file contexts change on reboot

Daniel J Walsh dwalsh at redhat.com
Wed Aug 13 20:11:11 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johnson, Richard wrote:
> 
> Daniel J Walsh wrote: 
>> Johnson, Richard wrote:
>>> I'm not sure, but I think I'm hitting a precedence issue which is
>>> causing files to be relabeled on boot.  The symptom is:
>>>
>>> root at lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
>>> root at lstlinux57 13:32:28 ~> ls -lZ
>>> /var/opt/ft/log/libft_sra_alarm_server.log 
>>> -rw-------  root root system_u:object_r:lsb-ft-asn_rw_t
>>> /var/opt/ft/log/libft_sra_alarm_server.log
>>> root at lstlinux57 13:32:36 ~> init 6
>>> root at lstlinux57 13:32:40 ~> logout
>>>
>>> Connection to 134.111.82.122 closed.
>>> bash-3.1$ ssh 134.111.82.122 -l root
>>> root at 134.111.82.122's password: 
>>> Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
>>> root at lstlinux57 13:39:22 ~> ls -l
>>> /var/opt/ft/log/libft_sra_alarm_server.log 
>>> -rw-------  root root system_u:object_r:var_log_t
>>> /var/opt/ft/log/libft_sra_alarm_server.log
>>> root at lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
>>> root at lstlinux57 13:39:45 ~> ls -lZ
>>> /var/opt/ft/log/libft_sra_alarm_server.log 
>>> -rw-------  root root system_u:object_r:lsb-ft-asn_rw_t
>>> /var/opt/ft/log/libft_sra_alarm_server.log
>>>
>>>
>>> The situation is a standard RHEL5.2 with all errata applied; plus the
> [...snip for brevity...]
>> The file libft_sra_alarm_server.log is being created on boot probably
> by
>> an init script or by the executable.  Since the parent directory is
>> labeled var_log_t it gets that context.  If you run restorecon the
>> context will get set correctly.
>>
>> If all the files in this directory are supposed to be
>> system_u:object_r:lsb-ft-asn_rw_t:s0
>>
>> Then you should label
>>
>>  /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u \
>>      '/var/opt/ft/log(/.*)?'
>>
>> If you need other files in that directory labeled differently you might
>> want to move your log files to a subdir and label that one.
> 
> 
> Yes this log (among others) is created by a daemon started from an init
> script.   I will investigate moving the logs to a sub-dir.  But for
> historical and support reasons I'd prefer to leave them where they are.
> Is there a way for the daemon to create the files with the appropriate
> label from the get-go?
> 
> --rich
Yes, you have three choices.

1. Write a policy for this daemon so that when it creates files in
directories labeled var_log_t, they transition to the correct context

2. You could have the script create the log file and run restorecon on
it and then have your program open and write to it.

3. You could make your application SELinux-aware and ask the system how
the log file should be labeled and then call the SELinux API to tell the
kernel to label it correctly.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkijP98ACgkQrlYvE4MpobNrTwCgmczJF2zoLn8GsvV0/2CUld67
GyEAmgPcBAXVKaKJcO4+zU6yodH5V9A6
=4BN7
-----END PGP SIGNATURE-----
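The following script is an added example for this thread; it is not code from either poster or from the ft packages. It puts Dan's advice into runnable form from the RHEL5 shell: the persistent semanage fcontext rule (with the trailing "?" that the regex needs to also cover the directory itself), a minimal policy module for choice 1 so files the daemon creates under a var_log_t directory are born as lsb-ft-asn_rw_t, and the init-script pre-create-then-restorecon step for choice 2. Two things are assumptions rather than facts from the thread: the daemon's SELinux domain is called lsb-ft-asn_t (only the file type lsb-ft-asn_rw_t appears above), and the SELinux tools are referenced through environment variables so the script can be exercised on a host without them.

```shell
#!/bin/sh
# Added example (not from the original thread): fix the boot-time relabel
# of /var/opt/ft/log/libft_sra_alarm_server.log described in the thread.
#
# Assumptions, not taken from the thread:
#   - the daemon runs in the SELinux domain lsb-ft-asn_t (hypothetical name);
#   - tool paths may be overridden via environment variables so the script
#     can be exercised on a machine without the SELinux userland.

: "${SEMANAGE:=/usr/sbin/semanage}"
: "${RESTORECON:=/sbin/restorecon}"
: "${CHECKMODULE:=/usr/bin/checkmodule}"
: "${SEMODULE_PACKAGE:=/usr/bin/semodule_package}"
: "${SEMODULE:=/usr/sbin/semodule}"

LOG_DIR=/var/opt/ft/log
LOG_FILE="$LOG_DIR/libft_sra_alarm_server.log"
LOG_TYPE=lsb-ft-asn_rw_t
DAEMON_DOMAIN=lsb-ft-asn_t    # assumed domain of the alarm server daemon

# Persistent file-context rule for the whole directory. "(/.*)?" matches the
# directory and everything below it; "(/.*)" alone would leave the directory
# itself labeled var_log_t, which is exactly what new files then inherit.
label_log_dir() {
    "$SEMANAGE" fcontext -a -t "$LOG_TYPE" -s system_u "$LOG_DIR(/.*)?" &&
    "$RESTORECON" -R "$LOG_DIR"
}

# Choice 1: a policy module in raw checkmodule syntax. The type_transition
# rule fires when a process in $DAEMON_DOMAIN creates a plain file inside a
# var_log_t directory, so the file gets $LOG_TYPE at creation time instead
# of the parent directory's type. (The daemon is assumed to already be
# allowed to create files in var_log_t dirs and to write $LOG_TYPE files.)
write_te_module() {   # $1 = path of the .te file to write
    cat > "$1" <<EOF
module ftlog 1.0;

require {
	type $DAEMON_DOMAIN;
	type $LOG_TYPE;
	type var_log_t;
	class file { create };
}

# file created by $DAEMON_DOMAIN in a var_log_t directory -> $LOG_TYPE
type_transition $DAEMON_DOMAIN var_log_t:file $LOG_TYPE;
EOF
}

# Compile, package and load the module: checkmodule -> semodule_package ->
# semodule, the same pipeline audit2allow -M drives on RHEL5.
build_and_install_module() {   # $1 = path of the .te file
    base=${1%.te}
    "$CHECKMODULE" -M -m -o "$base.mod" "$1" &&
    "$SEMODULE_PACKAGE" -o "$base.pp" -m "$base.mod" &&
    "$SEMODULE" -i "$base.pp"
}

# Choice 2: init-script step run before the daemon starts. Create the log
# (append mode, so an existing log is never truncated) with a restrictive
# mode, then relabel it so the daemon opens an already correct file.
# Runs as root at boot, so the file is root:root without an explicit chown.
precreate_log() {
    [ -d "$LOG_DIR" ] || mkdir -p "$LOG_DIR" || return 1
    ( umask 077; : >> "$LOG_FILE" ) || return 1
    chmod 0600 "$LOG_FILE" &&
    "$RESTORECON" "$LOG_FILE"
}

case "${1:-}" in
    label)     label_log_dir ;;
    module)    write_te_module /tmp/ftlog.te && build_and_install_module /tmp/ftlog.te ;;
    precreate) precreate_log ;;
esac
```

Run `sh ftlog.sh label` once to record and apply the file-context rule, `sh ftlog.sh module` to load the transition rule, and call `precreate_log` from the daemon's init script ahead of starting it; after a reboot, `matchpathcon -V /var/opt/ft/log/libft_sra_alarm_server.log` reports whether the on-disk label still matches policy.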




More information about the fedora-selinux-list mailing list