file contexts change on reboot
Daniel J Walsh
dwalsh at redhat.com
Wed Aug 13 19:15:41 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Johnson, Richard wrote:
> I'm not sure, but I think I'm hitting a precedence issue which is
> causing files to be relabeled on boot. The symptom is:
>
> root at lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
> root at lstlinux57 13:32:28 ~> ls -lZ
> /var/opt/ft/log/libft_sra_alarm_server.log
> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t
> /var/opt/ft/log/libft_sra_alarm_server.log
> root at lstlinux57 13:32:36 ~> init 6
> root at lstlinux57 13:32:40 ~> logout
>
> Connection to 134.111.82.122 closed.
> bash-3.1$ ssh 134.111.82.122 -l root
> root at 134.111.82.122's password:
> Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
> root at lstlinux57 13:39:22 ~> ls -lZ
> /var/opt/ft/log/libft_sra_alarm_server.log
> -rw------- root root system_u:object_r:var_log_t
> /var/opt/ft/log/libft_sra_alarm_server.log
> root at lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
> root at lstlinux57 13:39:45 ~> ls -lZ
> /var/opt/ft/log/libft_sra_alarm_server.log
> -rw------- root root system_u:object_r:lsb-ft-asn_rw_t
> /var/opt/ft/log/libft_sra_alarm_server.log
>
>
> The situation is a standard RHEL5.2 with all errata applied; plus the
> following modifications
>
> I have a local policy modification introduced by one rpm:
>
> /usr/sbin/semanage fcontext -a -t var_log_t -s system_u
> '/var/opt/ft/log'
>
> And a separate policy module containing:
>
> /var/opt/ft/log/libft_.* --
> gen_context(system_u:object_r:lsb-ft-asn_rw_t,s0)
>
> The net result is:
>
> root at lstlinux57 14:56:56 ~> semanage fcontext -l | grep '/opt/ft'
>
> /var/opt/ft/asn(/.*)? all files
> system_u:object_r:lsb-ft-asn_rw_t:s0
> /var/opt/ft/log/libft_.* regular file
> system_u:object_r:lsb-ft-asn_rw_t:s0
> /opt/ft/sbin/sra_alarm regular file
> system_u:object_r:lsb-ft-asn_exec_t:s0
> /etc/opt/ft/asn/sra_ppp/ASN_CallHome regular file
> system_u:object_r:lsb-ft-asn_script_t:s0
> /etc/opt/ft/asn/sra_ppp/SetUPCallHome regular file
> system_u:object_r:lsb-ft-asn_script_t:s0
> /var/opt/ft/log all files
> system_u:object_r:var_log_t:s0
> /var/opt/ft/log/snmpd\.log all files
> system_u:object_r:snmpd_log_t:s0
>
> I suspect that the problem lies with the ordering of those
> '/var/opt/ft/log' lines. Am I on the right track? How can I sort
> things out?
>
> Thx,
> --rich
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
The file libft_sra_alarm_server.log is being created on boot probably by
an init script or by the executable. Since the parent directory is
labeled var_log_t it gets that context. If you run restorecon the
context will get set correctly.
If all the files in this directory are supposed to be
system_u:object_r:lsb-ft-asn_rw_t:s0
Then you should label
/usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u
'/var/opt/ft/log(/.*)'
If you need other files in that directory labeled differently you might
want to move your log files to a subdir and label that one.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkijMt0ACgkQrlYvE4MpobMcywCcCoNfb+yGutLnFOdB697NfK2q
gMwAn1AudcCj4ORA8acEa3NsM0Yj4KHd
=+wXT
-----END PGP SIGNATURE-----
More information about the fedora-selinux-list
mailing list