
[LDM #ZXW-147529]: Installation procedures



Mick,

> I was going to lean into the strike zone and suggest an improvement to
> the installation procedures, specifically "LDM Preinstallation Steps"
> (http://www.unidata.ucar.edu/software/ldm/ldm-6.8.1/basics/preinstallation.html
> - while this is for 6.8.1, I would imagine the instructions are similar
> for other versions as well).
> 
> In the root preinstallation steps you suggest:
> 
> ==========8<===========
> If the operating system is Linux and the file /etc/selinux/config exists
> and contains the variable SELINUX, then that variable must be set to
> disabled in order to allow the syslog(8)  daemon to write log messages
> to the LDM logfile. The computer must be rebooted for this change to
> take effect.
> ==========8<===========
> 
> I would suggest a less "chop the head off to cure a headache" method,
> allowing sites using SELinux to maintain that. It's all about file
> contexts, and if one uses the "ls -Z" command to view existing files in
> /var/log, one sees that the context of most files (that are touched by
> syslogd) is "var_log_t". Instead of trying to remember that, the SELinux
> command to change context of files (chcon) can use an existing file as a
> template or reference file:
> 
> $ chcon -vv --reference=/var/log/messages /usr/local/ldm/logs/ldmd.log
> 
> The '-vv' is just a feelgood switch that shows that the file actually is
> processed by chcon.
> 
> To verify that the context has been changed from "usr_t" to "var_log_t",
> just run
> 
> $ ls -Z /usr/local/ldm/logs/ldmd.log

This is great!  With all the operating systems we have around here (about a
dozen) and all the work that's piled up, none of us had the time to investigate
SELinux sufficiently to determine what needed to be done to allow the system
logging daemon to write to the LDM log file.

So, all a user would need to do would be to execute the chcon(1) as you've
indicated to fix this problem?  Would the command have to be executed by the
superuser?  What about when the log files are "rotated" (i.e., a new log file
is created)?  Would the command have to be re-executed?

> Thank you for your time.


Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: ZXW-147529
Department: Support LDM
Priority: Normal
Status: Closed
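
The "ls -Z" verification step from the thread, turned into a repeatable check (an added example, not part of the original exchange or of the LDM distribution): it compares the SELinux type of the LDM log file with that of the reference file and can be rerun after a log rotation. The function names and the sample "ls -Z" lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the SELinux type of the LDM log with the type of a
# reference log file, based on `ls -Z` output.

# Print the context (user:role:type[:level]) found in one `ls -Z` line.
# Handles the long layout (mode owner group context path) and the short
# layout (context path); paths and the "?" of unlabeled files never match.
context_of_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ "^[^:/]+:[^:/]+:[^:/]+") { print $i; exit }
    }'
}

# Print the type, the third colon-separated field of a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only if both `ls -Z` lines carry a label and the types are equal.
same_selinux_type() {
    ref_type=$(selinux_type "$(context_of_ls_line "$1")")
    log_type=$(selinux_type "$(context_of_ls_line "$2")")
    [ -n "$ref_type" ] && [ "$ref_type" = "$log_type" ]
}

# Constructed sample lines (not captured from a real host).
REF_LINE='-rw-------. root root system_u:object_r:var_log_t:s0 /var/log/messages'
BAD_LINE='-rw-r--r--. ldm ldm unconfined_u:object_r:usr_t:s0 /usr/local/ldm/logs/ldmd.log'
GOOD_LINE='system_u:object_r:var_log_t:s0 /usr/local/ldm/logs/ldmd.log'

for line in "$BAD_LINE" "$GOOD_LINE"; do
    if same_selinux_type "$REF_LINE" "$line"; then
        echo "OK:       $line"
    else
        echo "MISMATCH: $line"
    fi
done

# On a live system the two lines would come from ls itself:
#   same_selinux_type "$(ls -Z /var/log/messages)" \
#                     "$(ls -Z /usr/local/ldm/logs/ldmd.log)"
```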