file contexts change on reboot

Daniel J Walsh dwalsh at redhat.com
Wed Aug 13 19:15:41 UTC 2008



Johnson, Richard wrote:
> I'm not sure, but I think I'm hitting a precedence issue which is
> causing files to be relabeled on boot.  The symptom is:
> 
> root at lstlinux57 13:32:21 ~> restorecon -R /var/opt/ft/log
> root at lstlinux57 13:32:28 ~> ls -lZ
> /var/opt/ft/log/libft_sra_alarm_server.log 
> -rw-------  root root system_u:object_r:lsb-ft-asn_rw_t
> /var/opt/ft/log/libft_sra_alarm_server.log
> root at lstlinux57 13:32:36 ~> init 6
> root at lstlinux57 13:32:40 ~> logout
> 
> Connection to 134.111.82.122 closed.
> bash-3.1$ ssh 134.111.82.122 -l root
> root at 134.111.82.122's password: 
> Last login: Wed Aug 13 13:08:02 2008 from rjlinux2.mno.stratus.com
> root at lstlinux57 13:39:22 ~> ls -lZ
> /var/opt/ft/log/libft_sra_alarm_server.log 
> -rw-------  root root system_u:object_r:var_log_t
> /var/opt/ft/log/libft_sra_alarm_server.log
> root at lstlinux57 13:39:24 ~> restorecon -R /var/opt/ft/log
> root at lstlinux57 13:39:45 ~> ls -lZ
> /var/opt/ft/log/libft_sra_alarm_server.log 
> -rw-------  root root system_u:object_r:lsb-ft-asn_rw_t
> /var/opt/ft/log/libft_sra_alarm_server.log
> 
> 
> The situation is a standard RHEL5.2 with all errata applied; plus the
> following modifications
> 
> I have a local policy modification introduced by one rpm:
> 
>     /usr/sbin/semanage fcontext -a -t var_log_t -s system_u
> '/var/opt/ft/log'
> 
> And a separate policy module containing:
> 
>     /var/opt/ft/log/libft_.*	--
> gen_context(system_u:object_r:lsb-ft-asn_rw_t,s0)
> 
> The net result is:
> 
> root at lstlinux57 14:56:56 ~> semanage fcontext -l | grep '/opt/ft'
> 
> /var/opt/ft/asn(/.*)?                      all files
> system_u:object_r:lsb-ft-asn_rw_t:s0 
> /var/opt/ft/log/libft_.*                   regular file
> system_u:object_r:lsb-ft-asn_rw_t:s0 
> /opt/ft/sbin/sra_alarm                     regular file
> system_u:object_r:lsb-ft-asn_exec_t:s0 
> /etc/opt/ft/asn/sra_ppp/ASN_CallHome       regular file
> system_u:object_r:lsb-ft-asn_script_t:s0 
> /etc/opt/ft/asn/sra_ppp/SetUPCallHome      regular file
> system_u:object_r:lsb-ft-asn_script_t:s0 
> /var/opt/ft/log                            all files
> system_u:object_r:var_log_t:s0 
> /var/opt/ft/log/snmpd\.log                 all files
> system_u:object_r:snmpd_log_t:s0
> 
> I suspect that the problem lies with the ordering of those
> '/var/opt/ft/log' lines.  Am I on the right track?  How can I sort
> things out?
> 
> Thx,
> --rich
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The file libft_sra_alarm_server.log is being created on boot, probably by
an init script or by the executable.  Since the parent directory is
labeled var_log_t, it gets that context.  If you run restorecon, the
context will get set correctly.

If all the files in this directory are supposed to be
system_u:object_r:lsb-ft-asn_rw_t:s0, then you should label

  /usr/sbin/semanage fcontext -a -t lsb-ft-asn_rw_t -s system_u '/var/opt/ft/log(/.*)'

If you need other files in that directory labeled differently you might
want to move your log files to a subdir and label that one.
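The behaviour described in the reply above, as an added example that is not part of the original message: a simplified Python model contrasting the type a file receives at creation (inherited from its parent directory when no type transition rule applies) with the type restorecon looks up in the file-context entries quoted in the thread. The function names, the constructed boot scenario and the last-match-wins tie-break are assumptions of this sketch, not libselinux's exact ordering.

```python
import re

# Entries copied from the `semanage fcontext -l` output quoted in the thread:
# (path regex, file kind, SELinux type); "all" applies to every file kind.
FCONTEXTS = [
    (r"/var/opt/ft/asn(/.*)?", "all", "lsb-ft-asn_rw_t"),
    (r"/var/opt/ft/log/libft_.*", "file", "lsb-ft-asn_rw_t"),
    (r"/var/opt/ft/log", "all", "var_log_t"),
    (r"/var/opt/ft/log/snmpd\.log", "all", "snmpd_log_t"),
]

def restorecon_type(path, kind):
    """Type restorecon would apply: entries are anchored to the whole path.
    Assumption of this sketch: if several entries match, the last one wins."""
    chosen = None
    for regex, entry_kind, setype in FCONTEXTS:
        if entry_kind in ("all", kind) and re.fullmatch(regex, path):
            chosen = setype
    return chosen  # None: no entry in this excerpt covers the path

def type_at_creation(path, dir_types):
    """With no type transition rule, a new file takes its parent directory's type."""
    return dir_types[path.rsplit("/", 1)[0]]

def boot_drift(new_files, dir_types):
    """Map each file whose creation-time type differs from what restorecon wants."""
    drift = {}
    for path in new_files:
        created = type_at_creation(path, dir_types)
        wanted = restorecon_type(path, "file")
        if wanted is not None and wanted != created:
            drift[path] = (created, wanted)
    return drift

LOG_DIR = "/var/opt/ft/log"
# Constructed scenario: the log file is recreated during boot.
RECREATED = [LOG_DIR + "/libft_sra_alarm_server.log"]

if __name__ == "__main__":
    as_reported = {LOG_DIR: restorecon_type(LOG_DIR, "dir")}  # directory is var_log_t
    print(boot_drift(RECREATED, as_reported))
    # Same file, but with the directory itself carrying the module's type.
    print(boot_drift(RECREATED, {LOG_DIR: "lsb-ft-asn_rw_t"}))
```

The first call reports the mismatch seen after `init 6` in the thread; the second shows that the mismatch disappears once the directory the file is created in carries the intended type.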



