Paul Howarth wrote:
On Mon, 07 Jul 2008 13:01:55 -0400
Johnny Tan <linuxweb(a)gmail.com> wrote:
> Johnny Tan wrote:
>> I'm stumped.
>>
>> I run a Java app called Solr, which does search indexing. My solr
>> server creates the index, then I have a bunch of solr clients that
>> rsync that index over.
>>
>> The rsync itself is fine, that works. The problem is it won't write
>> to the appropriate logfile, which is:
>> /opt/solr/logs/rsyncd.log
>>
>> /opt/solr/logs is a symlink to /var/log/store.
> A little bit more information that might help solve this...
>
> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs
> (which basically starts rsyncd), then rsyncd can write to
> /opt/solr/logs/rsyncd.log with no problems.
>
> If I put the symlink back in (to /var/log/store), then it
> fails (again, with no AVC messages).
>
> The only difference I can see between /opt/solr/logs (as a
> directory) and /var/log/store is the default contexts: for
> /opt/solr/logs, it's root:object_r:usr_t; for /var/log/store,
> it's root:object_r:var_log_t.
>
> When I put the symlink back, I tried changing the context of
> /var/log/store to root:object_r:usr_t to match
> /opt/solr/logs, but that doesn't seem to make a difference.
>
> Max, a list member, suggested offline that it might have to
> do with type_transition, which does seem to make sense.
>
> I tried both:
> type_transition rsync_t var_log_t : file rsync_log_t;
> and
> type_transition rsync_t var_log_t : file usr_t;
>
> But neither worked (I have all the appropriate allows for
> those contexts).
>
>
> Am I going down the right path here (type_transition)? Or
> does anyone else have a suggestion in terms of how the
> symlink can be used?
Can you try this policy module:
::::::::::::::
solr.fc
::::::::::::::
/var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)
==
# semanage fcontext -a -t rsync_log_t "/var/log/store(/.*)?"
libsepol.context_from_record: type rsync_log_t is not defined
libsepol.context_from_record: could not create context structure
libsemanage.validate_handler: invalid context system_u:object_r:rsync_log_t:s0 specified for /var/log/store(/.*)? [all files]
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not add file context for /var/log/store(/.*)?
==

It seems rsync_log_t is not defined. Can I somehow do this
without having rsync_log_t?

It works fine when I don't use a symlink, so I assume
rsync_log_t is not necessary for this to work.

But I need the symlink because I need the files to be stored
in /var/log/store, as opposed to /opt/solr/logs.

johnn