Help, Selinux blocking append to named.log.

mysteron · 07-14-2008, 05:58 AM

Hi.

I've got a server which is running CentOS5 and Selinux is activated on it. I've got one problem though. Selinux is blocking append access to named.log file in /var/log/.

Bind-chroot is being used.

What should I do in order to get append access to named.log file?

ls -laZ show:

-rw-r--r-- named named system_u

bject_r:named_log_t /var/log/named.log

Extract from sealert message:

host=server.test.tld type=AVC msg=audit(1216019110.434:17676): avc: denied { append } for pid=2866 comm="named" name="named.log" dev=md1 ino=6508403 scontext=system_u:system_r:named_t:s0 tcontext=system_u

bject_r:named_conf_t:s0 tclass=file

host=server.test.tld type=SYSCALL msg=audit(1216019110.434:17676): arch=40000003 syscall=5 success=no exit=-13 a0=b3237418 a1=441 a2=1b6 a3=b3314ce8 items=0 ppid=1 pid=2866 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)

I've tried running restorecon -v 'named.log', but that did not help either.

Regards,
/mysteron

unSpawn · 07-14-2008, 07:43 AM

Running the message through 'audit2allow' suggests adding a custom rule "allow named_t s0:file append;" to your local SELinux policy.

mysteron · 07-15-2008, 07:01 AM

Quote:

Originally Posted by unSpawn

Running the message through 'audit2allow' suggests adding a custom rule "allow named_t s0:file append;" to your local SELinux policy.

Thank you for your reply. It seems that uninstalling bind-chroot also solves the log problem, but I wonder how safe it is to run bind with Selinux only protection and no chroot protection...

Found this info related to this issue with bind-chroot and logs.

/mysteron