06-24-2008, 03:37 PM
Paul Howarth

rsyncd can't open log file, but there are no avc messages

Johnny Tan wrote:

I'm stumped.

I run a Java app called Solr, which does search indexing. My solr server
creates the index, then I have a bunch of solr clients that rsync that
index over.


The rsync itself is fine, that works. The problem is it won't write to
the appropriate logfile, which is:

/opt/solr/logs/rsyncd.log

/opt/solr/logs is a symlink to /var/log/store.

Here's how it looks:

==

[root@solr:~]# ls -l /opt/solr/
lrwxrwxrwx 1 tomcat tomcat 14 Apr 29 13:52 logs -> /var/log/store

[root@solr:~]# ls -ldZ /opt/solr/logs/
drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /opt/solr/logs/

[root@solr:~]# ls -ldZ /var/log/store
drwxr-xr-x tomcat tomcat user_u:object_r:var_log_t /var/log/store

[root@solr:~]# ls -Z /opt/solr/logs/rsyncd.log
-rw-rw-rw- tomcat tomcat user_u:object_r:var_log_t /var/log/store/rsyncd.log


==

Note that the mode is 666 on the rsyncd.log. When a client tries to
connect, though, I get, in /var/log/messages:


Jun 24 10:15:02 solr rsyncd[19355]: rsync: failed to open log-file
/opt/solr/logs/rsyncd.log: Permission denied (13)


But there are no avc denials (no, I don't have audit package installed,
so all avc messages go to /var/log/messages -- I do get avc denials for
other things).


So, at first, I didn't think it was selinux-related, and tried to
troubleshoot general unix permissions. But got nowhere.


Then I noticed... when I put selinux in permissive mode, it works --
rsyncd properly logs to the above file. When I set it back to enforcing,
I get the above error in /var/log/messages and nothing in the
rsyncd.log, but no avc denials either.



Any ideas?


Turn off the dontaudit rules:
# semodule -DB

You should then see the AVCs and be able to generate the policy module
you need.


You can then turn back on the dontaudit rules:
# semodule -B

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
06-24-2008, 04:02 PM
Johnny Tan

rsyncd can't open log file, but there are no avc messages

Paul Howarth wrote:

Turn off the dontaudit rules:
# semodule -DB

You should then see the AVCs and be able to generate the policy module
you need.


You can then turn back on the dontaudit rules:
# semodule -B


I don't have dontaudit turned on to begin with. As I
mentioned, I *do* see AVCs for other selinux problems.


For this particular problem, I do *not* see AVCs. However,
when I set selinux to Permissive, it works. So I think it's
selinux-related, but there are not AVCs to give me clues.


johnn

 
06-24-2008, 04:21 PM
John Dennis

rsyncd can't open log file, but there are no avc messages

Johnny Tan wrote:

Paul Howarth wrote:

Turn off the dontaudit rules:
# semodule -DB

You should then see the AVCs and be able to generate the policy
module you need.


You can then turn back on the dontaudit rules:
# semodule -B


I don't have dontaudit turned on to begin with. As I mentioned, I *do*
see AVCs for other selinux problems.

I think you're misunderstanding what dontaudit does. There are specific
policy rules which have a dontaudit flag associated with them which says
even if you are auditing don't log this particular denial. What has been
suggested is you disable those dontaudit flags so you see ALL the
denials, not just those which do not currently have the dontaudit flag
set on them, which is your current situation.


--
John Dennis <jdennis@redhat.com>

 
06-24-2008, 04:39 PM
Johnny Tan

rsyncd can't open log file, but there are no avc messages

John Dennis wrote:

Johnny Tan wrote:

Paul Howarth wrote:

Turn off the dontaudit rules:
# semodule -DB

You should then see the AVCs and be able to generate the policy
module you need.


You can then turn back on the dontaudit rules:
# semodule -B


I don't have dontaudit turned on to begin with. As I mentioned, I *do*
see AVCs for other selinux problems.
I think you're misunderstanding what dontaudit does. There are specific
policy rules which have a dontaudit flag associated with them which says
even if you are auditing don't log this particular denial.


Ok, got it. Is there a similar option for older (i.e.,
RHEL-5) versions?

policycoreutils-1.33.12-12.el5

johnn

 
06-24-2008, 04:58 PM
Stephen Smalley

rsyncd can't open log file, but there are no avc messages

On Tue, 2008-06-24 at 12:39 -0400, Johnny Tan wrote:
> John Dennis wrote:
> > Johnny Tan wrote:
> >> Paul Howarth wrote:
> >>> Turn off the dontaudit rules:
> >>> # semodule -DB
> >>>
> >>> You should then see the AVCs and be able to generate the policy
> >>> module you need.
> >>>
> >>> You can then turn back on the dontaudit rules:
> >>> # semodule -B
> >>
> >> I don't have dontaudit turned on to begin with. As I mentioned, I *do*
> >> see AVCs for other selinux problems.
> > I think you're misunderstanding what dontaudit does. There are specific
> > policy rules which have a dontaudit flag associated with them which says
> > even if you are auditing don't log this particular denial.
>
> Ok, got it. Is there a similar option for older (i.e.,
> RHEL-5) versions?
> policycoreutils-1.33.12-12.el5

Not unless RH back-ported the support. But in older releases, you could
instead install an enableaudit.pp file, e.g.
semodule -b /usr/share/selinux/targeted/enableaudit.pp
<exercise system to generate AVC messages>
semodule -b /usr/share/selinux/targeted/base.pp

However that only dealt with dontaudit rules in the base module.

--
Stephen Smalley
National Security Agency

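The replies above all describe one procedure: switch the dontaudit rules off (`semodule -DB`, or loading `enableaudit.pp` on an older policy), reproduce the failure, turn the AVC messages that now appear into a policy module, and switch dontaudit back on. The Python below is an added example for this thread, not code from the list or from the SELinux tools. It models a tiny access-vector check that knows about allow and dontaudit rules, emits a syslog-style AVC line only when a denial is actually audited, and collapses such lines into allow rules the way audit2allow does. The types rsync_t and var_log_t are the thread's; the dontaudit rule on the append, the pid/inode values and the exact line format are constructed for the demonstration and are not a claim about the real rsync policy.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    source: str        # subject domain, e.g. rsync_t
    target: str        # object type, e.g. var_log_t
    tclass: str        # object class, e.g. file
    perms: frozenset   # permissions the rule covers


@dataclass
class Policy:
    allow: list = field(default_factory=list)
    dontaudit: list = field(default_factory=list)
    enforcing: bool = True
    dontaudit_enabled: bool = True   # False models the state after `semodule -DB`


def _matches(rules, source, target, tclass, perm):
    return any(r.source == source and r.target == target
               and r.tclass == tclass and perm in r.perms for r in rules)


def check(policy, source, target, tclass, perm, pid=19355, name="rsyncd.log"):
    """Return (permitted, avc_line); avc_line is None when nothing is logged."""
    if _matches(policy.allow, source, target, tclass, perm):
        return True, None
    permitted = not policy.enforcing          # permissive mode lets it through
    # dontaudit suppresses the message in enforcing AND permissive mode, which
    # is exactly the "works when permissive, no AVC either way" symptom.
    if policy.dontaudit_enabled and _matches(policy.dontaudit, source, target, tclass, perm):
        return permitted, None
    # Constructed syslog-style line (no auditd, so it would land in /var/log/messages).
    line = ('kernel: audit(1214318102.000:42): avc:  denied  {{ {p} }} for  '
            'pid={pid} comm="rsync" name="{n}" dev=sda2 ino=4242 '
            'scontext=system_u:system_r:{s}:s0 tcontext=system_u:object_r:{t}:s0 '
            'tclass={c}').format(p=perm, pid=pid, n=name, s=source, t=target, c=tclass)
    return permitted, line


FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Pull (source type, target type, class, perms) out of one AVC line."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    stype = fields["scontext"].split(":")[2]   # user:role:type[:level]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())


def audit2allow(lines):
    """Collapse denials into allow rules, one per (source, target, class)."""
    needed = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            needed.setdefault((stype, ttype, tclass), set()).update(perms)
    return ["allow {} {}:{} {{ {} }};".format(s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]


def demo_policy():
    """Hypothetical policy: rsync_t may search the log dir, but the append on
    a var_log_t file is both denied and dontaudited. The dontaudit rule is an
    assumption made to reproduce the thread's symptom, not the real policy."""
    return Policy(
        allow=[Rule("rsync_t", "var_log_t", "dir", frozenset({"search"}))],
        dontaudit=[Rule("rsync_t", "var_log_t", "file", frozenset({"open", "append"}))],
    )


def walk_through():
    """The three states from the thread, as {state: (permitted, avc_line)}."""
    out = {}
    p = demo_policy()
    out["enforcing"] = check(p, "rsync_t", "var_log_t", "file", "append")
    p.enforcing = False
    out["permissive"] = check(p, "rsync_t", "var_log_t", "file", "append")
    p.enforcing, p.dontaudit_enabled = True, False      # semodule -DB
    out["enforcing, dontaudit off"] = check(p, "rsync_t", "var_log_t", "file", "append")
    return out


if __name__ == "__main__":
    results = walk_through()
    for state, (ok, line) in results.items():
        print(f"{state:26s} permitted={ok} logged={line is not None}")
    print("\n".join(audit2allow(line for _, line in results.values() if line)))
```

The first two states come back silent (denied in enforcing, permitted in permissive, no line either way), which is what the thread sees; only the third state, with dontaudit disabled, produces a line that parse_avc and audit2allow can turn into a rule. The real tools differ in the packaging (audit2allow -M wraps the rules in a module, ausearch reads the audit log); the point here is only that a dontaudit rule hides the denial in both modes, so "no AVC" on its own proves nothing.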
 
07-07-2008, 05:01 PM
Johnny Tan

rsyncd can't open log file, but there are no avc messages

Johnny Tan wrote:

I'm stumped.

I run a Java app called Solr, which does search indexing. My solr server
creates the index, then I have a bunch of solr clients that rsync that
index over.


The rsync itself is fine, that works. The problem is it won't write to
the appropriate logfile, which is:

/opt/solr/logs/rsyncd.log

/opt/solr/logs is a symlink to /var/log/store.


A little bit more information that might help solve this...

If I remove the symlink, and /opt/solr/bin/rsyncd-start runs
(which basically starts rsyncd), then rsyncd can write to
/opt/solr/logs/rsyncd.log with no problems.


If I put the symlink back in (to /var/log/store), then it
fails (again, with no AVC messages).


The only difference I can see between /opt/solr/logs (as a
directory) and /var/log/store is the default contexts, for
/opt/solr/logs, it's root:object_r:usr_t, for /var/log/store
it's root:object_r:var_log_t


When I put the symlink back, I tried changing the context of
/var/log/store to root:object_r:usr_t to match
/opt/solr/logs, but that doesn't seem to make a difference.


Max, a list member, suggested offline that it might have to
do with type_transition, which does seem to make sense.


I tried both:
type_transition rsync_t var_log_t : file rsync_log_t;
and
type_transition rsync_t var_log_t : file usr_t;

But neither worked (I have all the appropriate allows for
those contexts).



Am I going down the right path here (type_transition)? Or
does anyone else have a suggestion in terms of how the
symlink can be used?


johnn

 
07-07-2008, 10:30 PM
Paul Howarth

rsyncd can't open log file, but there are no avc messages

On Mon, 07 Jul 2008 13:01:55 -0400
Johnny Tan <linuxweb@gmail.com> wrote:

> Johnny Tan wrote:
> > I'm stumped.
> >
> > I run a Java app called Solr, which does search indexing. My solr
> > server creates the index, then I have a bunch of solr clients that
> > rsync that index over.
> >
> > The rsync itself is fine, that works. The problem is it won't write
> > to the appropriate logfile, which is:
> > /opt/solr/logs/rsyncd.log
> >
> > /opt/solr/logs is a symlink to /var/log/store.
>
> A little bit more information that might help solve this...
>
> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs
> (which basically starts rsyncd), then rsyncd can write to
> /opt/solr/logs/rsyncd.log with no problems.
>
> If I put the symlink back in (to /var/log/store), then it
> fails (again, with no AVC messages).
>
> The only difference I can see between /opt/solr/logs (as a
> directory) and /var/log/store is the default contexts, for
> /opt/solr/logs, it's root:object_r:usr_t, for /var/log/store
> it's root:object_r:var_log_t
>
> When I put the symlink back, I tried changing the context of
> /var/log/store to root:object_r:usr_t to match
> /opt/solr/logs, but that doesn't seem to make a difference.
>
> Max, a list member, suggested offline that it might have to
> do with type_transition, which does seem to make sense.
>
> I tried both:
> type_transition rsync_t var_log_t : file rsync_log_t;
> and
> type_transition rsync_t var_log_t : file usr_t;
>
> But neither worked (I have all the appropriate allows for
> those contexts).
>
>
> Am I going down the right path here (type_transition)? Or
> does anyone else have a suggestion in terms of how the
> symlink can be used?


Can you try this policy module:

::::::::::::::
solr.fc
::::::::::::::
# label the log store and everything under it as rsync_log_t
/var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)

::::::::::::::
solr.te
::::::::::::::
policy_module(solr, 0.0.1)

# ======================================================
# Declarations
# ======================================================

require {
    type rsync_t;
    type rsync_log_t;
}

# ======================================================
# Solr local policy
# ======================================================

# rsync_log_t is a log file type (gets the logfile attribute)
logging_log_file(rsync_log_t)
# files and dirs that rsync_t creates in a var_log_t directory become rsync_log_t
logging_log_filetrans(rsync_t,rsync_log_t, { file dir } )



Followed by:
# restorecon -rv /var/log/store

See if that helps.

Paul.

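Paul's module has two halves: a file_contexts entry, which is what restorecon applies to objects that already exist, and logging_log_filetrans, a type_transition that fires when rsync_t creates something in a var_log_t directory. Johnny's earlier experiment only did the second half. The Python below is an added example for this thread, not code from the list or from the reference policy. On an in-memory tree it reproduces why the symlink matters (the kernel resolves the parent directory first, so every rule is keyed on the type of /var/log/store, not of /opt/solr/logs), why a type_transition alone leaves the existing rsyncd.log untouched, and what restorecon -r /var/log/store changes. The paths and types are the thread's; the base file_contexts entries for /opt and /var/log, the absolute symlink target, and the last-match-wins lookup are simplifications assumed for the model.

```python
import os.path
import re


class Fs:
    """Tiny labelled tree: one SELinux type per literal path, plus symlink targets."""

    def __init__(self):
        self.types = {}   # path -> type of the object at that literal path
        self.links = {}   # symlink path -> absolute target (assumed absolute here)

    def add(self, path, ftype, link_to=None):
        self.types[path] = ftype
        if link_to:
            self.links[path] = link_to
        return self

    def resolve(self, path):
        """Follow symlinks component by component, the way open() does."""
        real = "/"
        for comp in path.strip("/").split("/"):
            real = os.path.join(real, comp)
            for _ in range(8):                    # cap symlink chains
                if real not in self.links:
                    break
                real = self.links[real]
            else:
                raise OSError("too many symlinks: " + path)
        return real


def create_type(fs, transitions, domain, path, tclass="file"):
    """Type a new object gets. The kernel keys type_transition on the *resolved*
    parent directory's type; with no matching rule the object inherits that type."""
    parent = fs.resolve(os.path.dirname(path))
    ptype = fs.types[parent]
    return transitions.get((domain, ptype, tclass), ptype)


def restorecon(fs, file_contexts, root):
    """Relabel objects at/under root from file_contexts. Lookup is simplified to
    last-match-wins, the order the compiled file_contexts relies on (more specific
    stems later, module/local entries after the base ones). Symlinks are matched
    by their own path and not followed, as restorecon does."""
    changed = {}
    for p in fs.types:
        if p == root or p.startswith(root.rstrip("/") + "/"):
            chosen = None
            for pattern, ftype in file_contexts:
                if re.fullmatch(pattern, p):
                    chosen = ftype
            if chosen and chosen != fs.types[p]:
                changed[p] = (fs.types[p], chosen)
                fs.types[p] = chosen
    return changed


def scenario():
    """Walk the thread's situations; returns the label each step produces."""
    out = {}
    # 1. No symlink: /opt/solr/logs is a plain directory under /opt, so usr_t.
    plain = (Fs().add("/opt", "usr_t").add("/opt/solr", "usr_t")
                 .add("/opt/solr/logs", "usr_t"))
    out["no symlink"] = create_type(plain, {}, "rsync_t", "/opt/solr/logs/rsyncd.log")
    # 2. Symlink in place: the parent resolves to /var/log/store, so var_log_t is
    #    what every rule is keyed on, not the directory the symlink lives in.
    base = (Fs().add("/opt", "usr_t").add("/opt/solr", "usr_t")
                .add("/var/log", "var_log_t").add("/var/log/store", "var_log_t")
                .add("/var/log/store/rsyncd.log", "var_log_t")     # the existing 666 file
                .add("/opt/solr/logs", "usr_t", link_to="/var/log/store"))
    out["symlink"] = create_type(base, {}, "rsync_t", "/opt/solr/logs/rsyncd.log")
    # 3. A type_transition (what logging_log_filetrans expands to) only changes
    #    what *new* files get; the existing log keeps its label.
    trans = {("rsync_t", "var_log_t", "file"): "rsync_log_t"}
    out["symlink + type_transition"] = create_type(base, trans, "rsync_t",
                                                   "/opt/solr/logs/rsyncd.log")
    out["existing log, before restorecon"] = base.types["/var/log/store/rsyncd.log"]
    # 4. The .fc half: base entries (assumed) first, the module's entry last.
    fc = [(r"/opt(/.*)?", "usr_t"), (r"/var/log(/.*)?", "var_log_t"),
          (r"/var/log/store(/.*)?", "rsync_log_t")]
    out["restorecon changes"] = restorecon(base, fc, "/var/log/store")
    out["existing log, after restorecon"] = base.types["/var/log/store/rsyncd.log"]
    # The directory itself is now rsync_log_t, so new files inherit it even
    # where the transition (keyed on var_log_t) does not apply.
    out["new file, after restorecon"] = create_type(base, trans, "rsync_t",
                                                    "/opt/solr/logs/rsyncd.log")
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:34s} {result}")
```

Two things the model leaves out are worth keeping in mind: opening a path through the symlink also needs `lnk_file read` on the symlink's own type (usr_t here), which is a separate check from the create label; and both halves of the module need the rsync_log_t type to exist in the loaded policy, otherwise neither the .fc entry nor the filetrans can be installed.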
 
 
07-08-2008, 08:36 PM
Johnny Tan

rsyncd can't open log file, but there are no avc messages

Paul Howarth wrote:

On Mon, 07 Jul 2008 13:01:55 -0400
Johnny Tan <linuxweb@gmail.com> wrote:


Johnny Tan wrote:

I'm stumped.

I run a Java app called Solr, which does search indexing. My solr
server creates the index, then I have a bunch of solr clients that
rsync that index over.

The rsync itself is fine, that works. The problem is it won't write
to the appropriate logfile, which is:
/opt/solr/logs/rsyncd.log

/opt/solr/logs is a symlink to /var/log/store.

A little bit more information that might help solve this...

If I remove the symlink, and /opt/solr/bin/rsyncd-start runs
(which basically starts rsyncd), then rsyncd can write to
/opt/solr/logs/rsyncd.log with no problems.


If I put the symlink back in (to /var/log/store), then it
fails (again, with no AVC messages).


The only difference I can see between /opt/solr/logs (as a
directory) and /var/log/store is the default contexts, for
/opt/solr/logs, it's root:object_r:usr_t, for /var/log/store
it's root:object_r:var_log_t


When I put the symlink back, I tried changing the context of
/var/log/store to root:object_r:usr_t to match
/opt/solr/logs, but that doesn't seem to make a difference.


Max, a list member, suggested offline that it might have to
do with type_transition, which does seem to make sense.


I tried both:
type_transition rsync_t var_log_t : file rsync_log_t;
and
type_transition rsync_t var_log_t : file usr_t;

But neither worked (I have all the appropriate allows for
those contexts).



Am I going down the right path here (type_transition)? Or
does anyone else have a suggestion in terms of how the
symlink can be used?



Can you try this policy module:

::::::::::::::
solr.fc
::::::::::::::
/var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)


==

# semanage fcontext -a -t rsync_log_t "/var/log/store(/.*)?"
libsepol.context_from_record: type rsync_log_t is not defined
libsepol.context_from_record: could not create context structure
libsemanage.validate_handler: invalid context system_u:object_r:rsync_log_t:s0 specified for /var/log/store(/.*)? [all files]

libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not add file context for
/var/log/store(/.*)?


==

It seems rsync_log_t is not defined. Can I somehow do this
without having rsync_log_t?


It works fine when I don't use a symlink, so I assume
rsync_log_t is not necessary for this to work.


But I need the symlink because I need the files to be stored
in /var/log/store, as opposed to /opt/solr/logs.


johnn

 
07-08-2008, 08:38 PM
Paul Howarth

rsyncd can't open log file, but there are no avc messages

On Tue, 08 Jul 2008 16:36:13 -0400
Johnny Tan <linuxweb@gmail.com> wrote:

> Paul Howarth wrote:
> > On Mon, 07 Jul 2008 13:01:55 -0400
> > Johnny Tan <linuxweb@gmail.com> wrote:
> >
> >> Johnny Tan wrote:
> >>> I'm stumped.
> >>>
> >>> I run a Java app called Solr, which does search indexing. My solr
> >>> server creates the index, then I have a bunch of solr clients that
> >>> rsync that index over.
> >>>
> >>> The rsync itself is fine, that works. The problem is it won't
> >>> write to the appropriate logfile, which is:
> >>> /opt/solr/logs/rsyncd.log
> >>>
> >>> /opt/solr/logs is a symlink to /var/log/store.
> >> A little bit more information that might help solve this...
> >>
> >> If I remove the symlink, and /opt/solr/bin/rsyncd-start runs
> >> (which basically starts rsyncd), then rsyncd can write to
> >> /opt/solr/logs/rsyncd.log with no problems.
> >>
> >> If I put the symlink back in (to /var/log/store), then it
> >> fails (again, with no AVC messages).
> >>
> >> The only difference I can see between /opt/solr/logs (as a
> >> directory) and /var/log/store is the default contexts, for
> >> /opt/solr/logs, it's root:object_r:usr_t, for /var/log/store
> >> it's root:object_r:var_log_t
> >>
> >> When I put the symlink back, I tried changing the context of
> >> /var/log/store to root:object_r:usr_t to match
> >> /opt/solr/logs, but that doesn't seem to make a difference.
> >>
> >> Max, a list member, suggested offline that it might have to
> >> do with type_transition, which does seem to make sense.
> >>
> >> I tried both:
> >> type_transition rsync_t var_log_t : file rsync_log_t;
> >> and
> >> type_transition rsync_t var_log_t : file usr_t;
> >>
> >> But neither worked (I have all the appropriate allows for
> >> those contexts).
> >>
> >>
> >> Am I going down the right path here (type_transition)? Or
> >> does anyone else have a suggestion in terms of how the
> >> symlink can be used?
> >
> >
> > Can you try this policy module:
> >
> > ::::::::::::::
> > solr.fc
> > ::::::::::::::
> > /var/log/store(/.*)? gen_context(system_u:object_r:rsync_log_t,s0)
>
> ==
>
> # semanage fcontext -a -t rsync_log_t "/var/log/store(/.*)?"
> libsepol.context_from_record: type rsync_log_t is not defined
> libsepol.context_from_record: could not create context structure
> libsemanage.validate_handler: invalid context
> system_u:object_r:rsync_log_t:s0 specified for
> /var/log/store(/.*)? [all files]
> libsemanage.dbase_llist_iterate: could not iterate over records
> /usr/sbin/semanage: Could not add file context for
> /var/log/store(/.*)?
>
> ==
>
> It seems rsync_log_t is not defined. Can I somehow do this
> without having rsync_log_t?
>
> It works fine when I don't use a symlink, so I assume
> rsync_log_t is not necessary for this to work.
>
> But I need the symlink because I need the files to be stored
> in /var/log/store, as opposed to /opt/solr/logs.

I thought from earlier messages you were on RHEL 5? I've tested this
module with CentOS 5.2 and it loads just fine.

Which policy version are you using?

Paul.

 
