>> What am I doing wrong?!
>>
>
> A few things look wrong to me:
>
> $ sesearch --allow -SC -s syslogd_t -t var_log_t -c lnk_file
> This returns no matches.
>
> 2. Unrelated to the above AVC denial but sure to also cause issues is
> the mislabelling of /apps/var/log/exim. This directory is labelled with
> a type reserved for locations unknown to SELinux.
>
> It means that SELinux currently has no file context specification for
> this location:
>
> >> $ matchpathcon /apps/var/log/exim
> >> /apps/var/log/exim system_u:object_r:default_t:s0
> >>
>
> In Fedora 13 there is an option for the semanage command called
> equivalence. This option can be used to clone a file context specification.
>
> In "man semanage" there is an example that should apply to your
> configuration:
>
> >> For home directories under top level directory, for example /disk6/home,
> >> execute the following commands.
> >> # semanage fcontext -a -t home_root_t "/disk6"
> >> # semanage fcontext -a -e /home /disk6/home
> >> # restorecon -R -v /disk6
> >>
>
> Translating the above to your scenario would look like this:
>
> sudo semanage fcontext -a -t root_t "/apps"
> sudo semanage fcontext -a -e /var /apps/var
> sudo restorecon -R -v /apps
>
> If you make sure to use similar locations in /apps as the usual /var,
> then stuff should get labelled properly.
>

I did just that - restorecon from /apps (recursive) seemed to restore all permissions in that directory once I used mount (--bind) to bind /apps/var/log to /var/log. 2 of the alerts are now gone, though I am still getting one when I log in to the console:

kernel: type=1400 audit(1278074918.050:4): avc: denied { write } for pid=1557 comm="login" name="log" dev=sdc ino=16386 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

> This will not fix your "read var_log_t lnk_file" issue though. I would
> probably try labelling the symlink type bin_t, and see if that works.
>

I have just discovered this 'magical' type. I use xtunnels (voip proxy) and was worried that I would need to define a whole new policy for it (it 'binds' to one particular port, but then uses a whole range of random ports 1024-65535 to connect externally) - I was dreading it, but when I started it, it did bind to the port (no alerts!) and later on I discovered that it has a "bin_t" type. Interesting!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
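The thread turns on reading an AVC denial correctly: whether the target carries a real type (so the question is what the policy allows, which is what the sesearch query in the reply checks) or the catch-all default_t (so the question is a missing file context specification, which is what matchpathcon plus semanage fcontext and restorecon address). The following added example is not code from the list thread or from the SELinux project; it is a small Python parser that splits audit AVC lines into their fields and sorts each denial into one of those two buckets, with the line from the message above plus one constructed default_t denial as sample input. The exim_t source type, the pid and inode in the constructed line are assumptions used only for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Denial line quoted in the message above, and one constructed line
# (assumed pid/ino, assumed exim_t source) for a target that still carries
# the catch-all default_t type that matchpathcon reported for /apps/var/log/exim.
SAMPLE_LINES = [
    'kernel: type=1400 audit(1278074918.050:4): avc: denied { write } for pid=1557 '
    'comm="login" name="log" dev=sdc ino=16386 '
    'scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
    # constructed sample, not from the thread
    'kernel: type=1400 audit(1278074918.051:5): avc: denied { read } for pid=4242 '
    'comm="exim" name="exim" dev=sdc ino=99999 '
    'scontext=system_u:system_r:exim_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
]

# Types that mean "no file context specification matched this path".
UNLABELLED_TYPES = {"default_t", "unlabeled_t"}

_PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# key=value pairs; values are either "quoted" or a bare non-space token
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]
    fields: Dict[str, str]

    @property
    def scontext_type(self) -> str:
        # user:role:type:range -> the type is the third component
        return self.fields["scontext"].split(":")[2]

    @property
    def tcontext_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one kernel/audit AVC line; return None if it is not a denial."""
    m = _PERMS_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields: Dict[str, str] = {}
    # Only scan the part after the permission set so "type=1400" is skipped.
    for key, raw, quoted in _KV_RE.findall(line[m.end():]):
        fields[key] = quoted if raw.startswith('"') else raw
    return AvcDenial(perms, fields)


def triage(d: AvcDenial) -> Dict[str, object]:
    """Decide whether a denial is a labelling problem or a policy question."""
    if d.tcontext_type in UNLABELLED_TYPES:
        return {
            "verdict": "unlabelled",
            "checks": [
                "matchpathcon <path>   # confirm no fcontext spec matches",
                "semanage fcontext -a -e <existing-root> <new-root>; restorecon -R -v <new-root>",
            ],
        }
    # Target has a real type: ask the policy whether the access is permitted.
    checks = [
        "sesearch --allow -s {} -t {} -c {} -p {}".format(
            d.scontext_type, d.tcontext_type, d.fields["tclass"], perm
        )
        for perm in d.perms
    ]
    return {"verdict": "policy", "checks": checks}


def triage_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse and triage every denial in a list of log lines."""
    results = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        r = triage(d)
        r.update(
            comm=d.fields.get("comm", "?"),
            source=d.scontext_type,
            target=d.tcontext_type,
            tclass=d.fields.get("tclass", "?"),
            perms=d.perms,
        )
        results.append(r)
    return results


if __name__ == "__main__":
    for r in triage_lines(SAMPLE_LINES):
        print("{comm}: {source} -> {target} ({tclass} {perms}) : {verdict}".format(**r))
        for c in r["checks"]:
            print("    ", c)
```

The first sample line is sorted as a policy question (var_log_t is a real log type, so sesearch on local_login_t against var_log_t dir write is the right next step), while the constructed default_t line is sorted as a labelling problem, which is exactly the matchpathcon / semanage fcontext -e / restorecon route the reply describes.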