Logging with bind-chroot

Paul Howarth paul at city-fan.org
Thu Sep 24 08:43:57 UTC 2009


Today's update of bind in F11 suggests adding this line to 
/etc/rsyslog.conf to maintain logging with a chroot-ed bind:

$AddUnixListenSocket /var/named/chroot/dev/log

For this to work on F-11, I needed to add the following policy module:

::::::::::::::
mybindchroot.fc
::::::::::::::
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)

::::::::::::::
mybindchroot.te
::::::::::::::
policy_module(mybindchroot, 0.0.4)

require {
	type syslogd_t;
}

# rsyslog needs to search the bind chroot when creating
# /dev/log in the chroot
bind_search_cache(syslogd_t)

I'd expect the same to apply in other releases too.

Paul.
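
The steps to build and load the module above and then check the resulting labels, as an added example that is not part of the original post. It assumes mybindchroot.te and mybindchroot.fc are in the current directory, that the policy development Makefile is at /usr/share/selinux/devel/Makefile, and that the $AddUnixListenSocket line is already in /etc/rsyslog.conf; the function names are illustrative.

```shell
#!/bin/bash
# Added example: build, load and verify the mybindchroot module from the post.
# Assumptions: the .te/.fc files are in the current directory and the
# policy development Makefile is installed at the path below.
MODULE=mybindchroot
CHROOT_DEV=/var/named/chroot/dev            # path taken from mybindchroot.fc
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Print the type field of a context such as system_u:object_r:devlog_t:s0.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only when the context's type equals the expected type.
label_ok() {   # usage: label_ok <expected_type> <context>
    [ "$(selinux_type "$2")" = "$1" ]
}

# Compile the module, load it, relabel the chroot's dev directory so the
# new file contexts apply, then restart rsyslog so it recreates the socket.
install_module() {
    make -f "$DEVEL_MAKEFILE" "$MODULE.pp" &&
    semodule -i "$MODULE.pp" &&
    restorecon -Rv "$CHROOT_DEV" &&
    service rsyslog restart
}

# Compare the live labels against the types declared in mybindchroot.fc.
verify_labels() {
    rc=0
    for pair in "$CHROOT_DEV=device_t" "$CHROOT_DEV/log=devlog_t"; do
        path=${pair%%=*}; want=${pair##*=}
        ctx=$(stat -c %C "$path" 2>/dev/null) || ctx=missing
        if label_ok "$want" "$ctx"; then
            echo "OK   $path $ctx"
        else
            echo "FAIL $path has '$ctx', expected type $want"; rc=1
        fi
    done
    return $rc
}

# Only touch the system when asked to: ./script apply   (run as root)
if [ "${1:-}" = "apply" ]; then
    install_module && verify_labels
fi
```

If verify_labels reports FAIL for the socket, check the audit log for AVC denials against syslogd_t before changing anything else.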



