Logging with bind-chroot

by Paul Howarth

Today's update of bind in F11 suggests adding this line to
/etc/rsyslog.conf to maintain logging with a chroot-ed bind:

$AddUnixListenSocket /var/named/chroot/dev/log

For this to work on F-11, I needed to add the following policy module:

::::::::::::::
mybindchroot.fc
::::::::::::::
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)

::::::::::::::
mybindchroot.te
::::::::::::::
policy_module(mybindchroot, 0.0.4)

require {
        type syslogd_t;
}

# rsyslog needs to search the bind chroot when creating
# /dev/log in the chroot
bind_search_cache(syslogd_t)

I'd expect the same to apply in other releases too.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
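
The steps implied by the message above (build the module, load it, relabel the chroot's dev directory, restart rsyslog, then check the socket and its label), as an added example that is not part of the original thread. The function names, the policy development Makefile path and the `service rsyslog restart` command are assumptions; the socket path, module name and expected types come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): build, load and verify mybindchroot.
SOCK=/var/named/chroot/dev/log
# Assumption: the SELinux policy development Makefile is installed here.
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# True if rsyslog config $1 has an uncommented listener line for socket $2.
listen_socket_configured() {
    awk -v s="$2" '$1 == "$AddUnixListenSocket" && $2 == s { found = 1 }
                   END { exit !found }' "$1"
}

# Print the type (third field) of a context like system_u:object_r:devlog_t:s0.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True if path $1 is labelled with SELinux type $2.
has_type() {
    [ "$(selinux_type_of "$(stat -c %C "$1")")" = "$2" ]
}

# Run as root from the directory holding mybindchroot.te and mybindchroot.fc.
deploy_and_verify() {
    make -f "$DEVEL_MAKEFILE" mybindchroot.pp || return 1
    semodule -i mybindchroot.pp || return 1
    # Label the chroot's dev directory before rsyslog creates the socket in it.
    restorecon -Rv /var/named/chroot/dev || return 1
    service rsyslog restart || return 1   # assumption: SysV-style service command

    listen_socket_configured /etc/rsyslog.conf "$SOCK" ||
        { echo "no \$AddUnixListenSocket line for $SOCK" >&2; return 1; }
    [ -S "$SOCK" ] || { echo "$SOCK is not a socket" >&2; return 1; }
    has_type /var/named/chroot/dev device_t ||
        { echo "chroot dev directory is not device_t" >&2; return 1; }
    has_type "$SOCK" devlog_t || { echo "$SOCK is not devlog_t" >&2; return 1; }
    echo "bind chroot logging socket is present and labelled devlog_t"
}

# Nothing is changed unless the script is invoked with the argument "deploy".
if [ "${1:-}" = deploy ]; then
    deploy_and_verify
fi
```

If a check fails after the restart, `ausearch -m avc -ts recent` shows whether SELinux denied rsyslog access inside the chroot.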

Re: Logging with bind-chroot

by Daniel J Walsh

On 09/24/2009 04:43 AM, Paul Howarth wrote:

> Today's update of bind in F11 suggests adding this line to
> /etc/rsyslog.conf to maintain logging with a chroot-ed bind:
>
> $AddUnixListenSocket /var/named/chroot/dev/log
>
> For this to work on F-11, I needed to add the following policy module:
>
> ::::::::::::::
> mybindchroot.fc
> ::::::::::::::
> /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
> /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
>
> ::::::::::::::
> mybindchroot.te
> ::::::::::::::
> policy_module(mybindchroot, 0.0.4)
>
> require {
>     type syslogd_t;
> }
>
> # rsyslog needs to search the bind chroot when creating
> # /dev/log in the chroot
> bind_search_cache(syslogd_t)
>
> I'd expect the same to apply in other releases too.
>
> Paul.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@...
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
Added to Rawhide,  

Miroslav, you should add to F11.

Re: Logging with bind-chroot

by Miroslav Grepl

On 09/29/2009 01:52 PM, Daniel J Walsh wrote:

> On 09/24/2009 04:43 AM, Paul Howarth wrote:
>
> > Today's update of bind in F11 suggests adding this line to
> > /etc/rsyslog.conf to maintain logging with a chroot-ed bind:
> >
> > $AddUnixListenSocket /var/named/chroot/dev/log
> >
> > For this to work on F-11, I needed to add the following policy module:
> >
> > ::::::::::::::
> > mybindchroot.fc
> > ::::::::::::::
> > /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
> > /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
> >
> > ::::::::::::::
> > mybindchroot.te
> > ::::::::::::::
> > policy_module(mybindchroot, 0.0.4)
> >
> > require {
> >     type syslogd_t;
> > }
> >
> > # rsyslog needs to search the bind chroot when creating
> > # /dev/log in the chroot
> > bind_search_cache(syslogd_t)
> >
> > I'd expect the same to apply in other releases too.
> >
> > Paul.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@...
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> Added to Rawhide,
>
> Miroslav, you should add to F11.

Added to selinux-policy-3.6.12-85.fc11