RE: file contexts change on reboot
- From: "Johnson, Richard" <Richard Johnson stratus com>
- To: "Daniel J Walsh" <dwalsh redhat com>
- Cc: fedora-selinux-list redhat com
- Subject: RE: file contexts change on reboot
- Date: Wed, 13 Aug 2008 16:35:28 -0400
Daniel J Walsh wrote:
> Johnson, Richard wrote:
>> Daniel J Walsh wrote:
>>> The file libft_sra_alarm_server.log is being created on boot probably by
>>> an init script or by the executable. Since the parent directory is
>>> labeled var_log_t it gets that context. If you run restorecon the
>>> context will get set correctly.
>>>
>>> If all the files in this directory are supposed to be
>>> system_u:object_r:lsb-ft-asn_rw_t:s0
>>>
>>> Then you should label
>>>
>>> /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u
>>> '/var/opt/ft/log(/.*)'
>>>
>>> If you need other files in that directory labeled differently you might
>>> want to move your log files to a subdir and label that one.
>>
>>
>> Yes this log (among others) is created by a daemon started from an init
>> script. I will investigate moving the logs to a sub-dir. But for
>> historical and support reasons I'd prefer to leave them where they are.
>> Is there a way for the daemon to create the files with the appropriate
>> label from the get-go?
>>
>>1. Write a policy for this daemon so that when it creates files in
>>directories labeled var_log_t, it transitions to the correct context
Ah. I'm halfway down this road with a candidate policy--which might
be how I got into this mess. But being new at it, I guess it's par for
the course. Back to the books and other docs...this time focusing on
transitions.
>>2. You could have the script create the log file and run restorecon on
>>it and then have your program open and write to it.
>>
>>3. You could make your application SELinux aware and ask the system how
>>the log file should be labeled and then call the selinux api to tell the
>>kernel to label it correctly.
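
Option 2 from the quoted reply, sketched as an added example that is not part of the original thread: an init-script helper that pre-creates the log file and runs restorecon on it before the daemon starts. The function name `prepare_log` is hypothetical, and the full log path in the usage comment is assumed from the directory and file name mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-create a daemon log file and
# relabel it so it never keeps the var_log_t label inherited from its parent.
#
# prepare_log PATH [MODE]   (hypothetical helper name)
#   returns 0 when PATH is a regular file and, if SELinux is enabled,
#   restorecon succeeded; returns 1 when the path is refused or a step fails.
prepare_log() {
    log=$1
    mode=${2:-0640}

    # An init script runs as root: refuse symlinks so it cannot be steered
    # into creating or relabeling a file somewhere else.
    if [ -L "$log" ]; then
        echo "prepare_log: $log is a symlink, refusing" >&2
        return 1
    fi

    if [ -e "$log" ]; then
        if [ ! -f "$log" ]; then
            echo "prepare_log: $log is not a regular file" >&2
            return 1
        fi
    else
        # noclobber (set -C) makes '>' fail if the name appears between the
        # check above and the create. The subshell keeps umask/noclobber local.
        ( umask 077; set -C; : > "$log" ) 2>/dev/null || return 1
    fi
    chmod "$mode" "$log" || return 1

    # Apply the context defined by the file_contexts rules (for example the
    # semanage fcontext rule quoted in the thread). Skipped when the SELinux
    # tools are absent or SELinux is disabled.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon "$log" || return 1
    fi
    return 0
}

# Usage in the init script, before the daemon is started (assumed path):
#   prepare_log /var/opt/ft/log/libft_sra_alarm_server.log || exit 1
```

The daemon must open the existing file for append rather than unlink and recreate it, otherwise the new file inherits the parent directory's label again.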