rsyncd can't open log file, but there are no avc messages

Paul Howarth paul at city-fan.org
Mon Jul 7 22:30:17 UTC 2008


On Mon, 07 Jul 2008 13:01:55 -0400
Johnny Tan <linuxweb at gmail.com> wrote:

> Johnny Tan wrote:
> > I'm stumped.
> > 
> > I run a Java app called Solr, which does search indexing. My solr
> > server creates the index, then I have a bunch of solr clients that
> > rsync that index over.
> > 
> > The rsync itself is fine, that works. The problem is it won't write
> > to the appropriate logfile, which is:
> > /opt/solr/logs/rsyncd.log
> > 
> > /opt/solr/logs is a symlink to /var/log/store.
> 
> A little bit more information that might help solve this...
> 
> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs 
> (which basically starts rsyncd), then rsyncd can write to 
> /opt/solr/logs/rsyncd.log with no problems.
> 
> If I put the symlink back in (to /var/log/store), then it 
> fails (again, with no AVC messages).
> 
> The only difference I can see between /opt/solr/logs (as a 
> directory) and /var/log/store is the default contexts: for 
> /opt/solr/logs, it's root:object_r:usr_t; for /var/log/store, 
> it's root:object_r:var_log_t.
> 
> When I put the symlink back, I tried changing the context of 
> /var/log/store to root:object_r:usr_t to match 
> /opt/solr/logs, but that doesn't seem to make a difference.
> 
> Max, a list member, suggested offline that it might have to 
> do with type_transition, which does seem to make sense.
> 
> I tried both:
> type_transition rsync_t var_log_t : file rsync_log_t;
> and
> type_transition rsync_t var_log_t : file usr_t;
> 
> But neither worked (I have all the appropriate allows for 
> those contexts).
> 
> 
> Am I going down the right path here (type_transition)? Or 
> does anyone else have a suggestion in terms of how the 
> symlink can be used?


Can you try this policy module:

::::::::::::::
solr.fc
::::::::::::::
/var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)

::::::::::::::
solr.te
::::::::::::::
policy_module(solr, 0.0.1)

# ======================================================
# Declarations
# ======================================================

require {
	type rsync_t;
	type rsync_log_t;
}

# ======================================================
# Solr local policy
# ======================================================

logging_log_file(rsync_log_t)
logging_log_filetrans(rsync_t,rsync_log_t, { file dir } )



Followed by:
# restorecon -rv /var/log/store

See if that helps.

Paul.



