rsyncd can't open log file, but there are no avc messages

Paul Howarth paul at city-fan.org
Tue Jul 8 20:38:42 UTC 2008


On Tue, 08 Jul 2008 16:36:13 -0400
Johnny Tan <linuxweb at gmail.com> wrote:

> Paul Howarth wrote:
> > On Mon, 07 Jul 2008 13:01:55 -0400
> > Johnny Tan <linuxweb at gmail.com> wrote:
> > 
> >> Johnny Tan wrote:
> >>> I'm stumped.
> >>>
> >>> I run a Java app called Solr, which does search indexing. My solr
> >>> server creates the index, then I have a bunch of solr clients that
> >>> rsync that index over.
> >>>
> >>> The rsync itself is fine, that works. The problem is it won't
> >>> write to the appropriate logfile, which is:
> >>> /opt/solr/logs/rsyncd.log
> >>>
> >>> /opt/solr/logs is a symlink to /var/log/store.
> >> A little bit more information that might help solve this...
> >>
> >> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs 
> >> (which basically starts rsyncd), then rsyncd can write to 
> >> /opt/solr/logs/rsyncd.log with no problems.
> >>
> >> If I put the symlink back in (to /var/log/store), then it 
> >> fails (again, with no AVC messages).
> >>
> >> The only difference I can see between /opt/solr/logs (as a 
> >> directory) and /var/log/store is the default contexts: for 
> >> /opt/solr/logs, it's root:object_r:usr_t; for /var/log/store, 
> >> it's root:object_r:var_log_t.
> >>
> >> When I put the symlink back, I tried changing the context of 
> >> /var/log/store to root:object_r:usr_t to match 
> >> /opt/solr/logs, but that doesn't seem to make a difference.
> >>
> >> Max, a list member, suggested offline that it might have to 
> >> do with type_transition, which does seem to make sense.
> >>
> >> I tried both:
> >> type_transition rsync_t var_log_t : file rsync_log_t;
> >> and
> >> type_transition rsync_t var_log_t : file usr_t;
> >>
> >> But neither worked (I have all the appropriate allows for 
> >> those contexts).
> >>
> >>
> >> Am I going down the right path here (type_transition)? Or 
> >> does anyone else have a suggestion in terms of how the 
> >> symlink can be used?
> > 
> > 
> > Can you try this policy module:
> > 
> > ::::::::::::::
> > solr.fc
> > ::::::::::::::
> > /var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)
> 
> ==
> 
> # semanage fcontext -a -t rsync_log_t "/var/log/store(/.*)?"
> libsepol.context_from_record: type rsync_log_t is not defined
> libsepol.context_from_record: could not create context structure
> libsemanage.validate_handler: invalid context 
> system_u:object_r:rsync_log_t:s0 specified for 
> /var/log/store(/.*)? [all files]
> libsemanage.dbase_llist_iterate: could not iterate over records
> /usr/sbin/semanage: Could not add file context for 
> /var/log/store(/.*)?
> 
> ==
> 
> It seems rsync_log_t is not defined. Can I somehow do this 
> without having rsync_log_t?
> 
> It works fine when I don't use a symlink, so I assume 
> rsync_log_t is not necessary for this to work.
> 
> But I need the symlink because I need the files to be stored 
> in /var/log/store, as opposed to /opt/solr/logs.

I thought from earlier messages you were on RHEL 5? I've tested this
module with CentOS 5.2 and it loads just fine.

Which policy version are you using?

Paul.




More information about the fedora-selinux-list mailing list