bind-chroot selinux problems on log file
- From: Thomas Vander Stichele <thomas apestaart org>
- To: fedora-selinux-list redhat com
- Subject: bind-chroot selinux problems on log file
- Date: Wed, 25 Apr 2007 15:03:01 +0200
I want to take this particular bug as a way of figuring out how to "fix"
bugs and provide patches.

On FC5, with bind-chroot installed, /var/named/chroot/var/log is labeled
as

    S_Context: system_u:object_r:named_conf_t

This causes audit messages like:

    audit(1177506082.955:23904): avc: denied { getattr } for pid=2781
    comm="named" name="debug.log" dev=dm-0 ino=2850829
    scontext=root:system_r:named_t:s0
    tcontext=system_u:object_r:var_log_t:s0 tclass=file

and the log files aren't being written to.

When I manually change files:

    chcon -R system_u:object_r:var_log_t log/

it works.

Of course, a restorecon resets to named_conf_t.

Is the best way to fix this straight in the selinux source policy? Or
should I create an add-on .te and load it to override?

Thomas