On Thu, 01 Jul 2010 23:53:42 +0100 Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> wrote:

> >> type=1400 audit(1277908958.656.4): avc: denied { read } for
> >> pid=906 comm="rsyslogd" name="log" dev=dm-0 ino=16386
> >> scontext=system_u:system_r:syslogd_t:s0
> >> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
> >>
> >> There is a similar one with "mingetty" as well, but
> >> scontext=system_u:system_r:getty_t:s0
> >>
> >
> > This symlink is mislabeled. What/who created it? If you, yourself,
> > created it, then you may be able to make things work by labeling the
> > symlink type bin_t or type var_log_t, provided that the source of
> > the interaction (in this case syslogd_t and getty_t) have access to
> > the target of the symlink.
> >
> Up until yesterday I used this on the real partition and it worked.
> Today, after deploying a new version I am getting the same errors
> again in addition to another (similar) error during console login:
>
> ===from dmesg as /var/log/messages does not exist as access is denied===
> type=1400 audit(1278020473.778:4): avc: denied { read } for pid=914 comm="rsyslogd" name="log" dev=dm-0 ino=6188 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
> type=1400 audit(1278020487.171:22): avc: denied { read } for pid=1007 comm="mingetty" name="log" dev=dm-0 ino=6188 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
> type=1400 audit(1278020566.762:38): avc: denied { read } for pid=1007 comm="login" name="log" dev=dm-0 ino=6188 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
> ===================================================
>
> Here is the layout of the files/directories in question:
>
> ls -lasZ /var
> ~~~~~~~~
> lrwxrwxrwx. root root system_u:object_r:var_log_t:s0 log -> /apps/var/log
>
> ls -lasZ /apps
> ~~~~~~~~~
> drwx--x--x. root root system_u:object_r:var_t:s0 var
>
> ls -lasZ /apps/var
> ~~~~~~~~~~~~
> drwx--x--x. root root system_u:object_r:var_t:s0 .
> drwxr-xr-x. root root system_u:object_r:default_t:s0 ..
> drwxr-xr-x. root root system_u:object_r:var_log_t:s0 log
>
> ls -lasZ /apps/var/log
> ~~~~~~~~~~~~~~
> drwxr-xr-x. root root system_u:object_r:var_log_t:s0 .
> drwx--x--x. root root system_u:object_r:var_t:s0 ..
> -rw-r--r--. root root system_u:object_r:var_log_t:s0 dmesg
> drwxr-x---. exim exim system_u:object_r:default_t:s0 exim
> -rw-rw-r--. root utmp system_u:object_r:wtmp_t:s0 wtmp
>
> What am I doing wrong?!

Using bind mounts instead of symlinks will help.

Fix the context of /apps too:

# semanage fcontext -a -t root_t /apps
# restorecon -Fv /apps

And fix the context of /apps/var/log/*:

# semanage fcontext -a -e /var/log /apps/var/log
# restorecon -rvF /apps/var/log

Paul.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
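As an added illustration (not part of the thread), the Python below models what the two fcontext rules in Paul's reply do to the listing quoted above: the equivalence entry rewrites paths under /apps/var/log to /var/log before rule matching, and restorecon then relabels whatever differs. The file-context rules are a constructed subset in the style of file_contexts, not the real policy file, and the exim_log_t entry for /var/log/exim is an assumption.

```python
import re

# Constructed subset of SELinux file-context specs (regex, type), in the
# style of file_contexts. Not the real policy file; the exim_log_t
# entry is an assumption. The /apps entry comes from the reply:
#   semanage fcontext -a -t root_t /apps
FCONTEXT_RULES = [
    (r"/.*", "default_t"),
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/var/log/wtmp.*", "wtmp_t"),
    (r"/var/log/exim(/.*)?", "exim_log_t"),
    (r"/apps", "root_t"),
]

# Path equivalence from: semanage fcontext -a -e /var/log /apps/var/log
# (a "/apps/var/log /var/log" line in file_contexts.subs_dist).
SUBSTITUTIONS = [("/apps/var/log", "/var/log")]


def substitute(path: str) -> str:
    """Rewrite a path through the equivalence table before rule matching."""
    for prefix, target in SUBSTITUTIONS:
        if path == prefix or path.startswith(prefix + "/"):
            return target + path[len(prefix):]
    return path


def expected_type(path: str) -> str:
    """Type the rules assign to path. The most specific (longest) matching
    regex wins, approximating how setfiles/restorecon choose a spec."""
    canonical = substitute(path)
    matches = [(len(rx), t) for rx, t in FCONTEXT_RULES
               if re.fullmatch(rx, canonical)]
    return max(matches, key=lambda m: m[0])[1]  # "/.*" always matches


# Observed labels, transcribed from the ls -lasZ output in the thread.
OBSERVED = {
    "/apps": "var_t",
    "/apps/var/log": "var_log_t",
    "/apps/var/log/dmesg": "var_log_t",
    "/apps/var/log/exim": "default_t",
    "/apps/var/log/wtmp": "wtmp_t",
}


def relabel_plan(observed: dict) -> dict:
    """Paths restorecon would change, mapped to (current, expected) type."""
    return {p: (cur, expected_type(p)) for p, cur in observed.items()
            if expected_type(p) != cur}


if __name__ == "__main__":
    for path, (cur, exp) in relabel_plan(OBSERVED).items():
        print(f"{path}: {cur} -> {exp}")
```

Run against the transcribed listing, it reports only /apps (var_t to root_t) and /apps/var/log/exim (default_t to exim_log_t) as entries restorecon would change; the wtmp file keeps wtmp_t because the equivalence carries the more specific /var/log/wtmp rule across.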