rsyncd can't open log file, but there are no avc messages

Paul Howarth paul at city-fan.org
Tue Jul 8 21:01:55 UTC 2008


On Tue, 08 Jul 2008 16:51:24 -0400
Johnny Tan <linuxweb at gmail.com> wrote:

> Paul Howarth wrote:
> > On Tue, 08 Jul 2008 16:36:13 -0400
> > Johnny Tan <linuxweb at gmail.com> wrote:
> > 
> >> Paul Howarth wrote:
> >>> On Mon, 07 Jul 2008 13:01:55 -0400
> >>> Johnny Tan <linuxweb at gmail.com> wrote:
> >>>
> >>>> Johnny Tan wrote:
> >>>>> I'm stumped.
> >>>>>
> >>>>> I run a Java app called Solr, which does search indexing. My
> >>>>> solr server creates the index, then I have a bunch of solr
> >>>>> clients that rsync that index over.
> >>>>>
> >>>>> The rsync itself is fine, that works. The problem is it won't
> >>>>> write to the appropriate logfile, which is:
> >>>>> /opt/solr/logs/rsyncd.log
> >>>>>
> >>>>> /opt/solr/logs is a symlink to /var/log/store.
> >>>>
> >>>> A little bit more information that might help solve this...
> >>>>
> >>>> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs 
> >>>> (which basically starts rsyncd), then rsyncd can write to 
> >>>> /opt/solr/logs/rsyncd.log with no problems.
> >>>>
> >>>> If I put the symlink back in (to /var/log/store), then it 
> >>>> fails (again, with no AVC messages).
> >>>>
> >>>> The only difference I can see between /opt/solr/logs (as a 
> >>>> directory) and /var/log/store is the default contexts: for 
> >>>> /opt/solr/logs, it's root:object_r:usr_t; for /var/log/store, 
> >>>> it's root:object_r:var_log_t.
> >>>>
> >>>> When I put the symlink back, I tried changing the context of 
> >>>> /var/log/store to root:object_r:usr_t to match 
> >>>> /opt/solr/logs, but that doesn't seem to make a difference.
> >>>>
> >>>> Max, a list member, suggested offline that it might have to 
> >>>> do with type_transition, which does seem to make sense.
> >>>>
> >>>> I tried both:
> >>>> type_transition rsync_t var_log_t : file rsync_log_t;
> >>>> and
> >>>> type_transition rsync_t var_log_t : file usr_t;
> >>>>
> >>>> But neither worked (I have all the appropriate allows for 
> >>>> those contexts).
> >>>>
> >>>>
> >>>> Am I going down the right path here (type_transition)? Or 
> >>>> does anyone else have a suggestion in terms of how the 
> >>>> symlink can be used?
> >>>
> >>> Can you try this policy module:
> >>>
> >>> ::::::::::::::
> >>> solr.fc
> >>> ::::::::::::::
> >>> /var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)
> >> ==
> >>
> >> # semanage fcontext -a -t rsync_log_t "/var/log/store(/.*)?"
> >> libsepol.context_from_record: type rsync_log_t is not defined
> >> libsepol.context_from_record: could not create context structure
> >> libsemanage.validate_handler: invalid context 
> >> system_u:object_r:rsync_log_t:s0 specified for 
> >> /var/log/store(/.*)? [all files]
> >> libsemanage.dbase_llist_iterate: could not iterate over records
> >> /usr/sbin/semanage: Could not add file context for 
> >> /var/log/store(/.*)?
> >>
> >> ==
> >>
> >> It seems rsync_log_t is not defined. Can I somehow do this 
> >> without having rsync_log_t?
> >>
> >> It works fine when I don't use a symlink, so I assume 
> >> rsync_log_t is not necessary for this to work.
> >>
> >> But I need the symlink because I need the files to be stored 
> >> in /var/log/store, as opposed to /opt/solr/logs.
> > 
> > I thought from earlier messages you were on RHEL 5? I've tested this
> > module with CentOS 5.2 and it loads just fine.
> > 
> > Which policy version are you using?
> 
> selinux-policy-2.4.6-106.el5_1.3
> 
> I haven't updated yet to 5.2

Try adding the type definition to the top of the policy module (just
after the "policy_module" line):

type rsync_log_t;
logging_log_file(rsync_log_t)

Paul.


> 
> johnn
> 
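
Added example, not part of Paul's message or of the module he posted: a shell script that writes a module with the type declaration placed just after the policy_module line, checks that every type named in solr.fc is declared in solr.te, then builds and loads the module. The allow rules, the module version and the function names are assumptions, since the thread does not show the original solr.te.

```bash
#!/bin/bash
# Added example. Only the rsync_log_t declaration and the solr.fc line come
# from the thread; the remaining rules are assumptions for illustration.
set -e
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile   # from selinux-policy-devel

write_module() {   # $1 = directory that receives solr.te and solr.fc
    mkdir -p "$1"
    cat > "$1/solr.te" <<'EOF'
policy_module(solr, 1.0.0)

# Declared locally: the installed base policy does not define this type.
type rsync_log_t;
logging_log_file(rsync_log_t)

require {
	type rsync_t;
	type usr_t;
}
# Assumed rules: follow the /opt/solr/logs symlink, traverse /var/log,
# then create and append to the log file.
allow rsync_t usr_t:lnk_file read;
logging_search_logs(rsync_t)
allow rsync_t rsync_log_t:dir { search getattr write add_name };
allow rsync_t rsync_log_t:file { create getattr append };
EOF
    cat > "$1/solr.fc" <<'EOF'
/var/log/store(/.*)?    gen_context(system_u:object_r:rsync_log_t,s0)
EOF
}

# Print each type that solr.fc assigns but solr.te does not declare. Such a
# type has to exist in the base policy, or the context is rejected as invalid.
undeclared_fc_types() {   # $1 = module directory
    sed -n 's/.*gen_context([^:]*:[^:]*:\([^,:)]*\).*/\1/p' "$1/solr.fc" | sort -u |
    while read -r t; do
        grep -Eq "^[[:space:]]*type[[:space:]]+$t[;,[:space:]]" "$1/solr.te" || echo "$t"
    done
}

build_and_load() {   # $1 = module directory; run as root
    ( cd "$1" && make -f "$DEVEL_MAKEFILE" solr.pp && semodule -i solr.pp )
    restorecon -Rv /var/log/store   # apply the label defined in solr.fc
    ls -Zd /var/log/store           # should now show rsync_log_t
}

if [ "${1:-}" = "install" ]; then
    write_module "${2:-.}"
    [ -z "$(undeclared_fc_types "${2:-.}")" ] || { echo "undeclared type in solr.fc" >&2; exit 1; }
    build_and_load "${2:-.}"
fi
```

Because solr.fc is installed with the module, the separate semanage fcontext command quoted above is not needed once the module loads.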



