named log with selinux
Farkas Levente
lfarkas at bppiac.hu
Wed Mar 23 08:54:07 UTC 2005
hi,
it seems there is no named_log_t defined in the current selinux policy
files (both on rhel4 and fc3). it would be useful to define such, even if
the current default named doesn't log anything, since somebody (like me)
would like to log something. and i got the following errors:
---------------------------------
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc: denied {
search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462
scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t
tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'update_log' file
'/var/log/named-update': permission denied
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc: denied {
search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462
scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t
tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'query_log' file
'/var/log/named-query': permission denied
Mar 23 09:40:34 blue kernel: audit(1111567234.310:0): avc: denied {
search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462
scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t
tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'security_log' file
'/var/log/named-auth': permission denied
---------------------------------
what's more (i don't know why), when i try to relabel the log files to
named_t i've got these errors:
---------------------------------
Mar 23 09:50:54 blue kernel: audit(1111567854.706:0): avc: denied {
relabelto } for pid=2922 exe=/usr/bin/chcon name=named-auth dev=md0
ino=4670608 scontext=root:system_r:unconfined_t
tcontext=root:object_r:named_t tclass=file
Mar 23 09:50:54 blue kernel: audit(1111567854.707:0): avc: denied {
relabelto } for pid=2922 exe=/usr/bin/chcon name=named-query dev=md0
ino=4670491 scontext=root:system_r:unconfined_t
tcontext=root:object_r:named_t tclass=file
Mar 23 09:50:54 blue kernel: audit(1111567854.707:0): avc: denied {
relabelto } for pid=2922 exe=/usr/bin/chcon name=named-update dev=md0
ino=4669631 scontext=root:system_r:unconfined_t
tcontext=root:object_r:named_t tclass=file
---------------------------------
any tip?
thanks in advance.
yours.
--
Levente "Si vis pacem para bellum!"
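The two batches of AVC messages above tell one story when read together: `named` (running as `named_t`) is refused `search` on the `var_log_t` directory, and `chcon` is refused `relabelto` on files whose target type is `named_t`. The second refusal is expected, because `named_t` is the type of the daemon process (it is the `scontext` in the first batch), not a file type, so the fix the poster is after is a dedicated log file type rather than a relabel. The script below is an added example, not part of the original post or of the Fedora policy: it parses AVC denial lines of the format quoted in the post, merges them into candidate `allow` rules the way `audit2allow` does, and flags any `relabelto` whose target type also appears as a process domain in the same log. The sample log lines are constructed (unwrapped copies of the post's messages, one record per line); a real syslog dump wrapped as in the post would need its lines rejoined first.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the AVC messages quoted in the post
# (kernel audit format of the FC3/RHEL4 era, one record per line).
SAMPLE_LOG = """\
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc: denied { search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:40:34 blue named[2774]: logging channel 'update_log' file '/var/log/named-update': permission denied
Mar 23 09:40:34 blue kernel: audit(1111567234.309:0): avc: denied { search } for pid=2775 exe=/usr/sbin/named name=log dev=md0 ino=4669462 scontext=root:system_r:named_t tcontext=system_u:object_r:var_log_t tclass=dir
Mar 23 09:50:54 blue kernel: audit(1111567854.706:0): avc: denied { relabelto } for pid=2922 exe=/usr/bin/chcon name=named-auth dev=md0 ino=4670608 scontext=root:system_r:unconfined_t tcontext=root:object_r:named_t tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; TE rules are written in terms of the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions
    so repeated messages (the post shows the same search denial three times)
    collapse into a single entry."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return groups


def to_allow_rules(groups):
    """Render merged denials as TE allow rules, audit2allow style. These are
    candidates to review, not rules to apply blindly."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in groups.items()]


def relabels_to_domain(groups):
    """Flag relabelto denials whose target type is seen as a *source* type
    elsewhere in the log, i.e. it labels a process, not a file. Allowing such
    a relabel is the wrong fix; a dedicated file type is what is needed."""
    domains = {s for (s, _t, _c) in groups}
    return [(s, t, c) for (s, t, c), p in groups.items()
            if "relabelto" in p and t in domains]


if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for rule in to_allow_rules(groups):
        print(rule)
    for s, t, c in relabels_to_domain(groups):
        print("suspect: %s tried to relabel a %s to process domain %s"
              % (s, c, t))
```

Run against the sample, the merged output is one `search` rule for `named_t` on `var_log_t:dir` and one `relabelto` rule for `unconfined_t` on `named_t:file`; the second is flagged because `named_t` also appears as the source domain of the `named` process, which is the clue that the files need a type of their own (the missing `named_log_t`) rather than the daemon's domain type.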