The message was as follows:
'SELinux is preventing /usr/sbin/rsyslogd from write access on the directory /var/log/radius.#012#012*****'
After inspecting the SELinux label:
ls -Z /var/log/radius
drwx------. radiusd radiusd system_u:object_r:unlabeled_t:s0 radacct
-rw-r-----. radiusd radiusd system_u:object_r:unlabeled_t:s0 radius.log
-rw-r-----. radiusd radiusd system_u:object_r:unlabeled_t:s0 radius.log-1234567.gz
It was clear that the typical 'var_log_t' context was absent and hence preventing rsyslog from writing logs.
The 'var_log_t' defines common logging directories / files.
In order to assign a context we can issue the following:
chcon system_u:object_r:var_log_t:s0 /var/log/radius && chcon system_u:object_r:var_log_t:s0 /var/log/radius/*
Warning: Using chcon will not make the change of context permanent - we need to use semanage to ensure changes remain in tact after system relabel or the restorecon command.
semanage fcontext -a -t var_log_t "/var/log/radius(/.*)?"
The last part of the command instructs all existing files (and newly created ones) to be of the 'var_log_t' context within the '/var/log/radius' directory.
Finally confirm our changes (using restorecon as well to ensure changes are permanent):
restorecon -R -v /var/log/radius
ls -Z
No comments:
Post a Comment