On Thu, 01 Jul 2010 23:53:42 +0100
Mr Dash Four <mr.dash.four(a)googlemail.com> wrote:
>> type=1400 audit(1277908958.656.4): avc: denied { read } for
>> pid=906 comm="rsyslogd" name="log" dev=dm-0 ino=16386
>> scontext=system_u:system_r:syslogd_t:s0
>> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
>>
>> There is a similar one with "mingetty" as well, but
>> scontext=system_u:system_r:getty_t:s0
>>
>
> This symlink is mislabeled. What/who created it? If you, yourself,
> created it, then you may be able to make things work by labeling the
> symlink type bin_t or type var_log_t, provided that the source of
> the interaction (in this case syslogd_t and getty_t) has access to
> the target of the symlink.
>
Up until yesterday I used this on the real partition and it worked.
Today, after deploying a new version I am getting the same errors
again in addition to another (similar) error during console login:
===from dmesg as /var/log/messages does not exist as access is denied===
type=1400 audit(1278020473.778:4): avc: denied { read }
for pid=914 comm="rsyslogd" name="log" dev=dm-0 ino=6188
scontext=system_u:system_r:syslogd_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=1400 audit(1278020487.171:22): avc: denied { read } for
pid=1007 comm="mingetty" name="log" dev=dm-0 ino=6188
scontext=system_u:system_r:getty_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=1400 audit(1278020566.762:38): avc: denied { read } for
pid=1007 comm="login" name="log" dev=dm-0 ino=6188
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
===================================================
Here is the layout of the files/directories in question:
ls -lasZ /var
~~~~~~~~
lrwxrwxrwx. root root system_u:object_r:var_log_t:s0 log -> /apps/var/log
ls -lasZ /apps
~~~~~~~~~
drwx--x--x. root root system_u:object_r:var_t:s0 var
ls -lasZ /apps/var
~~~~~~~~~~~~
drwx--x--x. root root system_u:object_r:var_t:s0 .
drwxr-xr-x. root root system_u:object_r:default_t:s0 ..
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 log
ls -lasZ /apps/var/log
~~~~~~~~~~~~~~
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 .
drwx--x--x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. root root system_u:object_r:var_log_t:s0 dmesg
drwxr-x---. exim exim system_u:object_r:default_t:s0 exim
-rw-rw-r--. root utmp system_u:object_r:wtmp_t:s0 wtmp
What am I doing wrong?!

Using bind mounts instead of symlinks will help.
Fix the context of /apps too:
# semanage fcontext -a -t root_t /apps
# restorecon -Fv /apps
And fix the context of /apps/var/log/*:
# semanage fcontext -a -e /var/log /apps/var/log
# restorecon -rvF /apps/var/log
Paul.
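The denials in this thread are all the same shape: a confined domain follows the /var/log symlink and is refused "read" on a lnk_file of a type it is not allowed to read through. The script below is an added example (not code from the thread or from the SELinux project): it parses AVC records, groups them by source type, target type, class and permission, pulls out the symlink-traversal denials, and emits the bind-mount plus file-context-equivalence plan Paul describes. The three sample records are the ones quoted above; the triage heuristic (read denied on lnk_file means a symlink is being followed) and the helper names are this example's own assumptions.

```python
"""Triage SELinux AVC denials such as the ones quoted in this thread.

Added example, not code from the thread. SAMPLE_AVCS holds the poster's
three records; the triage rules and helper names are assumptions.
"""
import re
from collections import Counter

# Constructed sample input: the three denials quoted in the post above.
SAMPLE_AVCS = """\
type=1400 audit(1278020473.778:4): avc: denied { read } for pid=914 comm="rsyslogd" name="log" dev=dm-0 ino=6188 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=1400 audit(1278020487.171:22): avc: denied { read } for pid=1007 comm="mingetty" name="log" dev=dm-0 ino=6188 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=1400 audit(1278020566.762:38): avc: denied { read } for pid=1007 comm="login" name="log" dev=dm-0 ino=6188 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a security context;
    # MLS ranges such as s0-s0:c0.c1023 come after it and are ignored here.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Count distinct (source type, target type, class, perms) tuples."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))
            counts[key] += 1
    return counts


def symlink_denials(text):
    """Records where a domain was refused 'read' on a symlink (tclass lnk_file).

    Assumed heuristic: such a denial means the domain followed a symlink whose
    label it may not read, which is exactly the case a bind mount avoids.
    Returns (comm, source type, link name, link type) tuples.
    """
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] == "lnk_file" and "read" in rec["perms"]:
            out.append((rec["comm"], rec["stype"], rec["name"], rec["ttype"]))
    return out


def remediation_plan(link_path, target_dir):
    """Commands to replace a symlink with a bind mount and make the target
    tree inherit the file contexts of the original path (the reply's advice,
    parameterised on the two paths; the fstab line is a standard bind entry).
    """
    return [
        f"semanage fcontext -a -e {link_path} {target_dir}",
        f"restorecon -RvF {target_dir}",
        f"rm {link_path} && mkdir {link_path}",
        f"mount --bind {target_dir} {link_path}",
        f"echo '{target_dir} {link_path} none bind 0 0' >> /etc/fstab",
    ]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AVCS).items()):
        print(n, *key)
    for comm, stype, name, ttype in symlink_denials(SAMPLE_AVCS):
        print(f"{comm} ({stype}) cannot read symlink '{name}' labeled {ttype}")
    print("\n".join(remediation_plan("/var/log", "/apps/var/log")))
```

Feed it `ausearch -m avc` output (or the dmesg lines, as the poster did) instead of the embedded sample to see which domains are tripping over the link; the summary line count is usually the quickest way to tell one mislabeled object from a broader policy gap.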