RE: file contexts change on reboot
- From: "Johnson, Richard" <Richard Johnson stratus com>
- To: "Daniel J Walsh" <dwalsh redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: RE: file contexts change on reboot
- Date: Wed, 13 Aug 2008 15:53:22 -0400
Daniel J Walsh wrote:
>Johnson, Richard wrote:
>> I'm not sure, but I think I'm hitting a precedence issue which is
>> causing files to be relabeled on boot. The symptom is:
>>
>> root lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
>> root lstlinux57 13:32:28 ~> ls -lZ
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> root lstlinux57 13:32:36 ~> init 6
>> root lstlinux57 13:32:40 ~> logout
>>
>> Connection to 134.111.82.122 closed.
>> bash-3.1$ ssh 134.111.82.122 -l root
>> root 134 111 82 122's password:
>> Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
>> root lstlinux57 13:39:22 ~> ls -l
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> -rw------- root root system_u:object_r:var_log_t
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> root lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
>> root lstlinux57 13:39:45 ~> ls -lZ
>> /var/opt/ft/log/libft_sra_alarm_server.log
>> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t
>> /var/opt/ft/log/libft_sra_alarm_server.log
>>
>>
>> The situation is a standard RHEL5.2 with all errata applied; plus the
[...snip for brevity...]
>
>The file libft_sra_alarm_server.log is being created on boot probably by
>an init script or by the executable. Since the parent directory is
>labeled var_log_t it gets that context. If you run restorecon the
>context will get set correctly.
>
>If all the files in this directory are supposed to be
>system_u:object_r:lsb-ft-asn_rw_t:s0
>
>Then you should label
>
> /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'
>
>If you need other files in that directory labeled differently you might
>want to move your log files to a subdir and label that one.

Yes, this log (among others) is created by a daemon started from an init
script. I will investigate moving the logs to a sub-dir. But for
historical and support reasons I'd prefer to leave them where they are.
Is there a way for the daemon to create the files with the appropriate
label from the get-go?
--rich
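
An added example, not part of the original messages: a small checker that parses `ls -lZ` lines in the shape shown in the thread and reports files whose type differs from what the quoted semanage spec expects. The sample listing, the `other.log` path and the single-spec model are assumptions; precedence among multiple specs in libselinux is not modelled.

```python
import re

# Simplified model of file-context specs: (path regex, expected type).
# The regex is the one from the semanage command quoted above.
SPECS = [(r"/var/opt/ft/log(/.*)", "lsb-ft-asn_rw_t")]

# Constructed sample in the shape of the `ls -lZ` output in the thread.
SAMPLE_LS_Z = """\
-rw------- root root system_u:object_r:var_log_t /var/opt/ft/log/libft_sra_alarm_server.log
-rw------- root root system_u:object_r:lsb-ft-asn_rw_t /var/opt/ft/log/other.log
drwxr-xr-x root root system_u:object_r:var_log_t /var/opt/ft/log
"""

def expected_type(path, specs=SPECS):
    """Return the type of the first spec whose regex matches the whole path."""
    for regex, setype in specs:
        if re.fullmatch(regex, path):  # file-context regexes are anchored at both ends
            return setype
    return None  # no spec in this model covers the path

def parse_ls_z(line):
    """Split one `ls -lZ` line into (path, type); None if it does not parse."""
    fields = line.split(None, 4)  # keep a path containing spaces in one piece
    if len(fields) < 5 or fields[3].count(":") < 2:
        return None
    return fields[4].rstrip(), fields[3].split(":")[2]

def find_drift(ls_output, specs=SPECS):
    """List (path, actual, expected) for files whose type differs from the spec."""
    drift = []
    for line in ls_output.splitlines():
        parsed = parse_ls_z(line)
        if parsed is None:
            continue
        path, actual = parsed
        wanted = expected_type(path, specs)
        if wanted is not None and actual != wanted:
            drift.append((path, actual, wanted))
    return drift

if __name__ == "__main__":
    for path, actual, wanted in find_drift(SAMPLE_LS_Z):
        print(f"{path}: {actual} (expected {wanted})")
```

The directory `/var/opt/ft/log` itself is not reported, because the regex `(/.*)` requires a path component after it and so only covers entries beneath the directory.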