Description of problem:
Running named in a chroot. Have some additional logging enabled. Getting:

type=AVC msg=audit(1303259145.889:20250): avc: denied { append } for pid=5672 comm="named" name="update-debug.log" dev=dm-5 ino=935425 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file

# ls -lZ /var/named/chroot/var/log
-rw-r--r-- named named system_u:object_r:named_log_t named-auth.info
-rw-r--r-- named named system_u:object_r:named_conf_t update-debug.log
# restorecon -r -v /var/named/chroot/var/log
#

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-300.el5
In Fedora we have:

matchpathcon /var/named/chroot/var/log
/var/named/chroot/var/log system_u:object_r:var_log_t:s0
But:

$ matchpathcon /var/named/chroot/var/log/blah
/var/named/chroot/var/log/blah system_u:object_r:named_conf_t:s0

In fact, both seem the same in F15/EL5. Looks like only /var/named/chroot/var/log/named* is marked named_log_t. Seems like everything in /var/named/chroot/var/log/ should get marked that way though.
Fixed in selinux-policy-2.4.6-306.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
We use the query.log for troubleshooting and ran into this error again. We rotate the query logs and keep the last four.

channel query {
    file "/var/log/query.log" size 10m versions 3;
    severity info;
    print-severity yes;
    print-time yes;
};

[root@ns1 log]# pwd
/var/named/chroot/var/log
[root@ns1 log]# restorecon *
[root@ns1 log]# ls -laZ
drwxrwx--- named named system_u:object_r:var_log_t .
drwxr-x--- root named system_u:object_r:named_conf_t ..
-rw-rw---- named named system_u:object_r:named_log_t named.log
-rw-r--r-- named named system_u:object_r:named_log_t query.log
-rw-r--r-- named named system_u:object_r:named_conf_t query.log.0
-rw-r--r-- named named system_u:object_r:named_conf_t query.log.1
-rw-r--r-- named named system_u:object_r:named_conf_t query.log.2

The rule apparently looks for anything in that directory starting with named or anything ending in log.

[root@ns1 log]# semanage fcontext -l | grep named | grep log
/var/log/named.* regular file system_u:object_r:named_log_t:s0
/var/named/chroot/var/log/(named.*|.*\.log) regular file system_u:object_r:named_log_t:s0
/var/named/chroot/var/log directory system_u:object_r:var_log_t:s0

I put this in my /etc/selinux/targeted/contexts/files/file_contexts.local file:

/var/named/chroot/var/log/(named.*|.*\.log.*) system_u:object_r:named_log_t:s0

And then tried again.

[root@ns1 log]# pwd
/var/named/chroot/var/log
[root@ns1 log]# restorecon *
[root@ns1 log]# ls -laZ
drwxrwx--- named named system_u:object_r:var_log_t .
drwxr-x--- root named system_u:object_r:named_conf_t ..
-rw-rw---- named named system_u:object_r:named_log_t named.log
-rw-r--r-- named named system_u:object_r:named_log_t query.log
-rw-r--r-- named named system_u:object_r:named_log_t query.log.0
-rw-r--r-- named named system_u:object_r:named_log_t query.log.1
-rw-r--r-- named named system_u:object_r:named_log_t query.log.2

Seems to be much better.

Thanks,
Brian
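As an added illustration (not part of this bug report or of the selinux-policy package), the following Python model shows why the stock pattern leaves query.log.0 as named_conf_t while the file_contexts.local pattern fixes it: libselinux anchors each file_contexts regex as ^...$, only applies an entry whose type flag (-- regular file, -d directory) matches, and lets the last loaded matching entry win, so local entries override stock ones. The named_conf_t catch-all for the chroot is an assumption made to reproduce the named_conf_t results seen on query.log.0 and blah; it is not quoted from the report.

```python
import re

# Constructed file_contexts-style entries in load order: (regex, type flag, context).
# A flag of "--" restricts the entry to regular files, "-d" to directories,
# None matches any file type. The first entry is an ASSUMED catch-all for the
# chroot; the other two are the stock entries quoted in the semanage output above.
STOCK_FILE_CONTEXTS = [
    (r"/var/named/chroot(/.*)?", None, "system_u:object_r:named_conf_t:s0"),
    (r"/var/named/chroot/var/log", "-d", "system_u:object_r:var_log_t:s0"),
    (r"/var/named/chroot/var/log/(named.*|.*\.log)", "--",
     "system_u:object_r:named_log_t:s0"),
]

# The file_contexts.local entry from the report; the trailing .* covers query.log.N.
LOCAL_FILE_CONTEXTS = [
    (r"/var/named/chroot/var/log/(named.*|.*\.log.*)", "--",
     "system_u:object_r:named_log_t:s0"),
]


def lookup(path, ftype, specs):
    """Resolve path to a context the way libselinux's file backend does:
    regexes are implicitly anchored (^...$), the type flag must agree, and
    the entry loaded last wins, so local entries override stock ones."""
    for regex, flag, ctx in reversed(specs):
        if flag is not None and flag != ftype:
            continue
        if re.fullmatch(regex, path):
            return ctx
    return None


def type_of(path, ftype="--", local=False):
    """Return just the SELinux type field (user:role:TYPE:level) for path."""
    specs = STOCK_FILE_CONTEXTS + (LOCAL_FILE_CONTEXTS if local else [])
    ctx = lookup(path, ftype, specs)
    return ctx.split(":")[2] if ctx else None


if __name__ == "__main__":
    logdir = "/var/named/chroot/var/log"
    for name in ("named.log", "query.log", "query.log.0", "query.log.1", "blah"):
        before = type_of(f"{logdir}/{name}")
        after = type_of(f"{logdir}/{name}", local=True)
        print(f"{name:12} stock={before:13} with local={after}")
    print("directory itself:", type_of(logdir, ftype="-d"))
```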
In RHEL6 we have:

/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)