will get set correctly.
>>>
>>> If all the files in this directory are supposed to be
>>> system_u:object_r:lsb-ft-asn_rw_t:s0
>>>
>>> Then you should label
>>>
>>> /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'
>>>
>>> If you need other files in that directory labeled differently you might
>>> want to move your log files to a subdir and label that one.
>>
>>
>> Yes this log (among others) is created by a daemon started from an init
>> script. I will investigate moving the logs to a sub-dir. But for
>> historical and support reasons I'd prefer to leave them where they are.
>> Is there a way for the daemon to create the files with the appropriate
>> label from the get-go?
>>
>>1. Write a policy for this daemon so that when it creates files in
>>directories labeled var_log_t, it transitions to the correct context

Ah. I'm halfway down this road with a candidate policy--which might be
how I got into this mess. But being new at it, I guess it's par for the
course. Back to the books and other docs...this time focusing on
transitions.

>>2. You could have the script create the log file and run restorecon on
>>it and then have your program open and write to it.
>>
>>3. You could make your application SELinux aware and ask the system how
>>the log file should be labeled and then call the selinux api to tell the
>>kernel to label it correctly.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
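Option 1 from the thread (a type transition for files the daemon creates in directories labeled var_log_t), sketched as a reference-policy module. This is an added example, not policy from the original messages or from the poster's candidate module. The module name `ft_alarmd` and the types `ft_alarmd_t` and `ft_alarmd_exec_t` are hypothetical; `lsb-ft-asn_rw_t` and `var_log_t` are the types named in the thread, and the example assumes the reference policy interfaces are available at build time.

```selinux
policy_module(ft_alarmd, 1.0.0)

# Hypothetical domain and entry-point types for the daemon that the
# init script starts. init_daemon_domain() sets up the transition from
# the init script's domain into ft_alarmd_t when the binary labeled
# ft_alarmd_exec_t is executed.
type ft_alarmd_t;
type ft_alarmd_exec_t;
init_daemon_domain(ft_alarmd_t, ft_alarmd_exec_t)

# Log file type named in the thread. Declared here on the assumption
# that no other loaded module already declares it.
type lsb-ft-asn_rw_t;
logging_log_file(lsb-ft-asn_rw_t)

# Allow the daemon to create, write and unlink its own log files.
manage_files_pattern(ft_alarmd_t, lsb-ft-asn_rw_t, lsb-ft-asn_rw_t)

# The type transition itself: a regular file created by ft_alarmd_t in
# a directory labeled var_log_t is labeled lsb-ft-asn_rw_t at creation
# time instead of inheriting var_log_t from the parent directory.
logging_log_filetrans(ft_alarmd_t, lsb-ft-asn_rw_t, file)
```

The transition applies to every regular file this domain creates in any var_log_t directory, and only at creation time, so log files that already exist with the wrong label still need restorecon once.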