rsyncd can't open log file, but there are no avc messages

Johnny Tan linuxweb at gmail.com
Tue Jul 8 20:51:24 UTC 2008


Paul Howarth wrote:
> On Tue, 08 Jul 2008 16:36:13 -0400
> Johnny Tan <linuxweb at gmail.com> wrote:
> 
>> Paul Howarth wrote:
>>> On Mon, 07 Jul 2008 13:01:55 -0400
>>> Johnny Tan <linuxweb at gmail.com> wrote:
>>>
>>>> Johnny Tan wrote:
>>>>> I'm stumped.
>>>>>
>>>>> I run a Java app called Solr, which does search indexing. My solr
>>>>> server creates the index, then I have a bunch of solr clients that
>>>>> rsync that index over.
>>>>>
>>>>> The rsync itself is fine, that works. The problem is it won't
>>>>> write to the appropriate logfile, which is:
>>>>> /opt/solr/logs/rsyncd.log
>>>>>
>>>>> /opt/solr/logs is a symlink to /var/log/store.
>>>> A little bit more information that might help solve this...
>>>>
>>>> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs 
>>>> (which basically starts rsyncd), then rsyncd can write to 
>>>> /opt/solr/logs/rsyncd.log with no problems.
>>>>
>>>> If I put the symlink back in (to /var/log/store), then it 
>>>> fails (again, with no AVC messages).
>>>>
>>>> The only difference I can see between /opt/solr/logs (as a 
>>>> directory) and /var/log/store is the default contexts: for 
>>>> /opt/solr/logs, it's root:object_r:usr_t; for /var/log/store, 
>>>> it's root:object_r:var_log_t.
>>>>
>>>> When I put the symlink back, I tried changing the context of 
>>>> /var/log/store to root:object_r:usr_t to match 
>>>> /opt/solr/logs, but that doesn't seem to make a difference.
>>>>
>>>> Max, a list member, suggested offline that it might have to 
>>>> do with type_transition, which does seem to make sense.
>>>>
>>>> I tried both:
>>>> type_transition rsync_t var_log_t : file rsync_log_t;
>>>> and
>>>> type_transition rsync_t var_log_t : file usr_t;
>>>>
>>>> But neither worked (I have all the appropriate allows for 
>>>> those contexts).
>>>>
>>>>
>>>> Am I going down the right path here (type_transition)? Or 
>>>> does anyone else have a suggestion in terms of how the 
>>>> symlink can be used?
>>>
>>> Can you try this policy module:
>>>
>>> ::::::::::::::
>>> solr.fc
>>> ::::::::::::::
>>> /var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)
>> ==
>>
>> # semanage fcontext -a -t rsync_log_t "/var/log/store(/.*)?"
>> libsepol.context_from_record: type rsync_log_t is not defined
>> libsepol.context_from_record: could not create context structure
>> libsemanage.validate_handler: invalid context 
>> system_u:object_r:rsync_log_t:s0 specified for 
>> /var/log/store(/.*)? [all files]
>> libsemanage.dbase_llist_iterate: could not iterate over records
>> /usr/sbin/semanage: Could not add file context for 
>> /var/log/store(/.*)?
>>
>> ==
>>
>> It seems rsync_log_t is not defined. Can I somehow do this 
>> without having rsync_log_t?
>>
>> It works fine when I don't use a symlink, so I assume 
>> rsync_log_t is not necessary for this to work.
>>
>> But I need the symlink because I need the files to be stored 
>> in /var/log/store, as opposed to /opt/solr/logs.
> 
> I thought from earlier messages you were on RHEL 5? I've tested this
> module with CentOS 5.2 and it loads just fine.
> 
> Which policy version are you using?

selinux-policy-2.4.6-106.el5_1.3

I haven't updated to 5.2 yet.

johnn



