I rebuilt my server and set up bind to log queries in a chroot.

################################################################################
# Logging Configuration
#
logging {
        #
        # Define channels for the two log files
        #
        channel query_log {
                severity info;
                print-time yes;
                file "/var/log/query.log" versions 3 size 100M;
        };
        channel activity_log {
                severity info;
                print-time yes;
                print-category yes;
                print-severity yes;
                file "/var/log/activity.log" versions 3 size 100M;

Below is the security context of the files in the chroot.

[root@josh log]# ls -alZ /var/named/chroot/var/log/activity.log
-rw-r--r--  named named root:object_r:named_conf_t /var/named/chroot/var/log/activity.log
[root@josh log]# ls -alZ /var/named/chroot/var/log/query.log
-rw-r--r--  named named root:object_r:named_conf_t /var/named/chroot/var/log/query.log

I temporarily disabled SELinux, but there was one simple step I missed (forgot, since I did this years ago). I briefly recall creating a symlink and/or using chcon or one of the SELinux commands.

Thanks,
Josh

Josh Donovan wrote:
> I rebuilt my server and set up bind to log queries in a chroot.

> [root@josh log]# ls -alZ /var/named/chroot/var/log/activity.log
> -rw-r--r--  named named root:object_r:named_conf_t /var/named/chroot/var/log/activity.log

That should be root:object_r:named_log_t, IIRC.

Ralph

--- On Wed, 10/9/08, Ralph Angenendt <ra+centos at br-online.de> wrote:

> From: Ralph Angenendt <ra+centos at br-online.de>
> Subject: Re: [CentOS] DNS Logging with Selinux enabled
> To: centos at centos.org
> Date: Wednesday, 10 September, 2008, 9:27 AM
>
> Josh Donovan wrote:
> > I rebuilt my server and set up bind to log queries in a chroot.
> > [root@josh log]# ls -alZ /var/named/chroot/var/log/activity.log
> > -rw-r--r--  named named root:object_r:named_conf_t /var/named/chroot/var/log/activity.log
>
> That should be root:object_r:named_log_t, IIRC.
>
> Ralph

[root@josh named]# ls -alZ
drwxrwx---  named named root:object_r:named_log_t .
drwxrwx---  root  root  system_u:object_r:named_log_t ..
-rw-------  named named system_u:object_r:named_log_t activity.log
-rw-------  named named system_u:object_r:named_log_t query.log

How do I get root:object_r:named_log_t, as it's now system_u:object_r:named_log_t on the logs?

Thanks,
Josh
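
The label check discussed in this thread, as an added example that is not part of any message above: it reads `ls -Z` listings, compares only the type field of each context (the field that type-enforcement rules match on) against named_log_t, and prints the chcon command for each log file that differs. The function names and the combined sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits `ls -Z` output for BIND log
# files whose SELinux type is not named_log_t and prints relabel commands.
# Assumes the five-column listing shown in the thread:
#   mode owner group context path

EXPECTED_TYPE="named_log_t"

# Print the type (third colon-separated field) of a security context.
# Handles user:role:type and user:role:type:level alike.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read listing lines on stdin; print "path type" for every regular
# *.log file whose type differs from EXPECTED_TYPE.
mislabeled_logs() {
    while read -r mode owner group context path; do
        case "$mode" in -*) ;; *) continue ;; esac   # skip dirs, prompts
        case "$path" in *.log) ;; *) continue ;; esac
        t=$(context_type "$context")
        [ "$t" = "$EXPECTED_TYPE" ] || printf '%s %s\n' "$path" "$t"
    done
}

# Turn findings into chcon commands. They are printed, not executed.
fix_commands() {
    mislabeled_logs | while read -r path t; do
        printf 'chcon -t %s %s\n' "$EXPECTED_TYPE" "$path"
    done
}

# Constructed sample: both listings from the thread, combined.
SAMPLE='[root@josh log]# ls -alZ
-rw-r--r-- named named root:object_r:named_conf_t /var/named/chroot/var/log/activity.log
-rw-r--r-- named named root:object_r:named_conf_t /var/named/chroot/var/log/query.log
drwxrwx--- named named root:object_r:named_log_t .
-rw------- named named system_u:object_r:named_log_t activity.log
-rw------- named named system_u:object_r:named_log_t query.log'

printf '%s\n' "$SAMPLE" | fix_commands
```

A label set with chcon can be reset by a later restorecon or full relabel if the policy's file-context rules specify a different type for that path.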