> What am I doing wrong?!
>
A few things look wrong to me:
1. $ sesearch --allow -SC -s syslogd_t -t var_log_t -c lnk_file
This returns no matches.
2. Unrelated to the above AVC denial, but sure to also cause issues, is
the mislabelling of /apps/var/log/exim. This directory is labelled with
a type reserved for locations unknown to SELinux.
It means that SELinux currently has no file context specification for
this location:
> $ matchpathcon /apps/var/log/exim
> /apps/var/log/exim system_u:object_r:default_t:s0
>
In Fedora 13 there is an option for the semanage command called
equivalence. This option can be used to clone file context specifications.
In "man semanage" there is an example that should apply to your
configuration:
> For home directories under top level directory, for example /disk6/home,
> execute the following commands.
> # semanage fcontext -a -t home_root_t "/disk6"
> # semanage fcontext -a -e /home /disk6/home
> # restorecon -R -v /disk6
>
Translating the above to your scenario would look like this:
sudo semanage fcontext -a -t root_t "/apps"
sudo semanage fcontext -a -e /var /apps/var
sudo restorecon -R -v /apps
If you make sure to use similar locations in /apps as the usual /var,
then stuff should get labelled properly.
I did just that - restorecon from /apps (recursive) seemed to restore
all permissions in that directory once I used mount (--bind) to bind
/apps/var/log to /var/log. Two of the alerts are now gone, though I am
still getting one when I log in to the console:
kernel: type=1400 audit(1278074918.050:4): avc: denied { write } for
pid=1557 comm="login" name="log" dev=sdc ino=16386
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=dir
This will not fix your "read var_log_t lnk_file" issue though. I would
probably try labelling the symlink type bin_t, and see if that works.
I have just discovered this 'magical' type. I use xtunnels (VoIP proxy)
and was worried that I would need to define a whole new policy for it
(it 'binds' to one particular port, but then uses a whole range of
random ports 1024-65535 to connect externally) - I was dreading it, but
when I started it, it did bind to the port (no alerts!) and later on I
discovered that it has a "bin_t" type. Interesting!
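The sesearch check and the AVC denial quoted in this thread go together: each denial names a source type, a target type, an object class and a permission set, and those are exactly the arguments sesearch needs. The script below is an added example, not code from anyone in the thread; it parses a denial line into those fields, builds the matching sesearch query, and prints the allow rule audit2allow would propose so the two can be compared. The function names (ctx_type, avc_fields, sesearch_for, allow_rule) are hypothetical, and the sample line in AVC_SAMPLE is constructed from the denial posted above, joined onto one line.

```shell
#!/bin/sh
# Added example, not from the original thread. Parse an SELinux AVC denial
# and derive (a) the sesearch query that checks whether policy already
# allows it and (b) the allow rule audit2allow would propose.

# Constructed sample: the login denial from the thread, on a single line.
AVC_SAMPLE='kernel: type=1400 audit(1278074918.050:4): avc: denied { write } for pid=1557 comm="login" name="log" dev=sdc ino=16386 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir'

# ctx_type CONTEXT -> the type field of user:role:type[:range]
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_fields LINE -> "source_type target_type tclass perm [perm ...]"
# Returns 1 if any of the four fields is missing from the line.
avc_fields() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//')
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$sctx" ] && [ -n "$tctx" ] && [ -n "$tclass" ] && [ -n "$perms" ] || return 1
    printf '%s %s %s %s\n' "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$perms"
}

# sesearch_for LINE -> sesearch command to confirm the rule really is absent.
# Multiple permissions become a comma-separated list for -p.
sesearch_for() {
    fields=$(avc_fields "$1") || return 1
    set -- $fields
    s=$1; t=$2; c=$3; shift 3
    p=$(printf '%s\n' "$@" | paste -sd, -)
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' "$s" "$t" "$c" "$p"
}

# allow_rule LINE -> the audit2allow-style rule for the denial.
allow_rule() {
    fields=$(avc_fields "$1") || return 1
    set -- $fields
    s=$1; t=$2; c=$3; shift 3
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$*"
}

# Run against the constructed sample.
avc_fields "$AVC_SAMPLE"
sesearch_for "$AVC_SAMPLE"
allow_rule "$AVC_SAMPLE"
```

Run sesearch_for's output on the box before touching policy: if it already returns a matching rule, the denial is a labelling problem (as the /apps relabel above turned out to be), not a missing rule, and the allow_rule line is the wrong fix.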