FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 06-24-2008, 03:09 PM
Johnny Tan
 
Default rsyncd can't open log file, but there are no avc messages

I'm stumped.

I run a Java app called Solr, which does search indexing. My
solr server creates the index, then I have a bunch of solr
clients that rsync that index over.


The rsync itself is fine, that works. The problem is it
won't write to the appropriate logfile, which is:

/opt/solr/logs/rsyncd.log

/opt/solr/logs is a symlink to /var/log/store.

Here's how it looks:

==

[root@solr:~]# ls -l /opt/solr/
lrwxrwxrwx 1 tomcat tomcat 14 Apr 29 13:52 logs ->
/var/log/store


[root@solr:~]# ls -ldZ /opt/solr/logs/
drwxr-xr-x tomcat tomcat user_ubject_r:var_log_t
/opt/solr/logs/


[root@solr:~]# ls -ldZ /var/log/store
drwxr-xr-x tomcat tomcat user_ubject_r:var_log_t
/var/log/store


[root@solr:~]# ls -Z /opt/solr/logs/rsyncd.log
-rw-rw-rw- tomcat tomcat user_ubject_r:var_log_t
/var/log/store/rsyncd.log


==

Note that the mode is 666 on the rsyncd.log. When a client
tries to connect, though, I get, in /var/log/messages:


Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open
log-file /opt/solr/logs/rsyncd.log: Permission denied (13)


But there are no avc denials (no, I don't have audit package
installed, so all avc messages go to /var/log/messages -- I
do get avc denials for other things).


So, at first, I didn't think it was selinux-related, and
tried to troubleshoot general unix permissions. But got nowhere.


Then I noticed... when I put selinux in permissive mode, it
works -- rsyncd properly logs to the above file. When I set
it back to enforcing, I get the above error in
/var/log/messages and nothing in the rsyncd.log, but no avc
denials either.



Any ideas?

If it helps, here's how my rsyncd module looks like:
==

module solrrsync 1.0;

require {
type initrc_tmp_t;
type port_t;
type var_log_t;
type restorecon_t;
type rsync_t;
type usr_t;
class netlink_route_socket { read create bind
getattr write nlmsg_read };

class lnk_file read;
class file { read write getattr create append };
class tcp_socket { name_connect name_bind };
class dir { write add_name };
}

#============= restorecon_t ==============
allow restorecon_t initrc_tmp_t:file { read write };
allow restorecon_t usr_t:lnk_file read;
allow restorecon_t var_log_t:lnk_file read;

#============= rsync_t ==============
allow rsync_t initrc_tmp_t:file { read write };
allow rsync_t port_t:tcp_socket { name_connect name_bind };
allow rsync_t self:netlink_route_socket { read create bind
getattr write nlmsg_read };

allow rsync_t usr_t:lnk_file read;
allow rsync_t usr_t:file { read getattr };
allow rsync_t var_log_t:lnk_file read;
allow rsync_t var_log_t:dir { write add_name };
allow rsync_t var_log_t:file { read write getattr create
append };



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 12:45 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org