Сделайте это (с этого времени, я предполагаю, что мы находимся в корневом каталоге кота):
К каждому возникновению "шаблона URL" добавьте "/менеджер" строка. Так, например, это: <url-pattern>/html/*</url-pattern>
становится этим: <url-pattern>/manager/html/*</url-pattern>
. Сохраните файл.
Кот перезапуска
A quick fix would be to change the log file to be /var/log/openvpn-status.log
as the openvpn process is running as openvpn_t
and it has permission within the policy to write to files labelled var_log_t
(as /var/log should be).
The default context for /var/log/openvpn
is openvpn_var_log_t
matchpathcon /var/log/openvpn
/var/log/openvpn system_u:object_r:openvpn_var_log_t:s0
A longer process that requires slightly more management is to allow openvpn_t
to write to openvpn_var_log_t
which is the context that /var/log/openvpn gets e.g.
echo "host kernel: type=1400 audit(1384344598.334:39761): avc: denied { read write } for pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir" | audit2allow -M localOpenVpn
which will generate a .pp file that you can install
semodule -i localOpenVpn.pp
Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.
For Jiri Xichtkniha
If you look at the generated .te file amongst other things it says
#============= openvpn_t ==============
#!!!! The source type 'openvpn_t' can write to a 'dir' of the following types:
# net_conf_t, pcscd_var_run_t, openvpn_etc_t, openvpn_tmp_t, openvpn_var_run_t,
tmp_t, etc_t, var_run_t, var_log_t, krb5_host_rcache_t, tmp_t, cluster_var_lib_t,
cluster_var_run_t, root_t, cluster_conf_t
Note that openvpn_var_log_t
isn't listed.
I don't use OpenVPN but you have different path to log than prepared OpenVPN policy uses. This would make it work.
# semanage fcontext -a -t openvpn_var_log_t '/var/log/openvpn(/.*)?'
# semanage fcontext -l | grep openvpn_var_log_t
/var/log/openvpn(/.*)? all files system_u:object_r:openvpn_var_log_t:s0
/var/log/openvpn.* all files system_u:object_r:openvpn_var_log_t:s0
The original policy is last line. As you can see it would just accept 'openvpn.*' but this does not recurse to subdir.