Configuring SELINUX to allow logging to a file that's outside /var/log

3

1

I have a daemon that uses syslog(3) to log to a file that is not a descendant of /var/log. Currently, this requires that SELINUX be disabled. How can I configure an enabled SELINUX to allow this logging?

I am an SELINUX novice. Any guidance or advice would be appreciated.

Steve Emmerson

Posted 2013-06-13T16:33:59.690

Reputation: 241

Belongs on http://unix.stackexchange.com/

– Cory Klein – 2013-06-13T16:52:47.720

Cory, good idea. Done. Curious to see which exchange answers first. – Steve Emmerson – 2013-06-13T17:00:13.140

Answers

0

You have to change the context of your logging directory. For example, you want to log into /mnt/external/log instead of /var/log.

So you have to set the SELinux type for /mnt/external/log to var_log_t, the same as /var/log already has.

Check

ls -Z /var

with result

drwxr-xr-x. root root system_u:object_r:var_log_t:s0   log

prepare your log directory

mkdir /mnt/external/log

prepare rules for labeling FS by SELinux

semanage fcontext -a -t var_log_t /mnt/external/log

invoke relabeling of your directory

restorecon -v /mnt/external/log

When you're done, check

ls -Z /mnt/external

with result

drwxr-xr-x. root root system_u:object_r:var_log_t:s0   log

That's all if you don't use MLS/MCS policy.

See more details on

https://docs.fedoraproject.org/en-US/Fedora/12/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-SELinux_Contexts_Labeling_Files.html

https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-SELinux_Contexts_Labeling_Files-Persistent_Changes_semanage_fcontext.html

user1959366

Posted 2013-06-13T16:33:59.690

Reputation: 1
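
The steps from the answer above, combined into one script, as an added example that is not part of the original answer. It goes slightly beyond the answer by registering the rule for the directory and everything below it, and by comparing the resulting context with that of /var/log, including the MLS/MCS level. The function names and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer): label a directory like /var/log, then verify.
# Assumes semanage, restorecon and GNU stat; function names are hypothetical.

# The third colon-separated field of user:role:type:level is the type.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Everything after the type is the MLS/MCS level; it may contain colons itself.
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Compare type and level of two contexts (user and role are ignored).
# Returns 0 if both match, 1 on type mismatch, 2 if only the level differs.
compare_ctx() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ] || return 1
    [ "$(ctx_level "$1")" = "$(ctx_level "$2")" ] || return 2
    return 0
}

# Apply the answer's procedure to directory $1 (run as root).
label_log_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    # The pattern covers the directory and everything below it, so files
    # that already exist there are relabeled as well.
    pattern="${dir}(/.*)?"
    semanage fcontext -a -t var_log_t "$pattern" 2>/dev/null ||
        semanage fcontext -m -t var_log_t "$pattern" || return 1
    restorecon -Rv "$dir" || return 1
    ref=$(stat -c %C /var/log) && got=$(stat -c %C "$dir") || return 1
    rc=0; compare_ctx "$ref" "$got" || rc=$?
    case $rc in
        0) echo "OK: $dir is labeled $got" ;;
        2) echo "type matches, level differs: $ref vs $got" >&2; return 2 ;;
        *) echo "type mismatch: $ref vs $got" >&2; return 1 ;;
    esac
}

# Only touch the system when explicitly asked: ./script --apply /mnt/external/log
if [ "${1:-}" = "--apply" ]; then
    label_log_dir "${2:?directory required}"
fi
```

A return code of 2 corresponds to the MLS/MCS caveat in the answer: the type is right, but the level differs from the one on /var/log.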