rsyncd can't open log file, but there are no avc messages

Paul Howarth paul at city-fan.org
Tue Jun 24 15:37:22 UTC 2008


Johnny Tan wrote:
> I'm stumped.
> 
> I run a Java app called Solr, which does search indexing. My solr server 
> creates the index, then I have a bunch of solr clients that rsync that 
> index over.
> 
> The rsync itself is fine, that works. The problem is it won't write to 
> the appropriate logfile, which is:
> /opt/solr/logs/rsyncd.log
> 
> /opt/solr/logs is a symlink to /var/log/store.
> 
> Here's how it looks:
> 
> ==
> 
> [root@solr:~]# ls -l /opt/solr/
> lrwxrwxrwx  1 tomcat tomcat   14 Apr 29 13:52 logs -> /var/log/store
> 
> [root@solr:~]# ls -ldZ /opt/solr/logs/
> drwxr-xr-x  tomcat tomcat user_u:object_r:var_log_t /opt/solr/logs/
> 
> [root@solr:~]# ls -ldZ /var/log/store
> drwxr-xr-x  tomcat tomcat user_u:object_r:var_log_t /var/log/store
> 
> [root@solr:~]# ls -Z /opt/solr/logs/rsyncd.log
> -rw-rw-rw-  tomcat tomcat user_u:object_r:var_log_t /var/log/store/rsyncd.log
> 
> ==
> 
> Note that the mode is 666 on the rsyncd.log. When a client tries to 
> connect, though, I get, in /var/log/messages:
> 
> Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file /opt/solr/logs/rsyncd.log: Permission denied (13)
> 
> But there are no avc denials (no, I don't have audit package installed, 
> so all avc messages go to /var/log/messages -- I do get avc denials for 
> other things).
> 
> So, at first, I didn't think it was selinux-related, and tried to 
> troubleshoot general unix permissions. But got nowhere.
> 
> Then I noticed... when I put selinux in permissive mode, it works -- 
> rsyncd properly logs to the above file. When I set it back to enforcing, 
> I get the above error in /var/log/messages and nothing in the 
> rsyncd.log, but no avc denials either.
> 
> 
> Any ideas?

Turn off the dontaudit rules:
# semodule -DB

You should then see the AVCs and be able to generate the policy module 
you need.

You can then turn back on the dontaudit rules:
# semodule -B

Paul.
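
The procedure in the reply above, written out as an added example that is not part of the original post: shell helpers that pull one command's AVC denials out of /var/log/messages (where they land without the audit package), summarise them for review, and feed only those to audit2allow. The sample log lines are constructed, since the thread never shows the actual denial; the rsync_t domain, comm="rsync", the append permission and the module name localrsyncd are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Functions only; nothing runs on load.

# CONSTRUCTED sample of /var/log/messages after `semodule -DB`. The real denial
# is not shown in the thread; rsync_t, comm, perms and inode values are assumptions.
sample_messages() {
cat <<'EOF'
Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file /opt/solr/logs/rsyncd.log: Permission denied (13)
Jun 24 10:15:02 solr kernel: audit(1214316902.101:7): avc:  denied  { append } for  pid=19355 comm="rsync" name="rsyncd.log" dev=dm-0 ino=1002 scontext=system_u:system_r:rsync_t tcontext=user_u:object_r:var_log_t tclass=file
Jun 24 10:16:40 solr kernel: audit(1214317000.220:9): avc:  denied  { append } for  pid=19402 comm="rsync" name="rsyncd.log" dev=dm-0 ino=1002 scontext=system_u:system_r:rsync_t tcontext=user_u:object_r:var_log_t tclass=file
Jun 24 10:17:11 solr kernel: audit(1214317031.007:10): avc:  denied  { getattr } for  pid=2210 comm="httpd" name="x" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:tmp_t tclass=file
EOF
}

# AVC denials for one command name ($2) in a syslog file ($1).
avc_for_comm() {
    grep 'avc:  *denied' "$1" | grep "comm=\"$2\"" || true
}

# One line per distinct denial: "<count> <tclass> {<perms>} <tcontext>".
avc_summary() {
    avc_for_comm "$1" "$2" |
        sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\3 {\1} \2/p' |
        sort | uniq -c | sed 's/^ *//'
}

# Build (but do not load) a local module from those denials only.
# Writes $3.te and $3.pp in the current directory; read $3.te before
# loading it with: semodule -i "$3.pp"
build_module() {
    avc_for_comm "$1" "$2" | audit2allow -M "$3"
}

# Order of operations on the affected host, run as root:
#   semodule -DB                      # rebuild policy without dontaudit rules
#   (let a client connect so the failure repeats)
#   avc_summary /var/log/messages rsync
#   build_module /var/log/messages rsync localrsyncd   # module name is hypothetical
#   semodule -B                       # restore dontaudit rules
```

Filtering by comm keeps unrelated denials, which become visible in bulk once dontaudit rules are off, out of the generated module.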