bloody links!

Mr Dash Four mr.dash.four at googlemail.com
Thu Jul 1 22:53:42 UTC 2010 

>> type=1400 audit(1277908958.656.4): avc: denied  { read } for pid=906
>> comm="rsyslogd" name="log" dev=dm-0 ino=16386
>> scontext=system_u:system_r:syslogd_t:s0
>> tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
>>
>> There is a similar one with "mingetty" as well, but
>> scontext=system_u:system_r:getty_t:s0
>>     
>
> This symlink is mislabeled. What/who created it? if you , yourself
> created it, then you may be able to make things work by labeling the
> symlink type bin_t or type var_log_t, provided that the source of the
> interaction (in this case syslogd_t and getty_t) have access to the
> target of the symlink.
>   
Up until yesterday I used this on the real partition and it worked. 
Today, after deploying a new version I am getting the same errors again 
in addition to another (similar) error during console login:

===from dmesg as /var/log/messages does not exist as access is denied===
type=1400 audit(1278020473.778:4): avc:  denied  { read } for  pid=914 
comm="rsyslogd" name="log" dev=dm-0 ino=6188 
scontext=system_u:system_r:syslogd_t:s0 
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=1400 audit(1278020487.171:22): avc:  denied  { read } for  pid=1007 
comm="mingetty" name="log" dev=dm-0 ino=6188 
scontext=system_u:system_r:getty_t:s0 
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
type=1400 audit(1278020566.762:38): avc:  denied  { read } for  pid=1007 
comm="login" name="log" dev=dm-0 ino=6188 
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file
===================================================


here is the layout of the files/directories in question:

ls -lasZ /var
~~~~~~~~
lrwxrwxrwx. root root system_u:object_r:var_log_t:s0   log -> /apps/var/log

ls -lasZ /apps
~~~~~~~~~
drwx--x--x. root    root    system_u:object_r:var_t:s0       var

ls -lasZ /apps/var
~~~~~~~~~~~~
drwx--x--x. root root system_u:object_r:var_t:s0       .
drwxr-xr-x. root root system_u:object_r:default_t:s0   ..
drwxr-xr-x. root root system_u:object_r:var_log_t:s0   log

ls -lasZ /apps/var/log
~~~~~~~~~~~~~~
drwxr-xr-x. root     root     system_u:object_r:var_log_t:s0   .
drwx--x--x. root     root     system_u:object_r:var_t:s0       ..
-rw-r--r--. root     root     system_u:object_r:var_log_t:s0   dmesg
drwxr-x---. exim     exim     system_u:object_r:default_t:s0   exim
-rw-rw-r--. root     utmp     system_u:object_r:wtmp_t:s0      wtmp



What am I doing wrong?!

More information about the selinux mailing list