On Mon, 07 Jul 2008 13:01:55 -0400 Johnny Tan linuxweb@gmail.com wrote:
Johnny Tan wrote:
I'm stumped.
I run a Java app called Solr, which does search indexing. My solr server creates the index, then I have a bunch of solr clients that rsync that index over.
The rsync itself is fine, that works. The problem is it won't write to the appropriate logfile, which is: /opt/solr/logs/rsyncd.log
/opt/solr/logs is a symlink to /var/log/store.
A little bit more information that might help solve this...
If I remove the symlink, and /opt/solr/bin/rsyncd-start runs (which basically starts rsyncd), then rsyncd can write to /opt/solr/logs/rsyncd.log with no problems.
If I put the symlink back in (to /var/log/store), then it fails (again, with no AVC messages).
The only difference I can see between /opt/solr/logs (as a directory) and /var/log/store is the default contexts: for /opt/solr/logs it's root:object_r:usr_t, and for /var/log/store it's root:object_r:var_log_t.
When I put the symlink back, I tried changing the context of /var/log/store to root:object_r:usr_t to match /opt/solr/logs, but that doesn't seem to make a difference.
Max, a list member, suggested offline that it might have to do with type_transition, which does seem to make sense.
I tried both:

    type_transition rsync_t var_log_t : file rsync_log_t;

and

    type_transition rsync_t var_log_t : file usr_t;

But neither worked (I have all the appropriate allows for those contexts).
Am I going down the right path here (type_transition)? Or does anyone else have a suggestion in terms of how the symlink can be used?
Can you try this policy module:
::::::::::::::
solr.fc
::::::::::::::
/var/log/store(/.*)?    gen_context(system_u:object_r:rsync_log_t,s0)

::::::::::::::
solr.te
::::::::::::::
policy_module(solr, 0.0.1)

# ======================================================
# Declarations
# ======================================================

require {
    type rsync_t;
    type rsync_log_t;
}

# ======================================================
# Solr local policy
# ======================================================

logging_log_file(rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, { file dir })

Followed by:

# restorecon -rv /var/log/store

See if that helps.
Paul.