bind-chroot selinux problems on log file

Paul Howarth paul at city-fan.org
Wed Apr 25 13:12:02 UTC 2007


Thomas Vander Stichele wrote:
> I want to take this particular bug as a way of figuring out how to "fix"
> bugs and provide patches.
> 
> On FC5, with bind-chroot installed, /var/named/chroot/var/log is labeled
> as
>    S_Context: system_u:object_r:named_conf_t
> 
> This causes audit messages like:
> audit(1177506082.955:23904): avc:  denied  { getattr } for  pid=2781
> comm="named" name="debug.log" dev=dm-0 ino=2850829
> scontext=root:system_r:named_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=file
> 
> and the log files aren't being written to.
> 
> When I manually change files:
>   chcon -R system_u:object_r:var_log_t log/
> 
> it works.
> 
> Of course, a restorecon resets to named_conf_t.
> 
> Is the best way to fix this, straight in the selinux source policy ? Or
> should I create an add-on .te and load it to override ?

Or you could do:

# semanage fcontext -a -t var_log_t '/var/named/chroot/var/log(/.*)?'
# restorecon -Rv /var/named/chroot/var/log

That would survive a policy update, a relabel, etc.

Paul.
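An added example, not part of Paul's reply or of any bind or SELinux package: a small POSIX sh script that wraps the two commands above so they can be reviewed as a dry run, applied only where semanage exists, and verified afterwards. The path and type (`/var/named/chroot/var/log`, `var_log_t`) are the ones from the thread; the helper names (`fc_matches`, `fc_commands`, `fc_apply`, `fc_verify`) are assumptions of this example. The `fc_matches` helper exists because semanage fcontext regexes are matched against the whole path, so a pattern of `/var/named/chroot/var/log(/.*)?` covers the directory and everything beneath it but not a sibling such as `/var/named/chroot/var/logs`; checking that offline before touching the policy store avoids a mislabelled tree.

```shell
#!/bin/sh
# Added example (not from the original post or any project code).
# Apply and check the fcontext rule suggested in the thread for the
# bind-chroot log directory. Helper names below are this example's own.

CHROOT_LOG='/var/named/chroot/var/log'          # path from the thread
FC_REGEX="${CHROOT_LOG}(/.*)?"                  # same pattern as the semanage line
WANT_TYPE='var_log_t'                           # type named in the thread

# Does a path fall under the fcontext regex?  semanage matches its
# regexes against the full path, so emulate that with grep -E and ^...$.
fc_matches() {
    # $1 = path to test; returns 0 when the rule would label it
    printf '%s\n' "$1" | grep -Eq "^${FC_REGEX}"'$'
}

# Dry run: print exactly what would be executed so it can be reviewed.
fc_commands() {
    printf "semanage fcontext -a -t %s '%s'\n" "$WANT_TYPE" "$FC_REGEX"
    printf "restorecon -Rv %s\n" "$CHROOT_LOG"
}

# Real run on an SELinux host; refuses politely where semanage is absent.
fc_apply() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 2; }
    semanage fcontext -a -t "$WANT_TYPE" "$FC_REGEX" && restorecon -Rv "$CHROOT_LOG"
}

# After restorecon, the directory's on-disk type (as ls -Z shows it)
# should be the wanted one; returns non-zero otherwise or if it is missing.
fc_verify() {
    ls -Zd "$CHROOT_LOG" 2>/dev/null | grep -q "$WANT_TYPE"
}

# Typical use on a real host: fc_commands; fc_apply && fc_verify && echo ok
```

On the host, run `fc_commands` first, then `fc_apply` as root and confirm with `fc_verify` (or `ls -Z /var/named/chroot/var/log`) that `named` can now write its logs. The rule lives in the local policy store, which is why it outlasts a policy update or a full relabel, unlike a one-off `chcon`.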