> On Wed, Oct 7, 2009 at 11:45 AM, <m.roth at 5-cent.us> wrote:
>>> Quoting m.roth at 5-cent.us:
>>>
>>>> Have I mentioned that I am less than enthralled with selinux?
>>>>
>>>> My latest issue is continuing messages in the /var/log/messages, which
>>>> complain, for example, that siteminder can't write to smagent log
<snip>
>> Then we can go to:
>> <...> avc: denied { write } for pid=5898 comm="LLAWP"
>> path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
>> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
>> tclass=file
>
> Don't know selinux. Wish I didn't have to....
>
> When I have had init scripts write to new /var/log/ log files, I had
> to change them to be system_t or it would fail. Files under /tmp/ had
> to have a special label as well. So I wonder if you tried changing
> the log file to the system_t context and it also fails. Wouldn't it
> have to have both the system and http context? I went as far as

I've set the role, user, and context of both LLAWP (siteminder), and the
logfile, identical to another server that does *not* complain. You begin
to see my frustration, esp. when I have to skim through logs that have a
dozen, or two dozen, of these (and others) every hour, to find other more
important messages.
<snip>

mark