Daniel J Walsh wrote:
Johnson, Richard wrote:
> Daniel J Walsh wrote:
>> The file libft_sra_alarm_server.log is being created on boot probably by
>> an init script or by the executable. Since the parent directory is
>> labeled var_log_t it gets that context. If you run restorecon the
>> context will get set correctly.
>>
>> If all the files in this directory are supposed to be
>> system_u:object_r:lsb-ft-asn_rw_t:s0
>>
>> Then you should label
>>
>> /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'
>>
>> If you need other files in that directory labeled differently you might
>> want to move your log files to a subdir and label that one.
>
>
> Yes this log (among others) is created by a daemon started from an init
> script. I will investigate moving the logs to a sub-dir. But for
> historical and support reasons I'd prefer to leave them where they are.
> Is there a way for the daemon to create the files with the appropriate
> label from the get-go?
>
>1. Write a policy for this daemon so that when it creates files in
>directories labeled var_log_t, it transitions to the correct context
Ah. I'm halfway down this road with a candidate policy--which might
be how I got into this mess. But being new at it, I guess it's par for
the course. Back to the books and other docs...this time focusing on
transitions.
>2. You could have the script create the log file and run restorecon on
>it and then have your program open and write to it.
>
>3. You could make your application SELinux aware and ask the system how
>the log file should be labeled and then call the selinux api to tell the
>kernel to label it correctly.
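
Option 1 above written out as a loadable policy module. This is an added example, not part of the original thread and not the poster's candidate policy. The module name `ft_alarm_log` and the daemon domain `ft_alarm_t` are hypothetical placeholders; `var_log_t` and `lsb-ft-asn_rw_t` are the types named in the thread.

```selinux
# ft_alarm_log.te: added example; module name and ft_alarm_t are hypothetical.
module ft_alarm_log 1.0;

require {
	type ft_alarm_t;        # hypothetical: the domain the daemon runs in
	type var_log_t;         # label of /var/opt/ft/log, per the thread
	type lsb-ft-asn_rw_t;   # label the log files should carry, per the thread
	class dir { search write add_name };
	class file { create open getattr append write };
}

# Default label: a file that ft_alarm_t creates inside a var_log_t
# directory gets lsb-ft-asn_rw_t instead of inheriting var_log_t.
type_transition ft_alarm_t var_log_t:file lsb-ft-asn_rw_t;

# type_transition only picks the label; access still needs allow rules.
# Adding an entry to the parent directory:
allow ft_alarm_t var_log_t:dir { search write add_name };
# Creating and writing the file under its new type:
allow ft_alarm_t lsb-ft-asn_rw_t:file { create open getattr append write };

# Build and load:
#   checkmodule -M -m -o ft_alarm_log.mod ft_alarm_log.te
#   semodule_package -o ft_alarm_log.pp -m ft_alarm_log.mod
#   semodule -i ft_alarm_log.pp
# Files that already exist keep their old label; run restorecon on them once.
```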